PR changes, round 2

Steve Riesenberg · Steve Riesenberg · commit 9b41b713752d · 2021-10-19T16:29:18.000-05:00
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcUserInfoTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcUserInfoTests.java
@@ -18,8 +18,8 @@
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Set;
+import java.util.function.Function;
 
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
@@ -37,10 +37,10 @@
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.config.test.SpringTestRule;
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.core.authentication.OAuth2AuthenticationContext;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
-import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
 import org.springframework.security.oauth2.jose.TestJwks;
 import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 import org.springframework.security.oauth2.jwt.JoseHeader;
@@ -57,10 +57,14 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
+import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationToken;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.ResultMatcher;
 
+import static org.springframework.test.web.servlet.ResultMatcher.matchAll;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
@@ -73,9 +77,6 @@
  */
 public class OidcUserInfoTests {
 	private static final String DEFAULT_OIDC_USER_INFO_ENDPOINT_URI = "/userinfo";
-	private static final List<String> OPENID_USER_INFO_SCOPES = Arrays.asList(
-			OidcScopes.OPENID, OidcScopes.ADDRESS, OidcScopes.EMAIL, OidcScopes.PHONE, OidcScopes.PROFILE
-	);
 
 	@Rule
 	public final SpringTestRule spring = new SpringTestRule();
@@ -96,30 +97,12 @@ public void requestWhenUserInfoRequestGetThenUserInfoResponse() throws Exception
 		OAuth2Authorization authorization = createAuthorization();
 		this.authorizationService.save(authorization);
 
+		OAuth2AccessToken accessToken = authorization.getAccessToken().getToken();
 		// @formatter:off
 		this.mvc.perform(get(DEFAULT_OIDC_USER_INFO_ENDPOINT_URI)
-				.header(HttpHeaders.AUTHORIZATION, "Bearer " + authorization.getAccessToken().getToken().getTokenValue()))
+				.header(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken.getTokenValue()))
 				.andExpect(status().is2xxSuccessful())
-				.andExpect(jsonPath("sub").value("user1"))
-				.andExpect(jsonPath("name").value("First Last"))
-				.andExpect(jsonPath("given_name").value("First"))
-				.andExpect(jsonPath("family_name").value("Last"))
-				.andExpect(jsonPath("middle_name").value("Middle"))
-				.andExpect(jsonPath("nickname").value("User"))
-				.andExpect(jsonPath("preferred_username").value("user"))
-				.andExpect(jsonPath("profile").value("https://example.com/user1"))
-				.andExpect(jsonPath("picture").value("https://example.com/user1.jpg"))
-				.andExpect(jsonPath("website").value("https://example.com"))
-				.andExpect(jsonPath("email").value("user1@example.com"))
-				.andExpect(jsonPath("email_verified").value("true"))
-				.andExpect(jsonPath("gender").value("female"))
-				.andExpect(jsonPath("birthdate").value("1970-01-01"))
-				.andExpect(jsonPath("zoneinfo").value("Europe/Paris"))
-				.andExpect(jsonPath("locale").value("en-US"))
-				.andExpect(jsonPath("phone_number").value("+1 (604) 555-1234;ext=5678"))
-				.andExpect(jsonPath("phone_number_verified").value("false"))
-				.andExpect(jsonPath("address").value("Champ de Mars\n5 Av. Anatole France\n75007 Paris\nFrance"))
-				.andExpect(jsonPath("updated_at").value("1970-01-01T00:00:00Z"));
+				.andExpect(userInfoResponse());
 		// @formatter:on
 	}
 
@@ -130,40 +113,70 @@ public void requestWhenUserInfoRequestPostThenUserInfoResponse() throws Exceptio
 		OAuth2Authorization authorization = createAuthorization();
 		this.authorizationService.save(authorization);
 
