spring-projectsgh-1454:

Greg Li · Greg Li · commit e32436924acc · 2024-01-15T15:12:26.000+08:00
Provide a configuration "enableDeviceAuthorizationEndpoint" to support enable/disable device authorization grant. The default value of enableDeviceAuthorizationEndpoint is true for backward capability.
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationServerConfigurer.java
@@ -222,40 +222,26 @@ public OAuth2AuthorizationServerConfigurer tokenRevocationEndpoint(Customizer<OA
 	}
 
 	/**
-	 * Configures the OAuth 2.0 Device Authorization Endpoint (disabled by default).
+	 * Configures the OAuth 2.0 Device Authorization Endpoint.
 	 *
 	 * @param deviceAuthorizationEndpointCustomizer the {@link Customizer} providing access to the {@link OAuth2DeviceAuthorizationEndpointConfigurer}
 	 * @return the {@link OAuth2AuthorizationServerConfigurer} for further configuration
 	 * @since 1.1
 	 */
 	public OAuth2AuthorizationServerConfigurer deviceAuthorizationEndpoint(Customizer<OAuth2DeviceAuthorizationEndpointConfigurer> deviceAuthorizationEndpointCustomizer) {
-		OAuth2DeviceAuthorizationEndpointConfigurer deviceAuthorizationEndpointConfigurer =
-				getConfigurer(OAuth2DeviceAuthorizationEndpointConfigurer.class);
-		if (deviceAuthorizationEndpointConfigurer == null) {
-			addConfigurer(OAuth2DeviceAuthorizationEndpointConfigurer.class,
-					new OAuth2DeviceAuthorizationEndpointConfigurer(this::postProcess));
-			deviceAuthorizationEndpointConfigurer = getConfigurer(OAuth2DeviceAuthorizationEndpointConfigurer.class);
-		}
-		deviceAuthorizationEndpointCustomizer.customize(deviceAuthorizationEndpointConfigurer);
+		deviceAuthorizationEndpointCustomizer.customize(getConfigurer(OAuth2DeviceAuthorizationEndpointConfigurer.class));
 		return this;
 	}
 
 	/**
-	 * Configures the OAuth 2.0 Device Verification Endpoint (disabled by default).
+	 * Configures the OAuth 2.0 Device Verification Endpoint.
 	 *
 	 * @param deviceVerificationEndpointCustomizer the {@link Customizer} providing access to the {@link OAuth2DeviceVerificationEndpointConfigurer}
 	 * @return the {@link OAuth2AuthorizationServerConfigurer} for further configuration
 	 * @since 1.1
 	 */
 	public OAuth2AuthorizationServerConfigurer deviceVerificationEndpoint(Customizer<OAuth2DeviceVerificationEndpointConfigurer> deviceVerificationEndpointCustomizer) {
-		OAuth2DeviceVerificationEndpointConfigurer deviceVerificationEndpointConfigurer =
-				getConfigurer(OAuth2DeviceVerificationEndpointConfigurer.class);
-		if (deviceVerificationEndpointConfigurer == null) {
-			addConfigurer(OAuth2DeviceVerificationEndpointConfigurer.class,
-					new OAuth2DeviceVerificationEndpointConfigurer(this::postProcess));
-			deviceVerificationEndpointConfigurer = getConfigurer(OAuth2DeviceVerificationEndpointConfigurer.class);
-		}
-		deviceVerificationEndpointCustomizer.customize(deviceVerificationEndpointConfigurer);
+		deviceVerificationEndpointCustomizer.customize(getConfigurer(OAuth2DeviceVerificationEndpointConfigurer.class));
 		return this;
 	}
 
@@ -325,6 +311,10 @@ public void init(HttpSecurity httpSecurity) {
 				}
 			});
 		}
+		if (!isDeviceAuthorizationEnabled()) {
+			this.configurers.remove(OAuth2DeviceAuthorizationEndpointConfigurer.class);
+			this.configurers.remove(OAuth2DeviceVerificationEndpointConfigurer.class);
+		}
 
 		List<RequestMatcher> requestMatchers = new ArrayList<>();
 		this.configurers.values().forEach(configurer -> {
@@ -338,7 +328,7 @@ public void init(HttpSecurity httpSecurity) {
 		ExceptionHandlingConfigurer<HttpSecurity> exceptionHandling = httpSecurity.getConfigurer(ExceptionHandlingConfigurer.class);
 		if (exceptionHandling != null) {
 			OrRequestMatcher preferredRequestMatcher = null;
-			if (getRequestMatcher(OAuth2DeviceAuthorizationEndpointConfigurer.class) != null) {
+			if (isDeviceAuthorizationEnabled()) {
 				preferredRequestMatcher = new OrRequestMatcher(
 						getRequestMatcher(OAuth2TokenEndpointConfigurer.class),
 						getRequestMatcher(OAuth2TokenIntrospectionEndpointConfigurer.class),
@@ -359,9 +349,7 @@ public void init(HttpSecurity httpSecurity) {
 
