
Commit ddb2cd4

Use constants from Spring Security 6.3
Issue gh-60 Issue gh-1562
1 parent ea026ad commit ddb2cd4


6 files changed

+40
-69
lines changed


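--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationProvider.java
@@ -37,6 +37,7 @@
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2Token;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
@@ -70,15 +71,10 @@ public final class OAuth2TokenExchangeAuthenticationProvider implements Authenti
 
 private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
 
-private static final AuthorizationGrantType TOKEN_EXCHANGE = new AuthorizationGrantType(
-"urn:ietf:params:oauth:grant-type:token-exchange");
-
 private static final String JWT_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:jwt";
 
 private static final String MAY_ACT = "may_act";
 
-private static final String ISSUED_TOKEN_TYPE = "issued_token_type";
-
 private final Log logger = LogFactory.getLog(getClass());
 
 private final OAuth2AuthorizationService authorizationService;
@@ -112,7 +108,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 this.logger.trace("Retrieved registered client");
 }
 
-if (!registeredClient.getAuthorizationGrantTypes().contains(TOKEN_EXCHANGE)) {
+if (!registeredClient.getAuthorizationGrantTypes().contains(AuthorizationGrantType.TOKEN_EXCHANGE)) {
 throw new OAuth2AuthenticationException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
 }
 
@@ -218,7 +214,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 .authorizationServerContext(AuthorizationServerContextHolder.getContext())
 .authorizedScopes(authorizedScopes)
 .tokenType(OAuth2TokenType.ACCESS_TOKEN)
-.authorizationGrantType(TOKEN_EXCHANGE)
+.authorizationGrantType(AuthorizationGrantType.TOKEN_EXCHANGE)
 .authorizationGrant(tokenExchangeAuthentication);
 // @formatter:on
 
@@ -242,7 +238,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 // @formatter:off
 OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
 .principalName(subjectAuthorization.getPrincipalName())
-.authorizationGrantType(TOKEN_EXCHANGE)
+.authorizationGrantType(AuthorizationGrantType.TOKEN_EXCHANGE)
 .authorizedScopes(authorizedScopes)
 .attribute(Principal.class.getName(), principal);
 // @formatter:on
@@ -264,7 +260,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 }
 
 Map<String, Object> additionalParameters = new HashMap<>();
-additionalParameters.put(ISSUED_TOKEN_TYPE, tokenExchangeAuthentication.getRequestedTokenType());
+additionalParameters.put(OAuth2ParameterNames.ISSUED_TOKEN_TYPE, tokenExchangeAuthentication.getRequestedTokenType());
 
 if (this.logger.isTraceEnabled()) {
 this.logger.trace("Authenticated token request");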
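Review bot: The references to `AuthorizationGrantType.TOKEN_EXCHANGE` (new line 111, and again in the other five files of this commit) and `OAuth2ParameterNames.ISSUED_TOKEN_TYPE` (new line 263) only resolve against Spring Security 6.3 or later, as the commit title says, yet none of the six changed files is a build descriptor, so it is not visible here whether the declared spring-security dependency was already raised to 6.3. If it was not, this compiles only against a newer classpath than the project declares; confirming or bumping the version in the same change would keep the build self-consistent. Behaviour should be unchanged, since both constants presumably carry the same string values as the removed literals (`"urn:ietf:params:oauth:grant-type:token-exchange"` and `"issued_token_type"`) — worth a quick check against the 6.3 sources. The enclosing `authenticate` method starts and ends outside these hunks.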

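--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationToken.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationToken.java
@@ -36,9 +36,6 @@
 */
 public class OAuth2TokenExchangeAuthenticationToken extends OAuth2AuthorizationGrantAuthenticationToken {
 
-private static final AuthorizationGrantType TOKEN_EXCHANGE = new AuthorizationGrantType(
-"urn:ietf:params:oauth:grant-type:token-exchange");
-
 private final List<String> resources;
 
 private final List<String> audiences;
@@ -73,7 +70,7 @@ public OAuth2TokenExchangeAuthenticationToken(List<String> resources, List<Strin
 @Nullable Set<String> scopes, @Nullable String requestedTokenType, String subjectToken,
 String subjectTokenType, @Nullable String actorToken, @Nullable String actorTokenType,
 Authentication clientPrincipal, @Nullable Map<String, Object> additionalParameters) {
-super(TOKEN_EXCHANGE, clientPrincipal, additionalParameters);
+super(AuthorizationGrantType.TOKEN_EXCHANGE, clientPrincipal, additionalParameters);
 Assert.notNull(resources, "resources cannot be null");
 Assert.notNull(audiences, "audiences cannot be null");
 Assert.hasText(requestedTokenType, "requestedTokenType cannot be empty");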

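--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenExchangeTokenCustomizers.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2TokenExchangeTokenCustomizers.java
@@ -38,9 +38,6 @@
 */
 final class OAuth2TokenExchangeTokenCustomizers {
 
-private static final AuthorizationGrantType TOKEN_EXCHANGE = new AuthorizationGrantType(
-"urn:ietf:params:oauth:grant-type:token-exchange");
-
 private OAuth2TokenExchangeTokenCustomizers() {
 }
 
@@ -53,7 +50,7 @@ static OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessToken() {
 }
 
 private static void customize(OAuth2TokenContext context, Map<String, Object> claims) {
-if (!TOKEN_EXCHANGE.equals(context.getAuthorizationGrantType())) {
+if (!AuthorizationGrantType.TOKEN_EXCHANGE.equals(context.getAuthorizationGrantType())) {
 return;
 }
 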
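--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java
@@ -105,8 +105,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 .grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
 .grantType(AuthorizationGrantType.REFRESH_TOKEN.getValue())
 .grantType(AuthorizationGrantType.DEVICE_CODE.getValue())
-// TODO: Replace with constant from spring-security:
-.grantType(new AuthorizationGrantType("urn:ietf:params:oauth:grant-type:token-exchange").getValue())
+.grantType(AuthorizationGrantType.TOKEN_EXCHANGE.getValue())
 .tokenRevocationEndpoint(asUrl(issuer, authorizationServerSettings.getTokenRevocationEndpoint()))
 .tokenRevocationEndpointAuthenticationMethods(clientAuthenticationMethods())
 .tokenIntrospectionEndpoint(asUrl(issuer, authorizationServerSettings.getTokenIntrospectionEndpoint()))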

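--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationServerMetadataEndpointFilter.java
@@ -101,8 +101,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 .grantType(AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
 .grantType(AuthorizationGrantType.REFRESH_TOKEN.getValue())
 .grantType(AuthorizationGrantType.DEVICE_CODE.getValue())
-// TODO: Replace with constant from spring-security:
-.grantType(new AuthorizationGrantType("urn:ietf:params:oauth:grant-type:token-exchange").getValue())
+.grantType(AuthorizationGrantType.TOKEN_EXCHANGE.getValue())
 .tokenRevocationEndpoint(asUrl(issuer, authorizationServerSettings.getTokenRevocationEndpoint()))
 .tokenRevocationEndpointAuthenticationMethods(clientAuthenticationMethods())
 .tokenIntrospectionEndpoint(asUrl(issuer, authorizationServerSettings.getTokenIntrospectionEndpoint()))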

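--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenExchangeAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2TokenExchangeAuthenticationConverter.java
@@ -56,23 +56,6 @@ public final class OAuth2TokenExchangeAuthenticationConverter implements Authent
 
 private static final String TOKEN_TYPE_IDENTIFIERS_URI = "https://datatracker.ietf.org/doc/html/rfc8693#section-3";
 
-private static final AuthorizationGrantType TOKEN_EXCHANGE = new AuthorizationGrantType(
-"urn:ietf:params:oauth:grant-type:token-exchange");
-
-private static final String AUDIENCE = "audience";
-
-private static final String RESOURCE = "resource";
-
-private static final String REQUESTED_TOKEN_TYPE = "requested_token_type";
-
-private static final String SUBJECT_TOKEN = "subject_token";
-
-private static final String SUBJECT_TOKEN_TYPE = "subject_token_type";
-
-private static final String ACTOR_TOKEN = "actor_token";
-
-private static final String ACTOR_TOKEN_TYPE = "actor_token_type";
-
 private static final String ACCESS_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:access_token";
 
 private static final String JWT_TOKEN_TYPE_VALUE = "urn:ietf:params:oauth:token-type:jwt";
@@ -86,27 +69,27 @@ public Authentication convert(HttpServletRequest request) {
 
 // grant_type (REQUIRED)
 String grantType = parameters.getFirst(OAuth2ParameterNames.GRANT_TYPE);
-if (!TOKEN_EXCHANGE.getValue().equals(grantType)) {
+if (!AuthorizationGrantType.TOKEN_EXCHANGE.getValue().equals(grantType)) {
 return null;
 }
 
 Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
 
 // resource (OPTIONAL)
-List<String> resources = parameters.getOrDefault(RESOURCE, Collections.emptyList());
+List<String> resources = parameters.getOrDefault(OAuth2ParameterNames.RESOURCE, Collections.emptyList());
 if (!CollectionUtils.isEmpty(resources)) {
 for (String resource : resources) {
 if (!isValidUri(resource)) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,
-RESOURCE,
+OAuth2ParameterNames.RESOURCE,
 OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
 }
 }
 }
 
 // audience (OPTIONAL)
-List<String> audiences = parameters.getOrDefault(AUDIENCE, Collections.emptyList());
+List<String> audiences = parameters.getOrDefault(OAuth2ParameterNames.AUDIENCE, Collections.emptyList());
 
 // scope (OPTIONAL)
 String scope = parameters.getFirst(OAuth2ParameterNames.SCOPE);
@@ -125,87 +108,87 @@ public Authentication convert(HttpServletRequest request) {
 }
 
 // requested_token_type (OPTIONAL)
-String requestedTokenType = parameters.getFirst(REQUESTED_TOKEN_TYPE);
+String requestedTokenType = parameters.getFirst(OAuth2ParameterNames.REQUESTED_TOKEN_TYPE);
 if (StringUtils.hasText(requestedTokenType)) {
-if (parameters.get(REQUESTED_TOKEN_TYPE).size() != 1) {
+if (parameters.get(OAuth2ParameterNames.REQUESTED_TOKEN_TYPE).size() != 1) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,
-REQUESTED_TOKEN_TYPE,
+OAuth2ParameterNames.REQUESTED_TOKEN_TYPE,
 OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
 }
 
-validateTokenType(REQUESTED_TOKEN_TYPE, requestedTokenType);
+validateTokenType(OAuth2ParameterNames.REQUESTED_TOKEN_TYPE, requestedTokenType);
 } else {
 requestedTokenType = ACCESS_TOKEN_TYPE_VALUE;
 }
 
 // subject_token (REQUIRED)
-String subjectToken = parameters.getFirst(SUBJECT_TOKEN);
+String subjectToken = parameters.getFirst(OAuth2ParameterNames.SUBJECT_TOKEN);
 if (!StringUtils.hasText(subjectToken) ||
-parameters.get(SUBJECT_TOKEN).size() != 1) {
+parameters.get(OAuth2ParameterNames.SUBJECT_TOKEN).size() != 1) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,
-SUBJECT_TOKEN,
+OAuth2ParameterNames.SUBJECT_TOKEN,
 OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
 }
 
 // subject_token_type (REQUIRED)
-String subjectTokenType = parameters.getFirst(SUBJECT_TOKEN_TYPE);
+String subjectTokenType = parameters.getFirst(OAuth2ParameterNames.SUBJECT_TOKEN_TYPE);
 if (!StringUtils.hasText(subjectTokenType) ||
-parameters.get(SUBJECT_TOKEN_TYPE).size() != 1) {
+parameters.get(OAuth2ParameterNames.SUBJECT_TOKEN_TYPE).size() != 1) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,
-SUBJECT_TOKEN_TYPE,
+OAuth2ParameterNames.SUBJECT_TOKEN_TYPE,
 OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
 } else {
-validateTokenType(SUBJECT_TOKEN_TYPE, subjectTokenType);
+validateTokenType(OAuth2ParameterNames.SUBJECT_TOKEN_TYPE, subjectTokenType);
 }
 
 // actor_token (OPTIONAL, REQUIRED if actor_token_type is provided)
-String actorToken = parameters.getFirst(ACTOR_TOKEN);
+String actorToken = parameters.getFirst(OAuth2ParameterNames.ACTOR_TOKEN);
 if (StringUtils.hasText(actorToken) &&
-parameters.get(ACTOR_TOKEN).size() != 1) {
+parameters.get(OAuth2ParameterNames.ACTOR_TOKEN).size() != 1) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,
-ACTOR_TOKEN,
+OAuth2ParameterNames.ACTOR_TOKEN,
 OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
 }
 
 // actor_token_type (OPTIONAL, REQUIRED if actor_token is provided)
-String actorTokenType = parameters.getFirst(ACTOR_TOKEN_TYPE);
+String actorTokenType = parameters.getFirst(OAuth2ParameterNames.ACTOR_TOKEN_TYPE);
 if (StringUtils.hasText(actorTokenType)) {
-if (parameters.get(ACTOR_TOKEN_TYPE).size() != 1) {
+if (parameters.get(OAuth2ParameterNames.ACTOR_TOKEN_TYPE).size() != 1) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,
-ACTOR_TOKEN_TYPE,
+OAuth2ParameterNames.ACTOR_TOKEN_TYPE,
 OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
 }
 
-validateTokenType(ACTOR_TOKEN_TYPE, actorTokenType);
+validateTokenType(OAuth2ParameterNames.ACTOR_TOKEN_TYPE, actorTokenType);
 }
 
 if (!StringUtils.hasText(actorToken) && StringUtils.hasText(actorTokenType)) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,
-ACTOR_TOKEN,
+OAuth2ParameterNames.ACTOR_TOKEN,
 OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
 } else if (StringUtils.hasText(actorToken) && !StringUtils.hasText(actorTokenType)) {
 OAuth2EndpointUtils.throwError(
 OAuth2ErrorCodes.INVALID_REQUEST,
-ACTOR_TOKEN_TYPE,
+OAuth2ParameterNames.ACTOR_TOKEN_TYPE,
 OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
 }
 
 Map<String, Object> additionalParameters = new HashMap<>();
 parameters.forEach((key, value) -> {
 if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
-!key.equals(RESOURCE) &&
-!key.equals(AUDIENCE) &&
-!key.equals(REQUESTED_TOKEN_TYPE) &&
-!key.equals(SUBJECT_TOKEN) &&
-!key.equals(SUBJECT_TOKEN_TYPE) &&
-!key.equals(ACTOR_TOKEN) &&
-!key.equals(ACTOR_TOKEN_TYPE) &&
+!key.equals(OAuth2ParameterNames.RESOURCE) &&
+!key.equals(OAuth2ParameterNames.AUDIENCE) &&
+!key.equals(OAuth2ParameterNames.REQUESTED_TOKEN_TYPE) &&
+!key.equals(OAuth2ParameterNames.AUDIENCE) &&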

0 commit comments

Comments
 (0)