From 435e3896094eb62fa2fd8d08e00f4247c87afe92 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Tue, 30 May 2017 14:19:28 -0400
Subject: [PATCH] Change ClientAuthenticationMethod from enum to class

Fixes gh-4313
---
 ...NimbusAuthorizationCodeTokenExchanger.java | 2 +-
 .../registration/ClientRegistration.java | 4 +--
 .../ClientRegistrationProperties.java | 2 +-
 .../core/ClientAuthenticationMethod.java | 31 +++++++++++++++----
 samples/boot/oauth2login/README.adoc | 16 +++++-----
 .../META-INF/oauth2-clients-defaults.yml | 8 ++---
 6 files changed, 41 insertions(+), 22 deletions(-)

diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/nimbus/NimbusAuthorizationCodeTokenExchanger.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/nimbus/NimbusAuthorizationCodeTokenExchanger.java
index 3b73d945b8..9ddbad61bb 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/nimbus/NimbusAuthorizationCodeTokenExchanger.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/nimbus/NimbusAuthorizationCodeTokenExchanger.java
@@ -78,7 +78,7 @@ public class NimbusAuthorizationCodeTokenExchanger implements AuthorizationGrant
 ClientID clientId = new ClientID(clientRegistration.getClientId());
 Secret clientSecret = new Secret(clientRegistration.getClientSecret());
 ClientAuthentication clientAuthentication;
- if (ClientAuthenticationMethod.FORM.equals(clientRegistration.getClientAuthenticationMethod())) {
+ if (ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
 clientAuthentication = new ClientSecretPost(clientId, clientSecret);
 } else {
 clientAuthentication = new ClientSecretBasic(clientId, clientSecret);
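Review bot: The `else` branch at the end of the hunk still maps every method other than `POST` to HTTP Basic, and now that `ClientAuthenticationMethod` has a public constructor a registration whose method is neither `POST` nor `BASIC` (a typo in configuration, or a method this exchanger does not implement) will silently send the client secret in an `Authorization` header instead of failing. Making the supported set explicit and throwing on anything else keeps a misconfigured registration from authenticating in a way nobody asked for; a sketch follows. The enclosing method starts before the hunk, so whether a thrown `IllegalArgumentException` fits its declared contract is not visible here.
```java
if (ClientAuthenticationMethod.POST.equals(clientRegistration.getClientAuthenticationMethod())) {
	clientAuthentication = new ClientSecretPost(clientId, clientSecret);
} else if (ClientAuthenticationMethod.BASIC.equals(clientRegistration.getClientAuthenticationMethod())) {
	clientAuthentication = new ClientSecretBasic(clientId, clientSecret);
} else {
	// Fail closed: never fall back to sending the client secret with a method the registration did not ask for.
	throw new IllegalArgumentException("Unsupported client authentication method: "
			+ clientRegistration.getClientAuthenticationMethod().getValue());
}
```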
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
index 63eeeca05e..61338dc16d 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java
@@ -35,7 +35,7 @@ import java.util.Set;
 public class ClientRegistration {
 private String clientId;
 private String clientSecret;
- private ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.HEADER;
+ private ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.BASIC;
 private AuthorizationGrantType authorizedGrantType;
 private String redirectUri;
 private Set scopes = Collections.emptySet();
@@ -154,7 +154,7 @@ public class ClientRegistration {
 public static class Builder {
 protected String clientId;
 protected String clientSecret;
- protected ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.HEADER;
+ protected ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.BASIC;
 protected AuthorizationGrantType authorizedGrantType;
 protected String redirectUri;
 protected Set scopes;
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrationProperties.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrationProperties.java
index da2afc5e5a..8a6c48be74 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrationProperties.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrationProperties.java
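Review bot: The new default `ClientAuthenticationMethod.BASIC` is written out three times — on the `ClientRegistration` field here, on the `Builder` field in the second hunk, and on `ClientRegistrationProperties` in the next file — so a later change to the default has to be repeated in each place. A single constant on `ClientRegistration`, `private static final ClientAuthenticationMethod DEFAULT_CLIENT_AUTHENTICATION_METHOD = ClientAuthenticationMethod.BASIC;`, referenced from the builder and the properties class would keep them in step. The choice also deserves a why-comment on the field, e.g. `// HTTP Basic is the client authentication scheme RFC 6749 §2.3.1 requires every authorization server to support`. Both class bodies continue outside the hunks, so whether `build()` rejects a null method set through the builder cannot be checked here.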
@@ -35,7 +35,7 @@ import java.util.Set;
 public class ClientRegistrationProperties {
 private String clientId;
 private String clientSecret;
- private ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.HEADER;
+ private ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.BASIC;
 private AuthorizationGrantType authorizedGrantType;
 private String redirectUri;
 private Set scopes;
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/ClientAuthenticationMethod.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/ClientAuthenticationMethod.java
index 19a3bf1031..957cd0a0c8 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/ClientAuthenticationMethod.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/ClientAuthenticationMethod.java
@@ -15,6 +15,8 @@
 */
 package org.springframework.security.oauth2.core;
+import org.springframework.util.Assert;
+
 /**
 * The available authentication methods used when authenticating the client with the authorization server.
 *
@@ -22,17 +24,34 @@ package org.springframework.security.oauth2.core;
 * @since 5.0
 * @see Section 2.3 Client Authentication
 */
-public enum ClientAuthenticationMethod {
- HEADER("header"),
- FORM("form");
-
+public final class ClientAuthenticationMethod {
+ public static final ClientAuthenticationMethod BASIC = new ClientAuthenticationMethod("basic");
+ public static final ClientAuthenticationMethod POST = new ClientAuthenticationMethod("post");
 private final String value;
- ClientAuthenticationMethod(String value) {
+ public ClientAuthenticationMethod(String value) {
+ Assert.hasText(value, "value cannot be empty");
 this.value = value;
 }
- public String value() {
+ public String getValue() {
 return this.value;
 }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj == null || this.getClass() != obj.getClass()) {
+ return false;
+ }
+ ClientAuthenticationMethod that = (ClientAuthenticationMethod) obj;
+ return this.getValue().equalsIgnoreCase(that.getValue());
+ }
+
+ @Override
+ public int hashCode() {
+ return this.getValue().hashCode();
+ }
 }
diff --git a/samples/boot/oauth2login/README.adoc b/samples/boot/oauth2login/README.adoc
index 31ec3c74a8..0b6cb04832 100644
--- a/samples/boot/oauth2login/README.adoc
+++ b/samples/boot/oauth2login/README.adoc
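Review bot: `hashCode()` at the end of the hunk is inconsistent with `equals()`: `equals` compares values with `equalsIgnoreCase`, so `new ClientAuthenticationMethod("Basic")` equals `BASIC`, yet `"Basic".hashCode()` differs from `"basic".hashCode()`, which breaks the `Object` contract and makes this type unreliable as a `HashMap`/`HashSet` key. Either fold the case handling into the hash, `return this.getValue().toLowerCase(Locale.ROOT).hashCode();` (with `import java.util.Locale;`), or make `equals` exact and have the configuration layer lower-case what it reads. The constructor is now public but undocumented: its Javadoc should name `value` and add `@throws IllegalArgumentException if {@code value} is empty` for the `Assert.hasText` line, and `BASIC`/`POST` should each say which token-endpoint mechanism they select (the Nimbus exchanger in the first hunk maps them to `ClientSecretBasic` and `ClientSecretPost`).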
@@ -393,7 +393,7 @@ The following specifies the common set of properties available for configuring a
 - At the base of the *_client property key_* are the properties for specifying the configuration for an OAuth Client.
 ====
-- *client-authentication-method* - the method used to authenticate the _Client_ with the _Provider_. Supported values are *header* and *form*.
+- *client-authentication-method* - the method used to authenticate the _Client_ with the _Provider_. Supported values are *basic* and *post*.
 - *authorized-grant-type* - the OAuth 2.0 Authorization Framework defines the https://tools.ietf.org/html/rfc6749#section-1.3.1[Authorization Code] grant type, which is used to realize the _"authentication flow"_. Currently, this is the only supported grant type.
 - *redirect-uri* - this is the client's _registered_ redirect URI that the _Authorization Server_ redirects the end-user's user-agent
@@ -443,7 +443,7 @@ security:
 oauth2:
 client:
 google:
- client-authentication-method: header
+ client-authentication-method: basic
 authorized-grant-type: authorization_code
 redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{clientAlias}"
 scopes: openid, email, profile
@@ -454,7 +454,7 @@ security:
 client-name: Google
 client-alias: google
 github:
- client-authentication-method: header
+ client-authentication-method: basic
 authorized-grant-type: authorization_code
 redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{clientAlias}"
 scopes: user
@@ -465,7 +465,7 @@ security:
 client-name: GitHub
 client-alias: github
 facebook:
- client-authentication-method: form
+ client-authentication-method: post
 authorized-grant-type: authorization_code
 redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{clientAlias}"
 scopes: public_profile, email
@@ -476,7 +476,7 @@ security:
 client-name: Facebook
 client-alias: facebook
 okta:
- client-authentication-method: header
+ client-authentication-method: basic
 authorized-grant-type: authorization_code
 redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{clientAlias}"
 scopes: openid, email, profile
@@ -503,7 +503,7 @@ Let's assume we have a _properties file_ named *oauth2-clients.properties* on th
 ----
 security.oauth2.client.google.client-id=${client-id}
 security.oauth2.client.google.client-secret=${client-secret}
-security.oauth2.client.google.client-authentication-method=header
+security.oauth2.client.google.client-authentication-method=basic
 security.oauth2.client.google.authorized-grant-type=authorization_code
 security.oauth2.client.google.redirect-uri=http://localhost:8080/oauth2/authorize/code/google
 security.oauth2.client.google.scopes=openid,email,profile
@@ -553,8 +553,8 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
 private ClientRegistration clientRegistration(String clientPropertyKey) {
 String clientId = this.environment.getProperty(clientPropertyKey + "client-id");
 String clientSecret = this.environment.getProperty(clientPropertyKey + "client-secret");
- ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.valueOf(
- this.environment.getProperty(clientPropertyKey + "client-authentication-method").toUpperCase());
+ ClientAuthenticationMethod clientAuthenticationMethod = new ClientAuthenticationMethod(
+ this.environment.getProperty(clientPropertyKey + "client-authentication-method"));
 AuthorizationGrantType authorizationGrantType = AuthorizationGrantType.valueOf(
 this.environment.getProperty(clientPropertyKey + "authorized-grant-type").toUpperCase());
 String redirectUri = this.environment.getProperty(clientPropertyKey + "redirect-uri");
diff --git a/samples/boot/oauth2login/src/main/resources/META-INF/oauth2-clients-defaults.yml b/samples/boot/oauth2login/src/main/resources/META-INF/oauth2-clients-defaults.yml
index 6ad5ed450a..3158611615 100644
--- a/samples/boot/oauth2login/src/main/resources/META-INF/oauth2-clients-defaults.yml
+++ b/samples/boot/oauth2login/src/main/resources/META-INF/oauth2-clients-defaults.yml
@@ -2,7 +2,7 @@ security:
 oauth2:
 client:
 google:
- client-authentication-method: header
+ client-authentication-method: basic
 authorized-grant-type: authorization_code
 redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{clientAlias}"
 scopes: openid, email, profile
@@ -13,7 +13,7 @@ security:
 client-name: Google
 client-alias: google
 github:
- client-authentication-method: header
+ client-authentication-method: basic
 authorized-grant-type: authorization_code
 redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{clientAlias}"
 scopes: user
@@ -24,7 +24,7 @@ security:
 client-name: GitHub
 client-alias: github
 facebook:
- client-authentication-method: form
+ client-authentication-method: post
 authorized-grant-type: authorization_code
 redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{clientAlias}"
 scopes: public_profile, email
@@ -35,7 +35,7 @@ security:
 client-name: Facebook
 client-alias: facebook
 okta:
- client-authentication-method: header
+ client-authentication-method: basic
 authorized-grant-type: authorization_code
 redirect-uri: "{scheme}://{serverName}:{serverPort}{baseAuthorizeUri}/{clientAlias}"
 scopes: openid, email, profile