Fix cancel consent functionality on default consent page

- Fix also applies to custom consent sample

Closes gh-393

Author: Dmitriy Dubson

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java

@@ -65,6 +65,7 @@
  * @author Paurav Munshi
  * @author Daniel Garnier-Moiroux
  * @author Anoop Garlapati
+ * @author Dmitriy Dubson
  * @since 0.0.1
  * @see AuthenticationManager
  * @see OAuth2AuthorizationCodeRequestAuthenticationProvider
@@ -332,6 +333,12 @@ private static String generateConsentPage(HttpServletRequest request,
 			builder.append("    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">");
 			builder.append("    <link rel=\"stylesheet\" href=\"https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css\" integrity=\"sha384-JcKb8q3iqJ61gNV9KGb8thSsNjpSL0n8PARn9HuZOnIxN0hoP+VmmDGMN5t9UJ0Z\" crossorigin=\"anonymous\">");
 			builder.append("    <title>Consent required</title>");
+			builder.append("	<script>");
+			builder.append("		function cancelConsent() {");
+			builder.append("			document.consent_form.reset();");
+			builder.append("			document.consent_form.submit();");
+			builder.append("		}");
+			builder.append("	</script>");
 			builder.append("</head>");
 			builder.append("<body>");
 			builder.append("<div class=\"container\">");
@@ -350,13 +357,13 @@ private static String generateConsentPage(HttpServletRequest request,
 			builder.append("    </div>");
 			builder.append("    <div class=\"row\">");
 			builder.append("        <div class=\"col text-center\">");
-			builder.append("            <form method=\"post\" action=\"" + request.getRequestURI() + "\">");
+			builder.append("            <form name=\"consent_form\" method=\"post\" action=\"" + request.getRequestURI() + "\">");
 			builder.append("                <input type=\"hidden\" name=\"client_id\" value=\"" + clientId + "\">");
 			builder.append("                <input type=\"hidden\" name=\"state\" value=\"" + state + "\">");
 
 			for (String scope : scopesToAuthorize) {
 				builder.append("                <div class=\"form-group form-check py-1\">");
-				builder.append("                    <input class=\"form-check-input\" type=\"checkbox\" name=\"scope\" value=\"" + scope + "\" id=\"" + scope + "\">");
+				builder.append("                    <input class=\"form-check-input scope-to-accept\" type=\"checkbox\" name=\"scope\" value=\"" + scope + "\" id=\"" + scope + "\">");
 				builder.append("                    <label class=\"form-check-label\" for=\"" + scope + "\">" + scope + "</label>");
 				builder.append("                </div>");
 			}
@@ -372,10 +379,10 @@ private static String generateConsentPage(HttpServletRequest request,
 			}
 
 			builder.append("                <div class=\"form-group pt-3\">");
-			builder.append("                    <button class=\"btn btn-primary btn-lg\" type=\"submit\">Submit Consent</button>");
+			builder.append("                    <button class=\"btn btn-primary btn-lg\" type=\"submit\" id=\"submit-consent\">Submit Consent</button>");
 			builder.append("                </div>");
 			builder.append("                <div class=\"form-group\">");
-			builder.append("                    <button class=\"btn btn-link regular\" type=\"reset\">Cancel</button>");
+			builder.append("                    <button class=\"btn btn-link regular\" type=\"button\" onclick=\"cancelConsent();\" id=\"cancel-consent\">Cancel</button>");
 			builder.append("                </div>");
 			builder.append("            </form>");
 			builder.append("        </div>");

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java

@@ -122,6 +122,7 @@
  *
  * @author Joe Grandja
  * @author Daniel Garnier-Moiroux
+ * @author Dmitriy Dubson
  */
 public class OAuth2AuthorizationCodeGrantTests {
 	private static final String DEFAULT_AUTHORIZATION_ENDPOINT_URI = "/oauth2/authorize";
@@ -556,7 +557,7 @@ private static String getAuthorizationHeader(RegisteredClient registeredClient)
 
 	private static String scopeCheckbox(String scope) {
 		return MessageFormat.format(
-				"<input class=\"form-check-input\" type=\"checkbox\" name=\"scope\" value=\"{0}\" id=\"{0}\">",
+				"<input class=\"form-check-input scope-to-accept\" type=\"checkbox\" name=\"scope\" value=\"{0}\" id=\"{0}\">",
 				scope
 		);
 	}