 	@Override
 	public void configure(HttpSecurity httpSecurity) {
-		OAuth2DeviceAuthorizationEndpointConfigurer deviceAuthorizationEndpointConfigurer =
-				getConfigurer(OAuth2DeviceAuthorizationEndpointConfigurer.class);
-		if (deviceAuthorizationEndpointConfigurer != null) {
+		if (isDeviceAuthorizationEnabled()) {
 			OAuth2AuthorizationServerMetadataEndpointConfigurer auth2AuthorizationServerMetadataEndpointConfigurer =
 					getConfigurer(OAuth2AuthorizationServerMetadataEndpointConfigurer.class);
 
@@ -395,6 +383,11 @@ private boolean isOidcEnabled() {
 		return getConfigurer(OidcConfigurer.class) != null;
 	}
 
+	private boolean isDeviceAuthorizationEnabled() {
+		OAuth2DeviceAuthorizationEndpointConfigurer deviceAuthorizationEndpointConfigurer = getConfigurer(OAuth2DeviceAuthorizationEndpointConfigurer.class);
+		return deviceAuthorizationEndpointConfigurer != null && deviceAuthorizationEndpointConfigurer.isEnableDeviceAuthorizationEndpoint();
+	}
+
 	private Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> createConfigurers() {
 		Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer> configurers = new LinkedHashMap<>();
 		configurers.put(OAuth2ClientAuthenticationConfigurer.class, new OAuth2ClientAuthenticationConfigurer(this::postProcess));
@@ -403,6 +396,8 @@ private Map<Class<? extends AbstractOAuth2Configurer>, AbstractOAuth2Configurer>
 		configurers.put(OAuth2TokenEndpointConfigurer.class, new OAuth2TokenEndpointConfigurer(this::postProcess));
 		configurers.put(OAuth2TokenIntrospectionEndpointConfigurer.class, new OAuth2TokenIntrospectionEndpointConfigurer(this::postProcess));
 		configurers.put(OAuth2TokenRevocationEndpointConfigurer.class, new OAuth2TokenRevocationEndpointConfigurer(this::postProcess));
+		configurers.put(OAuth2DeviceAuthorizationEndpointConfigurer.class, new OAuth2DeviceAuthorizationEndpointConfigurer(this::postProcess));
+		configurers.put(OAuth2DeviceVerificationEndpointConfigurer.class, new OAuth2DeviceVerificationEndpointConfigurer(this::postProcess));
 		return configurers;
 	}
 
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceAuthorizationEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceAuthorizationEndpointConfigurer.java
@@ -62,7 +62,13 @@ public final class OAuth2DeviceAuthorizationEndpointConfigurer extends AbstractO
 	private Consumer<List<AuthenticationProvider>> authenticationProvidersConsumer = (authenticationProviders) -> {};
 	private AuthenticationSuccessHandler deviceAuthorizationResponseHandler;
 	private AuthenticationFailureHandler errorResponseHandler;
+
+	public boolean isEnableDeviceAuthorizationEndpoint() {
+		return enableDeviceAuthorizationEndpoint;
+	}
+
 	private String verificationUri;
+	private boolean enableDeviceAuthorizationEndpoint = true;
 
 	/**
 	 * Restrict for internal use only.
@@ -161,6 +167,11 @@ public OAuth2DeviceAuthorizationEndpointConfigurer verificationUri(String verifi
 		return this;
 	}
 
+	public OAuth2DeviceAuthorizationEndpointConfigurer enableDeviceAuthorizationEndpoint(boolean enableDeviceAuthorizationEndpoint) {
+		this.enableDeviceAuthorizationEndpoint = enableDeviceAuthorizationEndpoint;
+		return this;
+	}
+
 	@Override
 	public void init(HttpSecurity builder) {
 		AuthorizationServerSettings authorizationServerSettings =
diff --git a/samples/demo-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java b/samples/demo-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@@ -100,8 +100,10 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(
 
 		// @formatter:off
 		http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
-			.deviceAuthorizationEndpoint(deviceAuthorizationEndpoint ->
-				deviceAuthorizationEndpoint.verificationUri("/activate")
+			.deviceAuthorizationEndpoint(deviceAuthorizationEndpoint -> {
+						deviceAuthorizationEndpoint.verificationUri("/activate");
+						deviceAuthorizationEndpoint.enableDeviceAuthorizationEndpoint(true);
+					}
 			)
 			.deviceVerificationEndpoint(deviceVerificationEndpoint ->
 				deviceVerificationEndpoint.consentPage(CUSTOM_CONSENT_PAGE_URI)
