Update Token Exchange

* updates based on review feedback
* tests for Token Exchange

Issue spring-projectsgh-60

Author: sjohnr

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/aot/hint/OAuth2AuthorizationServerBeanRegistrationAotProcessor.java

@@ -43,8 +43,8 @@
 import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
 import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
-import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ActorAuthenticationToken;
-import org.springframework.security.oauth2.server.authorization.authentication.OAuth2CompositeAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.jackson2.OAuth2AuthorizationServerJackson2Module;
 import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
 import org.springframework.security.web.authentication.WebAuthenticationDetails;
@@ -111,9 +111,9 @@ private void registerHints(RuntimeHints hints) {
 							TypeReference.of(OidcIdToken.class),
 							TypeReference.of(AbstractOAuth2Token.class),
 							TypeReference.of(OidcUserInfo.class),
-							TypeReference.of(OAuth2ActorAuthenticationToken.class),
+							TypeReference.of(OAuth2TokenExchangeActor.class),
 							TypeReference.of(OAuth2AuthorizationRequest.class),
-							TypeReference.of(OAuth2CompositeAuthenticationToken.class),
+							TypeReference.of(OAuth2TokenExchangeCompositeAuthenticationToken.class),
 							TypeReference.of(AuthorizationGrantType.class),
 							TypeReference.of(OAuth2AuthorizationResponseType.class),
 							TypeReference.of(OAuth2TokenFormat.class)

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ActorAuthenticationToken.java renamed to oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeActor.java

@@ -16,11 +16,13 @@
 
 package org.springframework.security.oauth2.server.authorization.authentication;
 
-import java.io.Serializable;
 import java.util.Collections;
+import java.util.Map;
+import java.util.Objects;
 
-import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.ClaimAccessor;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimNames;
 import org.springframework.util.Assert;
 
 /**
@@ -29,25 +31,41 @@
  *
  * @author Steve Riesenberg
  * @since 1.3
- * @see OAuth2CompositeAuthenticationToken
+ * @see OAuth2TokenExchangeCompositeAuthenticationToken
  */
-public class OAuth2ActorAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
+public class OAuth2TokenExchangeActor implements ClaimAccessor {
 
-	private final String name;
+	private final Map<String, Object> claims;
 
-	public OAuth2ActorAuthenticationToken(String name) {
-		super(Collections.emptyList());
-		Assert.hasText(name, "name cannot be empty");
-		this.name = name;
+	public OAuth2TokenExchangeActor(Map<String, Object> claims) {
+		Assert.notNull(claims, "claims cannot be null");
+		this.claims = Collections.unmodifiableMap(claims);
 	}
 
 	@Override
-	public Object getPrincipal() {
-		return this.name;
+	public Map<String, Object> getClaims() {
+		return this.claims;
+	}
+
+	public String getIssuer() {
+		return getClaimAsString(OAuth2TokenClaimNames.ISS);
+	}
+
+	public String getSubject() {
+		return getClaimAsString(OAuth2TokenClaimNames.SUB);
 	}
 
 	@Override
-	public Object getCredentials() {
-		return null;
+	public boolean equals(Object obj) {
+		if (!(obj instanceof OAuth2TokenExchangeActor other)) {
+			return false;
+		}
+		return Objects.equals(this.claims, other.claims);
 	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(this.claims);
+	}
+
 }

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationProvider.java

@@ -22,6 +22,7 @@
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 
 import org.apache.commons.logging.Log;
@@ -38,7 +39,6 @@
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2Token;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
-import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
@@ -47,6 +47,7 @@
 import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
 import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
 import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimNames;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;
 import org.springframework.util.Assert;
@@ -153,11 +154,11 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		// As per https://datatracker.ietf.org/doc/html/rfc8693#section-4.4,
 		// The may_act claim makes a statement that one party is authorized to
 		// become the actor and act on behalf of another party.
-		String authorizedActorSubject = null;
+		Map<String, Object> authorizedActorClaims = null;
 		if (subjectToken.getClaims() != null &&
 				subjectToken.getClaims().containsKey(MAY_ACT) &&
 				subjectToken.getClaims().get(MAY_ACT) instanceof Map<?, ?> mayAct) {
-			authorizedActorSubject = (String) mayAct.get(StandardClaimNames.SUB);
+			authorizedActorClaims = (Map<String, Object>) mayAct;
 		}
 
 		OAuth2Authorization actorAuthorization = null;
@@ -188,12 +189,11 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				//throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
 			}
 
-			if (StringUtils.hasText(authorizedActorSubject) &&
-					!authorizedActorSubject.equals(actorAuthorization.getPrincipalName())) {
-				throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+			if (authorizedActorClaims != null) {
+				validateClaims(authorizedActorClaims, actorToken.getClaims(), OAuth2TokenClaimNames.ISS,
+						OAuth2TokenClaimNames.SUB);
 			}
-		} else if (StringUtils.hasText(authorizedActorSubject) &&
-				!authorizedActorSubject.equals(clientPrincipal.getName())) {
+		} else if (authorizedActorClaims != null) {
 			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
 		}
 