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java

@@ -73,6 +73,7 @@
  * @author Joe Grandja
  * @author Daniel Garnier-Moiroux
  * @author Anoop Garlapati
+ * @author Dmitriy Dubson
  * @since 0.0.1
  */
 public class OAuth2AuthorizationEndpointFilterTests {
@@ -574,7 +575,7 @@ private static OAuth2AuthorizationCodeRequestAuthenticationToken.Builder authori
 
 	private static String scopeCheckbox(String scope) {
 		return MessageFormat.format(
-				"<input class=\"form-check-input\" type=\"checkbox\" name=\"scope\" value=\"{0}\" id=\"{0}\">",
+				"<input class=\"form-check-input scope-to-accept\" type=\"checkbox\" name=\"scope\" value=\"{0}\" id=\"{0}\">",
 				scope
 		);
 	}

samples/boot/oauth2-integration/authorizationserver-custom-consent-page/spring-security-samples-boot-oauth2-integrated-authorizationserver-custom-consent-page.gradle

@@ -5,4 +5,8 @@ dependencies {
 	compile 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	compile 'org.springframework.boot:spring-boot-starter-security'
 	compile project(':spring-security-oauth2-authorization-server')
+
+	testCompile 'org.springframework.boot:spring-boot-starter-test'
+	testCompile 'org.springframework.security:spring-security-test'
+	testCompile 'net.sourceforge.htmlunit:htmlunit'
 }

samples/boot/oauth2-integration/authorizationserver-custom-consent-page/src/main/java/sample/config/AuthorizationServerConfig.java

@@ -21,8 +21,6 @@
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
-import sample.jose.Jwks;
-
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
@@ -42,13 +40,15 @@
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import sample.jose.Jwks;
 
 /**
  * @author Joe Grandja
  * @author Daniel Garnier-Moiroux
  */
 @Configuration(proxyBeanMethods = false)
 public class AuthorizationServerConfig {
+	private static final String CUSTOM_CONSENT_PAGE_URI = "/oauth2/consent";
 
 	@Bean
 	@Order(Ordered.HIGHEST_PRECEDENCE)
@@ -57,7 +57,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 				new OAuth2AuthorizationServerConfigurer<>();
 		authorizationServerConfigurer
 				.authorizationEndpoint(authorizationEndpoint ->
-						authorizationEndpoint.consentPage("/oauth2/consent"));
+						authorizationEndpoint.consentPage(CUSTOM_CONSENT_PAGE_URI));
 
 		RequestMatcher endpointsMatcher = authorizationServerConfigurer
 				.getEndpointsMatcher();

samples/boot/oauth2-integration/authorizationserver-custom-consent-page/src/main/resources/templates/consent.html

@@ -5,12 +5,18 @@
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
     <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css"
           integrity="sha384-JcKb8q3iqJ61gNV9KGb8thSsNjpSL0n8PARn9HuZOnIxN0hoP+VmmDGMN5t9UJ0Z" crossorigin="anonymous">
-    <title>Consent required</title>
+    <title>Custom consent page - Consent required</title>
     <style>
         body {
             background-color: aliceblue;
         }
     </style>
+	<script>
+		function cancelConsent() {
+			document.consent_form.reset();
+			document.consent_form.submit();
+		}
+	</script>
 </head>
 <body>
 <div class="container">
@@ -33,7 +39,7 @@ <h1 class="text-center text-primary">App permissions</h1>
     </div>
     <div class="row">
         <div class="col text-center">
-            <form method="post" action="/oauth2/authorize">
+            <form name="consent_form" method="post" action="/oauth2/authorize">
                 <input type="hidden" name="client_id" th:value="${clientId}">
                 <input type="hidden" name="state" th:value="${state}">
 
@@ -59,12 +65,12 @@ <h1 class="text-center text-primary">App permissions</h1>
                 </div>
 
                 <div class="form-group pt-3">
-                    <button class="btn btn-primary btn-lg" type="submit">
+                    <button class="btn btn-primary btn-lg" type="submit" id="submit-consent">
                         Submit Consent
                     </button>
                 </div>
                 <div class="form-group">
-                    <button class="btn btn-link regular" type="reset">
+                    <button class="btn btn-link regular" type="button" id="cancel-consent" onclick="cancelConsent();">
                         Cancel
                     </button>
                 </div>

samples/boot/oauth2-integration/authorizationserver-custom-consent-page/src/test/java/sample/OAuth2AuthorizationServerCustomConsentPageApplicationTests.java

