Move logic for populating Token Exchange claims

Issue spring-projectsgh-60

Author: sjohnr

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/DelegatingOAuth2TokenCustomizer.java

@@ -15,8 +15,6 @@
  */
 package org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers;
 
-import java.util.ArrayList;
-import java.util.List;
 import java.util.Map;
 
 import com.nimbusds.jose.jwk.source.JWKSource;
@@ -172,39 +170,13 @@ static JWKSource<SecurityContext> getJwkSource(HttpSecurity httpSecurity) {
 	}
 
 	private static OAuth2TokenCustomizer<JwtEncodingContext> getJwtCustomizer(HttpSecurity httpSecurity) {
-		OAuth2TokenCustomizer<JwtEncodingContext> defaultTokenCustomizer = OAuth2TokenExchangeTokenCustomizers.jwt();
 		ResolvableType type = ResolvableType.forClassWithGenerics(OAuth2TokenCustomizer.class, JwtEncodingContext.class);
-		OAuth2TokenCustomizer<JwtEncodingContext> userTokenCustomizer = getOptionalBean(httpSecurity, type);
-
-		OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer;
-		if (userTokenCustomizer != null) {
-			List<OAuth2TokenCustomizer<JwtEncodingContext>> tokenCustomizers = new ArrayList<>();
-			tokenCustomizers.add(defaultTokenCustomizer);
-			tokenCustomizers.add(userTokenCustomizer);
-			tokenCustomizer = new DelegatingOAuth2TokenCustomizer<>(tokenCustomizers);
-		} else {
-			tokenCustomizer = defaultTokenCustomizer;
-		}
-
-		return tokenCustomizer;
+		return getOptionalBean(httpSecurity, type);
 	}
 
 	private static OAuth2TokenCustomizer<OAuth2TokenClaimsContext> getAccessTokenCustomizer(HttpSecurity httpSecurity) {
-		OAuth2TokenCustomizer<OAuth2TokenClaimsContext> defaultTokenCustomizer = OAuth2TokenExchangeTokenCustomizers.accessToken();
 		ResolvableType type = ResolvableType.forClassWithGenerics(OAuth2TokenCustomizer.class, OAuth2TokenClaimsContext.class);
-		OAuth2TokenCustomizer<OAuth2TokenClaimsContext> userTokenCustomizer = getOptionalBean(httpSecurity, type);
-
-		OAuth2TokenCustomizer<OAuth2TokenClaimsContext> tokenCustomizer;
-		if (userTokenCustomizer != null) {
-			List<OAuth2TokenCustomizer<OAuth2TokenClaimsContext>> tokenCustomizers = new ArrayList<>();
-			tokenCustomizers.add(defaultTokenCustomizer);
-			tokenCustomizers.add(userTokenCustomizer);
-			tokenCustomizer = new DelegatingOAuth2TokenCustomizer<>(tokenCustomizers);
-		} else {
-			tokenCustomizer = defaultTokenCustomizer;
-		}
-
-		return tokenCustomizer;
+		return getOptionalBean(httpSecurity, type);
 	}
 
 	static AuthorizationServerSettings getAuthorizationServerSettings(HttpSecurity httpSecurity) {

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2ConfigurerUtils.java

@@ -17,8 +17,12 @@
 
 import java.security.MessageDigest;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Base64;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.function.Consumer;
 
@@ -28,6 +32,10 @@
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken;
+import org.springframework.util.CollectionUtils;
 
 /**
  * @author Joe Grandja
@@ -46,10 +54,13 @@ final class DefaultOAuth2TokenClaimsConsumer implements Consumer<Map<String, Obj
 
 	@Override
 	public void accept(Map<String, Object> claims) {
+		if (!OAuth2TokenType.ACCESS_TOKEN.equals(this.context.getTokenType()) ||
+				this.context.getAuthorizationGrant() == null) {
+			return;
+		}
+
 		// Add 'cnf' claim for Mutual-TLS Client Certificate-Bound Access Tokens
-		if (OAuth2TokenType.ACCESS_TOKEN.equals(this.context.getTokenType()) &&
-				this.context.getAuthorizationGrant() != null &&
-				this.context.getAuthorizationGrant().getPrincipal() instanceof OAuth2ClientAuthenticationToken clientAuthentication) {
+		if (this.context.getAuthorizationGrant().getPrincipal() instanceof OAuth2ClientAuthenticationToken clientAuthentication) {
 