@@ -284,26 +284,37 @@ private static Set<String> validateRequestedScopes(RegisteredClient registeredCl
 		return new LinkedHashSet<>(requestedScopes);
 	}
 
+	private static void validateClaims(Map<String, Object> expectedClaims, Map<String, Object> actualClaims, String... claimNames) {
+		if (actualClaims == null) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+		}
+
+		for (String claimName : claimNames) {
+			if (!Objects.equals(expectedClaims.get(claimName), actualClaims.get(claimName))) {
+				throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+			}
+		}
+	}
+
 	private static Authentication getPrincipal(OAuth2Authorization subjectAuthorization, OAuth2Authorization actorAuthorization) {
 		Authentication subjectPrincipal = subjectAuthorization.getAttribute(Principal.class.getName());
-
-		List<Authentication> actorPrincipals = new LinkedList<>();
-		if (actorAuthorization != null) {
-			actorPrincipals.add(new OAuth2ActorAuthenticationToken(actorAuthorization.getPrincipalName()));
+		if (actorAuthorization == null) {
+			return subjectPrincipal;
 		}
 
-		if (subjectPrincipal instanceof OAuth2CompositeAuthenticationToken compositeAuthenticationToken) {
-			// As per https://datatracker.ietf.org/doc/html/rfc8693#section-4.1,
-			// the act claim can be used to represent a chain of delegation,
-			// so we unwrap the original subject and any previous actor(s).
+		// Capture claims for current actor's access token
+		OAuth2TokenExchangeActor currentActor = new OAuth2TokenExchangeActor(
+				actorAuthorization.getAccessToken().getClaims());
+		List<OAuth2TokenExchangeActor> actorPrincipals = new LinkedList<>();
+		actorPrincipals.add(currentActor);
+
+		// Add chain of delegation for previous actor(s) if any
+		if (subjectPrincipal instanceof OAuth2TokenExchangeCompositeAuthenticationToken compositeAuthenticationToken) {
 			subjectPrincipal = compositeAuthenticationToken.getSubject();
 			actorPrincipals.addAll(compositeAuthenticationToken.getActors());
-			// TODO: Should we allow delegation-to-impersonation where previous
-			//  actors exist but no actor_token exists on this request?
 		}
 
-		return CollectionUtils.isEmpty(actorPrincipals) ? subjectPrincipal :
-				new OAuth2CompositeAuthenticationToken(subjectPrincipal, actorPrincipals);
+		return new OAuth2TokenExchangeCompositeAuthenticationToken(subjectPrincipal, actorPrincipals);
 	}
 
 	@Override

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationToken.java

@@ -17,7 +17,7 @@
 
 import java.util.Collections;
 import java.util.HashSet;
-import java.util.List;
+import java.util.LinkedHashSet;
 import java.util.Map;
 import java.util.Set;
 
@@ -36,10 +36,6 @@
  */
 public class OAuth2TokenExchangeAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken {
 
-	private final List<String> resources;
-
-	private final List<String> audiences;
-
 	private final String requestedTokenType;
 
 	private final String subjectToken;
@@ -50,70 +46,47 @@ public class OAuth2TokenExchangeAuthenticationToken extends OAuth2AuthorizationG
 
 	private final String actorTokenType;
 
+	private final Set<String> resources;
+
+	private final Set<String> audiences;
+
 	private final Set<String> scopes;
 