@@ -0,0 +1,132 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import com.gargoylesoftware.htmlunit.WebClient;
+import com.gargoylesoftware.htmlunit.WebResponse;
+import com.gargoylesoftware.htmlunit.html.DomElement;
+import com.gargoylesoftware.htmlunit.html.HtmlCheckBoxInput;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.TestConfiguration;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Import;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.test.context.support.WithMockUser;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.when;
+
+/**
+ * Consent page integration tests for the sample Authorization Server serving a custom Consent page
+ *
+ * @author Dmitriy Dubson
+ */
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@Import({OAuth2AuthorizationServerCustomConsentPageApplicationTests.InMemoryOAuth2AuthorizationServiceTestConfiguration.class})
+@AutoConfigureMockMvc
+public class OAuth2AuthorizationServerCustomConsentPageApplicationTests {
+	@Autowired
+	private WebClient webClient;
+
+	@MockBean
+	private OAuth2AuthorizationConsentService mockAuthorizationConsentService;
+
+	private final String testConsentResultEndpoint = "http://127.0.0.1/login/oauth2/code/messaging-client-oidc";
+
+	private final String authorizeEndpoint = UriComponentsBuilder
+			.fromPath("/oauth2/authorize")
+			.queryParam("response_type", "code")
+			.queryParam("client_id", "messaging-client")
+			.queryParam("scope", "openid message.read message.write")
+			.queryParam("state", "state")
+			.queryParam("redirect_uri", testConsentResultEndpoint)
+			.toUriString();
+
+	@Before
+	public void setUp() {
+		this.webClient.getOptions().setThrowExceptionOnFailingStatusCode(false);
+		this.webClient.getOptions().setRedirectEnabled(true);
+		this.webClient.getCookieManager().clearCookies();
+		when(mockAuthorizationConsentService.findById(any(), any())).thenReturn(null);
+	}
+
+	@Test
+	@WithMockUser("user1")
+	public void whenUserConsentsToAllScopesThenReturnAuthorizationCode() throws IOException {
+		final HtmlPage consentPage = webClient.getPage(authorizeEndpoint);
+		assertThat(consentPage.getTitleText()).isEqualTo("Custom consent page - Consent required");
+
+		List<HtmlCheckBoxInput> scopes = consentPage.querySelectorAll("input[name='scope']").stream()
+				.map(scope -> (HtmlCheckBoxInput) scope).collect(Collectors.toList());
+		for (HtmlCheckBoxInput scope : scopes) {
+			scope.click();
+		}
+
+		assertThat(scopes.stream().map(DomElement::getId).collect(Collectors.toList()))
+				.containsExactlyInAnyOrder("openid", "message.read", "message.write");
+		assertThat(scopes.stream().allMatch(HtmlCheckBoxInput::isChecked)).isTrue();
+
+		DomElement submitConsentButton = consentPage.querySelector("button[id='submit-consent']");
+		this.webClient.getOptions().setRedirectEnabled(false);
+
+		WebResponse approveConsentResponse = submitConsentButton.click().getWebResponse();
+		assertThat(approveConsentResponse.getStatusCode()).isEqualTo(HttpStatus.MOVED_PERMANENTLY.value());
+		String location = approveConsentResponse.getResponseHeaderValue("location");
+		assertThat(location).startsWith(testConsentResultEndpoint);
+		assertThat(location).contains("code=");
+	}
+
+	@Test
+	@WithMockUser("user1")
+	public void whenUserCancelsApprovingConsentThenReturnAnAccessDeniedError() throws IOException {
+		final HtmlPage consentPage = webClient.getPage(authorizeEndpoint);
+		assertThat(consentPage.getTitleText()).isEqualTo("Custom consent page - Consent required");
+
+		DomElement cancelConsentButton = consentPage.querySelector("button[id='cancel-consent']");
+		this.webClient.getOptions().setRedirectEnabled(false);
+
+		WebResponse cancelConsentResponse = cancelConsentButton.click().getWebResponse();
+		assertThat(cancelConsentResponse.getStatusCode()).isEqualTo(HttpStatus.MOVED_PERMANENTLY.value());
+		String location = cancelConsentResponse.getResponseHeaderValue("location");
+		assertThat(location).contains("error=access_denied");
+	}
+
+	@TestConfiguration
+	static class InMemoryOAuth2AuthorizationServiceTestConfiguration {
+		@Bean
+		public OAuth2AuthorizationService authorizationService() {
+			return new InMemoryOAuth2AuthorizationService();
+		}
+	}
+}

samples/boot/oauth2-integration/authorizationserver/spring-security-samples-boot-oauth2-integrated-authorizationserver.gradle

@@ -8,5 +8,6 @@ dependencies {
 	runtimeOnly 'com.h2database:h2'
 
 	testCompile 'org.springframework.boot:spring-boot-starter-test'
+	testCompile 'org.springframework.security:spring-security-test'
 	testCompile 'net.sourceforge.htmlunit:htmlunit'
 }