 			if ((TLS_CLIENT_AUTH_AUTHENTICATION_METHOD.equals(clientAuthentication.getClientAuthenticationMethod()) ||
 					SELF_SIGNED_TLS_CLIENT_AUTH_AUTHENTICATION_METHOD.equals(clientAuthentication.getClientAuthenticationMethod())) &&
@@ -68,6 +79,31 @@ public void accept(Map<String, Object> claims) {
 				}
 			}
 		}
+
+		// Add claims for Token Exchange Grant
+		if (this.context.getAuthorizationGrant() instanceof OAuth2TokenExchangeAuthenticationToken tokenExchangeAuthentication) {
+
+			// Append audience value(s) from request to 'aud' claim
+			if (!CollectionUtils.isEmpty(tokenExchangeAuthentication.getAudiences())) {
+				List<String> audiences = getAudienceClaim(claims);
+				audiences.addAll(tokenExchangeAuthentication.getAudiences());
+				claims.put(OAuth2TokenClaimNames.AUD, audiences);
+			}
+
+			// Add 'act' claim for delegation. If more than one actor is present,
+			// we create a chain of delegation by nesting "act" claims.
+			if (this.context.getPrincipal() instanceof OAuth2TokenExchangeCompositeAuthenticationToken compositeAuthenticationToken) {
+				Map<String, Object> currentClaims = claims;
+				for (OAuth2TokenExchangeActor actor : compositeAuthenticationToken.getActors()) {
+					Map<String, Object> actorClaims = actor.getClaims();
+					Map<String, Object> actClaim = new LinkedHashMap<>();
+					actClaim.put(OAuth2TokenClaimNames.ISS, actorClaims.get(OAuth2TokenClaimNames.ISS));
+					actClaim.put(OAuth2TokenClaimNames.SUB, actorClaims.get(OAuth2TokenClaimNames.SUB));
+					currentClaims.put("act", Collections.unmodifiableMap(actClaim));
+					currentClaims = actClaim;
+				}
+			}
+		}
 	}
 
 	private static String computeSHA256Thumbprint(X509Certificate x509Certificate) throws Exception {
@@ -76,4 +112,10 @@ private static String computeSHA256Thumbprint(X509Certificate x509Certificate) t
 		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
 	}
 
+	@SuppressWarnings("unchecked")
+	private static List<String> getAudienceClaim(Map<String, Object> claims) {
+		List<String> audiences = (List<String>) claims.getOrDefault(OAuth2TokenClaimNames.AUD, Collections.emptyList());
+		return new ArrayList<>(audiences);
+	}
+
 }

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenExchangeTokenCustomizers.java

@@ -0,0 +1,131 @@
+/*
+ * Copyright 2020-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.token;
+
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.function.Consumer;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.security.authentication.TestingAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+/**
+ * Tests for {@link DefaultOAuth2TokenClaimsConsumer}.
+ *
+ * @author Steve Riesenberg
+ */
+public class DefaultOAuth2TokenClaimsConsumerTests {
+
+	private OAuth2TokenContext tokenContext;
+
+	private Consumer<Map<String, Object>> consumer;
+
+	@BeforeEach
+	public void setUp() {
+		this.tokenContext = mock(OAuth2TokenContext.class);
+		this.consumer = new DefaultOAuth2TokenClaimsConsumer(this.tokenContext);
+	}
+
+	@Test
+	public void acceptWhenTokenTypeIsRefreshTokenThenNoClaimsAdded() {
+		when(this.tokenContext.getTokenType()).thenReturn(OAuth2TokenType.REFRESH_TOKEN);
+		Map<String, Object> claims = new LinkedHashMap<>();
+		this.consumer.accept(claims);
+		assertThat(claims).isEmpty();
+	}
+
+	@Test
+	public void acceptWhenAuthorizationGrantIsNullThenNoClaimsAdded() {
+		when(this.tokenContext.getTokenType()).thenReturn(OAuth2TokenType.ACCESS_TOKEN);
+		when(this.tokenContext.getAuthorizationGrant()).thenReturn(null);
+		Map<String, Object> claims = new LinkedHashMap<>();
+		this.consumer.accept(claims);
+		assertThat(claims).isEmpty();
+	}
+
+	@Test
+	public void acceptWhenTokenExchangeAndAudiencesEmptyThenNoClaimsAdded() {
+		OAuth2TokenExchangeAuthenticationToken tokenExchangeAuthentication = mock(
+				OAuth2TokenExchangeAuthenticationToken.class);
+		when(tokenExchangeAuthentication.getAudiences()).thenReturn(Collections.emptySet());
+		when(this.tokenContext.getTokenType()).thenReturn(OAuth2TokenType.ACCESS_TOKEN);
+		when(this.tokenContext.getAuthorizationGrant()).thenReturn(tokenExchangeAuthentication);
+		Map<String, Object> claims = new LinkedHashMap<>();
+		this.consumer.accept(claims);
+		assertThat(claims).isEmpty();
+	}
+
+	@Test
+	public void acceptWhenTokenExchangeGrantAndAudiencesThenAudClaimAppended() {
+		OAuth2TokenExchangeAuthenticationToken tokenExchangeAuthentication = mock(
+				OAuth2TokenExchangeAuthenticationToken.class);
+		when(tokenExchangeAuthentication.getAudiences()).thenReturn(Set.of("audience1", "audience2"));
+		when(this.tokenContext.getTokenType()).thenReturn(OAuth2TokenType.ACCESS_TOKEN);
+		when(this.tokenContext.getAuthorizationGrant()).thenReturn(tokenExchangeAuthentication);
+		Map<String, Object> claims = new LinkedHashMap<>();
+		claims.put(OAuth2TokenClaimNames.AUD, List.of("client1"));
+		this.consumer.accept(claims);
+		assertThat(claims).hasSize(1);
+		assertThat(claims.get(OAuth2TokenClaimNames.AUD)).isNotNull();
+		@SuppressWarnings("unchecked")
+		List<String> audiences = (List<String>) claims.get(OAuth2TokenClaimNames.AUD);
+		assertThat(audiences).containsExactly("client1", "audience1", "audience2");
+	}
+
+	@Test
+	public void acceptWhenTokenExchangeGrantAndDelegationThenActClaimAdded() {
+		OAuth2TokenExchangeAuthenticationToken tokenExchangeAuthentication = mock(
+				OAuth2TokenExchangeAuthenticationToken.class);
+		when(tokenExchangeAuthentication.getAudiences()).thenReturn(Collections.emptySet());
+		when(this.tokenContext.getTokenType()).thenReturn(OAuth2TokenType.ACCESS_TOKEN);
+		when(this.tokenContext.getAuthorizationGrant()).thenReturn(tokenExchangeAuthentication);
+		Authentication subject = new TestingAuthenticationToken("subject", null);
+		OAuth2TokenExchangeActor actor1 = new OAuth2TokenExchangeActor(Map.of(OAuth2TokenClaimNames.ISS, "issuer1",
+				OAuth2TokenClaimNames.SUB, "actor1"));
+		OAuth2TokenExchangeActor actor2 = new OAuth2TokenExchangeActor(Map.of(OAuth2TokenClaimNames.ISS, "issuer2",
+				OAuth2TokenClaimNames.SUB, "actor2"));
+		OAuth2TokenExchangeCompositeAuthenticationToken principal = new OAuth2TokenExchangeCompositeAuthenticationToken(
+				subject, List.of(actor1, actor2));
+		when(this.tokenContext.getPrincipal()).thenReturn(principal);
+		Map<String, Object> claims = new LinkedHashMap<>();
+		this.consumer.accept(claims);
+		assertThat(claims).hasSize(1);
+		assertThat(claims.get("act")).isNotNull();
+		@SuppressWarnings("unchecked")
+		Map<String, Object> actClaim1 = (Map<String, Object>) claims.get("act");
+		assertThat(actClaim1.get(OAuth2TokenClaimNames.ISS)).isEqualTo("issuer1");
+		assertThat(actClaim1.get(OAuth2TokenClaimNames.SUB)).isEqualTo("actor1");
+		@SuppressWarnings("unchecked")
+		Map<String, Object> actClaim2 = (Map<String, Object>) actClaim1.get("act");
+		assertThat(actClaim2.get(OAuth2TokenClaimNames.ISS)).isEqualTo("issuer2");
+		assertThat(actClaim2.get(OAuth2TokenClaimNames.SUB)).isEqualTo("actor2");
+	}
+
+}