 	/**
 	 * Constructs an {@code OAuth2TokenExchangeAuthenticationToken} using the provided parameters.
 	 *
-	 * @param resources a list of resource URIs
-	 * @param audiences a list audience values
-	 * @param scopes the requested scope(s)
 	 * @param requestedTokenType the requested token type
 	 * @param subjectToken the subject token
 	 * @param subjectTokenType the subject token type
+	 * @param clientPrincipal the authenticated client principal
 	 * @param actorToken the actor token
 	 * @param actorTokenType the actor token type
-	 * @param clientPrincipal the authenticated client principal
+	 * @param resources the requested resource URI(s)
+	 * @param audiences the requested audience value(s)
+	 * @param scopes the requested scope(s)
 	 * @param additionalParameters the additional parameters
 	 */
-	public OAuth2TokenExchangeAuthenticationToken(List<String> resources, List<String> audiences,
-			@Nullable Set<String> scopes, @Nullable String requestedTokenType, String subjectToken,
-			String subjectTokenType, @Nullable String actorToken, @Nullable String actorTokenType,
-			Authentication clientPrincipal, @Nullable Map<String, Object> additionalParameters) {
+	public OAuth2TokenExchangeAuthenticationToken(String requestedTokenType, String subjectToken,
+			String subjectTokenType, Authentication clientPrincipal, @Nullable String actorToken,
+			@Nullable String actorTokenType, @Nullable Set<String> resources, @Nullable Set<String> audiences,
+			@Nullable Set<String> scopes, @Nullable Map<String, Object> additionalParameters) {
 		super(AuthorizationGrantType.TOKEN_EXCHANGE, clientPrincipal, additionalParameters);
-		Assert.notNull(resources, "resources cannot be null");
-		Assert.notNull(audiences, "audiences cannot be null");
 		Assert.hasText(requestedTokenType, "requestedTokenType cannot be empty");
 		Assert.hasText(subjectToken, "subjectToken cannot be empty");
 		Assert.hasText(subjectTokenType, "subjectTokenType cannot be empty");
-		this.resources = resources;
-		this.audiences = audiences;
 		this.requestedTokenType = requestedTokenType;
 		this.subjectToken = subjectToken;
 		this.subjectTokenType = subjectTokenType;
 		this.actorToken = actorToken;
 		this.actorTokenType = actorTokenType;
+		this.resources = Collections.unmodifiableSet(
+				resources != null ? new LinkedHashSet<>(resources) : Collections.emptySet());
+		this.audiences = Collections.unmodifiableSet(
+				audiences != null ? new LinkedHashSet<>(audiences) : Collections.emptySet());
 		this.scopes = Collections.unmodifiableSet(
 				scopes != null ? new HashSet<>(scopes) : Collections.emptySet());
 	}
 
-	/**
-	 * Returns the list of resource URIs.
-	 *
-	 * @return the list of resource URIs
-	 */
-	public List<String> getResources() {
-		return this.resources;
-	}
-
-	/**
-	 * Returns the list of audience values.
-	 *
-	 * @return the list of audience values
-	 */
-	public List<String> getAudiences() {
-		return this.audiences;
-	}
-
-	/**
-	 * Returns the requested scope(s).
-	 *
-	 * @return the requested scope(s), or an empty {@code Set} if not available
-	 */
-	public Set<String> getScopes() {
-		return this.scopes;
-	}
-
 	/**
 	 * Returns the requested token type.
 	 *
@@ -158,4 +131,32 @@ public String getActorToken() {
 	public String getActorTokenType() {
 		return this.actorTokenType;
 	}
+
+	/**
+	 * Returns the requested resource URI(s).
+	 *
+	 * @return the requested resource URI(s), or an empty {@code Set} if not available
+	 */
+	public Set<String> getResources() {
+		return this.resources;
+	}
+
+	/**
+	 * Returns the requested audience value(s).
+	 *
+	 * @return the requested audience value(s), or an empty {@code Set} if not available
+	 */
+	public Set<String> getAudiences() {
+		return this.audiences;
+	}
+
+	/**
+	 * Returns the requested scope(s).
+	 *
+	 * @return the requested scope(s), or an empty {@code Set} if not available
+	 */
+	public Set<String> getScopes() {
+		return this.scopes;
+	}
+
 }

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2CompositeAuthenticationToken.java renamed to oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeCompositeAuthenticationToken.java

@@ -16,10 +16,10 @@
 
 package org.springframework.security.oauth2.server.authorization.authentication;
 
-import java.io.Serializable;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
+import java.util.Objects;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -33,13 +33,13 @@
  * @since 1.3
  * @see OAuth2TokenExchangeAuthenticationToken
  */
-public class OAuth2CompositeAuthenticationToken extends AbstractAuthenticationToken implements Serializable {
+public class OAuth2TokenExchangeCompositeAuthenticationToken extends AbstractAuthenticationToken {
 
 	private final Authentication subject;
 
-	private final List<Authentication> actors;
+	private final List<OAuth2TokenExchangeActor> actors;
 
-	public OAuth2CompositeAuthenticationToken(Authentication subject, List<Authentication> actors) {
+	public OAuth2TokenExchangeCompositeAuthenticationToken(Authentication subject, List<OAuth2TokenExchangeActor> actors) {
 		super(subject != null ? subject.getAuthorities() : null);
 		Assert.notNull(subject, "subject cannot be null");
 		Assert.notNull(actors, "actors cannot be null");
@@ -63,7 +63,22 @@ public Authentication getSubject() {
 		return this.subject;
 	}
 
-	public List<Authentication> getActors() {
+	public List<OAuth2TokenExchangeActor> getActors() {
 		return this.actors;
 	}
+
+	@Override
+	public boolean equals(Object obj) {
+		if (!(obj instanceof OAuth2TokenExchangeCompositeAuthenticationToken other)) {
+			return false;
+		}
+		return super.equals(obj) && Objects.equals(this.subject, other.subject) &&
+				Objects.equals(this.actors, other.actors);
+	}
+
+	@Override
+	public int hashCode() {
+		return Objects.hash(super.hashCode(), this.subject, this.actors);
+	}
+
 }