+		OAuth2AccessToken accessToken = authorization.getAccessToken().getToken();
 		// @formatter:off
 		this.mvc.perform(post(DEFAULT_OIDC_USER_INFO_ENDPOINT_URI)
-				.header(HttpHeaders.AUTHORIZATION, "Bearer " + authorization.getAccessToken().getToken().getTokenValue()))
+				.header(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken.getTokenValue()))
 				.andExpect(status().is2xxSuccessful())
-				.andExpect(jsonPath("sub").value("user1"))
-				.andExpect(jsonPath("name").value("First Last"))
-				.andExpect(jsonPath("given_name").value("First"))
-				.andExpect(jsonPath("family_name").value("Last"))
-				.andExpect(jsonPath("middle_name").value("Middle"))
-				.andExpect(jsonPath("nickname").value("User"))
-				.andExpect(jsonPath("preferred_username").value("user"))
-				.andExpect(jsonPath("profile").value("https://example.com/user1"))
-				.andExpect(jsonPath("picture").value("https://example.com/user1.jpg"))
-				.andExpect(jsonPath("website").value("https://example.com"))
-				.andExpect(jsonPath("email").value("user1@example.com"))
-				.andExpect(jsonPath("email_verified").value("true"))
-				.andExpect(jsonPath("gender").value("female"))
-				.andExpect(jsonPath("birthdate").value("1970-01-01"))
-				.andExpect(jsonPath("zoneinfo").value("Europe/Paris"))
-				.andExpect(jsonPath("locale").value("en-US"))
-				.andExpect(jsonPath("phone_number").value("+1 (604) 555-1234;ext=5678"))
-				.andExpect(jsonPath("phone_number_verified").value("false"))
-				.andExpect(jsonPath("address").value("Champ de Mars\n5 Av. Anatole France\n75007 Paris\nFrance"))
-				.andExpect(jsonPath("updated_at").value("1970-01-01T00:00:00Z"));
+				.andExpect(userInfoResponse());
+		// @formatter:on
+	}
+
+	@Test
+	public void requestWhenSignedJwtAndCustomUserInfoMapperThenUserInfoResponse() throws Exception {
+		this.spring.register(CustomUserInfoConfiguration.class).autowire();
+
+		OAuth2Authorization authorization = createAuthorization();
+		this.authorizationService.save(authorization);
+
+		OAuth2AccessToken accessToken = authorization.getAccessToken().getToken();
+		// @formatter:off
+		this.mvc.perform(get(DEFAULT_OIDC_USER_INFO_ENDPOINT_URI)
+				.header(HttpHeaders.AUTHORIZATION, "Bearer " + accessToken.getTokenValue()))
+				.andExpect(status().is2xxSuccessful())
+				.andExpect(userInfoResponse());
+		// @formatter:on
+	}
+
+	private static ResultMatcher userInfoResponse() {
+		// @formatter:off
+		return matchAll(
+				jsonPath("sub").value("user1"),
+				jsonPath("name").value("First Last"),
+				jsonPath("given_name").value("First"),
+				jsonPath("family_name").value("Last"),
+				jsonPath("middle_name").value("Middle"),
+				jsonPath("nickname").value("User"),
+				jsonPath("preferred_username").value("user"),
+				jsonPath("profile").value("https://example.com/user1"),
+				jsonPath("picture").value("https://example.com/user1.jpg"),
+				jsonPath("website").value("https://example.com"),
+				jsonPath("email").value("user1@example.com"),
+				jsonPath("email_verified").value("true"),
+				jsonPath("gender").value("female"),
+				jsonPath("birthdate").value("1970-01-01"),
+				jsonPath("zoneinfo").value("Europe/Paris"),
+				jsonPath("locale").value("en-US"),
+				jsonPath("phone_number").value("+1 (604) 555-1234;ext=5678"),
+				jsonPath("phone_number_verified").value("false"),
+				jsonPath("address").value("Champ de Mars\n5 Av. Anatole France\n75007 Paris\nFrance"),
+				jsonPath("updated_at").value("1970-01-01T00:00:00Z")
+		);
 		// @formatter:on
 	}
 
 	private OAuth2Authorization createAuthorization() {
 		JoseHeader headers = JoseHeader.withAlgorithm(SignatureAlgorithm.RS256).build();
-		JwtClaimsSet claimSet = JwtClaimsSet.builder().claim(StandardClaimNames.SUB, "user").build();
+		// @formatter:off
+		JwtClaimsSet claimSet = JwtClaimsSet.builder()
+				.claims(claims -> claims.putAll(createUserInfo().getClaims()))
+				.build();
+		// @formatter:on
 		Jwt jwt = this.jwtEncoder.encode(headers, claimSet);
 
 		Instant now = Instant.now();
-		Set<String> scopes = new HashSet<>(OPENID_USER_INFO_SCOPES);
+		Set<String> scopes = new HashSet<>(Arrays.asList(
+				OidcScopes.OPENID, OidcScopes.ADDRESS, OidcScopes.EMAIL, OidcScopes.PHONE, OidcScopes.PROFILE));
 		OAuth2AccessToken accessToken = new OAuth2AccessToken(
 				OAuth2AccessToken.TokenType.BEARER, jwt.getTokenValue(), now, now.plusSeconds(300), scopes);
 		OidcIdToken idToken = OidcIdToken.withTokenValue("id-token")
@@ -203,6 +216,45 @@ private static OidcUserInfo createUserInfo() {
 		// @formatter:on
 	}
 
