Cwikius-Spring/spring-security
1
0
Fork 0
mirror of synced 2026-05-22 13:23:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

OAuth2DeviceVerificationEndpointFilter is applied after AuthorizationFilter

Browse Source 
Closes gh-18873
This commit is contained in:
Joe Grandja
2026-03-10 14:14:42 -04:00
parent e8e0da1ec6
commit 1906075b0c
6 changed files with 18 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files
oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java
+1 -3
View File
@@ -132,9 +132,7 @@ public final class OAuth2DeviceVerificationAuthenticationProvider implements Aut
if (this.logger.isTraceEnabled()) {
this.logger.trace("Did not authenticate device verification request since principal not authenticated");
}
// Return the device verification request as-is where isAuthenticated() is
// false
return deviceVerificationAuthentication;
throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
}
RegisteredClient registeredClient = this.registeredClientRepository
oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java
-9
View File
@@ -161,15 +161,6 @@ public final class OAuth2DeviceVerificationEndpointFilter extends OncePerRequest
}
Authentication authenticationResult = this.authenticationManager.authenticate(authentication);
if (!authenticationResult.isAuthenticated()) {
// If the Principal (Resource Owner) is not authenticated then pass
// through the chain
// with the expectation that the authentication process will commence via
// AuthenticationEntryPoint
filterChain.doFilter(request, response);
return;
}
if (authenticationResult instanceof OAuth2DeviceAuthorizationConsentAuthenticationToken) {
if (this.logger.isTraceEnabled()) {
this.logger.trace("Device authorization consent is required");
oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProviderTests.java
+13 -7
View File
@@ -227,7 +227,7 @@ public class OAuth2DeviceVerificationAuthenticationProviderTests {
}
@Test
public void authenticateWhenPrincipalNotAuthenticatedThenReturnUnauthenticated() {
public void authenticateWhenPrincipalNotAuthenticatedThenThrowOAuth2AuthenticationException() {
RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
// @formatter:off
OAuth2Authorization authorization = TestOAuth2Authorizations
@@ -237,15 +237,21 @@ public class OAuth2DeviceVerificationAuthenticationProviderTests {
.attribute(OAuth2ParameterNames.SCOPE, registeredClient.getScopes())
.build();
// @formatter:on
TestingAuthenticationToken principal = new TestingAuthenticationToken("user", null);
TestingAuthenticationToken principal = new TestingAuthenticationToken("anonymous", null);
principal.setAuthenticated(false);
Authentication authentication = new OAuth2DeviceVerificationAuthenticationToken(principal, USER_CODE,
Collections.emptyMap());
given(this.authorizationService.findByToken(anyString(), any(OAuth2TokenType.class))).willReturn(authorization);
given(this.authorizationService.findByToken(eq(USER_CODE),
eq(OAuth2DeviceVerificationAuthenticationProvider.USER_CODE_TOKEN_TYPE)))
.willReturn(authorization);
OAuth2DeviceVerificationAuthenticationToken authenticationResult = (OAuth2DeviceVerificationAuthenticationToken) this.authenticationProvider
.authenticate(authentication);
assertThat(authenticationResult).isEqualTo(authentication);
assertThat(authenticationResult.isAuthenticated()).isFalse();
// @formatter:off
assertThatExceptionOfType(OAuth2AuthenticationException.class)
.isThrownBy(() -> this.authenticationProvider.authenticate(authentication))
.extracting(OAuth2AuthenticationException::getError)
.extracting(OAuth2Error::getErrorCode)
.isEqualTo(OAuth2ErrorCodes.INVALID_REQUEST);
// @formatter:on
verify(this.authorizationService).findByToken(USER_CODE,
OAuth2DeviceVerificationAuthenticationProvider.USER_CODE_TOKEN_TYPE);
oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilterTests.java
-15
View File
@@ -166,21 +166,6 @@ public class OAuth2DeviceVerificationEndpointFilterTests {
verifyNoInteractions(this.authenticationManager);
}
@Test
public void doFilterWhenUnauthenticatedThenPassThrough() throws Exception {
TestingAuthenticationToken unauthenticatedResult = new TestingAuthenticationToken("user", null);
given(this.authenticationManager.authenticate(any(Authentication.class))).willReturn(unauthenticatedResult);
MockHttpServletRequest request = createRequest();
request.addParameter(OAuth2ParameterNames.USER_CODE, USER_CODE);
updateQueryString(request);
MockHttpServletResponse response = new MockHttpServletResponse();
FilterChain filterChain = mock(FilterChain.class);
this.filter.doFilter(request, response, filterChain);
verify(this.authenticationManager).authenticate(any(Authentication.class));
verify(filterChain).doFilter(request, response);
}
@Test
public void doFilterWhenDeviceAuthorizationConsentRequestThenSuccess() throws Exception {
Authentication authenticationResult = createDeviceVerificationAuthentication();