+	@EnableWebSecurity
+	static class CustomUserInfoConfiguration extends AuthorizationServerConfiguration {
+
+		@Bean
+		@Override
+		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+			OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
+					new OAuth2AuthorizationServerConfigurer<>();
+			RequestMatcher endpointsMatcher = authorizationServerConfigurer
+					.getEndpointsMatcher();
+
+			// Custom User Info Mapper that retrieves claims from a signed JWT
+			Function<OAuth2AuthenticationContext, OidcUserInfo> userInfoMapper = context -> {
+				OidcUserInfoAuthenticationToken authentication = context.getAuthentication();
+				JwtAuthenticationToken principal = (JwtAuthenticationToken) authentication.getPrincipal();
+
+				return new OidcUserInfo(principal.getToken().getClaims());
+			};
+
+			// @formatter:off
+			http
+				.requestMatcher(endpointsMatcher)
+				.authorizeRequests(authorizeRequests ->
+					authorizeRequests.anyRequest().authenticated()
+				)
+				.csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
+				.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
+				.apply(authorizationServerConfigurer)
+					.oidc(oidc -> oidc
+						.userInfoEndpoint(userInfo -> userInfo
+							.userInfoMapper(userInfoMapper)
+						)
+					);
+			// @formatter:on
+
+			return http.build();
+		}
+	}
+
 	@EnableWebSecurity
 	static class AuthorizationServerConfiguration {
 
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/ProviderSettingsTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/ProviderSettingsTests.java
@@ -38,6 +38,7 @@ public void buildWhenDefaultThenDefaultsAreSet() {
 		assertThat(providerSettings.getTokenRevocationEndpoint()).isEqualTo("/oauth2/revoke");
 		assertThat(providerSettings.getTokenIntrospectionEndpoint()).isEqualTo("/oauth2/introspect");
 		assertThat(providerSettings.getOidcClientRegistrationEndpoint()).isEqualTo("/connect/register");
+		assertThat(providerSettings.getOidcUserInfoEndpoint()).isEqualTo("/userinfo");
 	}
 
 	@Test
@@ -48,6 +49,7 @@ public void buildWhenSettingsProvidedThenSet() {
 		String tokenRevocationEndpoint = "/oauth2/v1/revoke";
 		String tokenIntrospectionEndpoint = "/oauth2/v1/introspect";
 		String oidcClientRegistrationEndpoint = "/connect/v1/register";
+		String oidcUserInfoEndpoint = "/connect/v1/userinfo";
 		String issuer = "https://example.com:9000";
 
 		ProviderSettings providerSettings = ProviderSettings.builder()
@@ -59,6 +61,7 @@ public void buildWhenSettingsProvidedThenSet() {
 				.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint)
 				.tokenRevocationEndpoint(tokenRevocationEndpoint)
 				.oidcClientRegistrationEndpoint(oidcClientRegistrationEndpoint)
+				.oidcUserInfoEndpoint(oidcUserInfoEndpoint)
 				.build();
 
 		assertThat(providerSettings.getIssuer()).isEqualTo(issuer);
@@ -68,6 +71,7 @@ public void buildWhenSettingsProvidedThenSet() {
 		assertThat(providerSettings.getTokenRevocationEndpoint()).isEqualTo(tokenRevocationEndpoint);
 		assertThat(providerSettings.getTokenIntrospectionEndpoint()).isEqualTo(tokenIntrospectionEndpoint);
 		assertThat(providerSettings.getOidcClientRegistrationEndpoint()).isEqualTo(oidcClientRegistrationEndpoint);
+		assertThat(providerSettings.getOidcUserInfoEndpoint()).isEqualTo(oidcUserInfoEndpoint);
 	}
 
 	@Test
@@ -124,6 +128,13 @@ public void oidcClientRegistrationEndpointWhenNullThenThrowIllegalArgumentExcept
 				.withMessage("value cannot be null");
 	}
 
+	@Test
+	public void oidcUserInfoEndpointWhenNullThenThrowIllegalArgumentException() {
+		assertThatIllegalArgumentException()
+				.isThrownBy(() -> ProviderSettings.builder().oidcUserInfoEndpoint(null))
+				.withMessage("value cannot be null");
+	}
+
 	@Test
 	public void jwksEndpointWhenNullThenThrowIllegalArgumentException() {
 		assertThatIllegalArgumentException()
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcUserInfoAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcUserInfoAuthenticationProviderTests.java
