Add RestClient implementations

Issue spring-projectsgh-13588
sjohnr · May 21, 2024 · c8ce3f1 · c8ce3f1
1 parent 30e6403
commit c8ce3f1
Show file tree

Hide file tree

Showing 6 changed files with 441 additions and 0 deletions.
diff --git a/...rk/security/oauth2/client/endpoint/AbstractRestClientOAuth2AccessTokenResponseClient.java b/...rk/security/oauth2/client/endpoint/AbstractRestClientOAuth2AccessTokenResponseClient.java
@@ -0,0 +1,214 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client.endpoint;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.converter.FormHttpMessageConverter;
+import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
+import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+import org.springframework.web.client.RestClient;
+import org.springframework.web.client.RestClient.RequestHeadersSpec;
+
+/**
+ * @author Steve Riesenberg
+ */
+abstract class AbstractRestClientOAuth2AccessTokenResponseClient<T extends AbstractOAuth2AuthorizationGrantRequest>
+		implements OAuth2AccessTokenResponseClient<T> {
+
+	// @formatter:off
+	private RestClient restClient = RestClient.builder()
+			.messageConverters((messageConverters) -> {
+				messageConverters.clear();
+				messageConverters.add(new FormHttpMessageConverter());
+				messageConverters.add(new OAuth2AccessTokenResponseHttpMessageConverter());
+			})
+			.defaultStatusHandler(new OAuth2ErrorResponseErrorHandler())
+			.build();
+	// @formatter:on
+
+	private Converter<T, RequestHeadersSpec<?>> requestEntityConverter = this::validatingPopulateRequest;
+
+	private Converter<T, HttpHeaders> headersConverter = new DefaultOAuth2TokenRequestHeadersConverter<>();
+
+	private Converter<T, MultiValueMap<String, String>> parametersConverter = this::createParameters;
+
+	@Override
+	public OAuth2AccessTokenResponse getTokenResponse(T grantRequest) {
+		Assert.notNull(grantRequest, "grantRequest cannot be null");
+		// @formatter:off
+		return this.requestEntityConverter.convert(grantRequest)
+				.retrieve()
+				.body(OAuth2AccessTokenResponse.class);
+		// @formatter:on
+	}
+
+	private RequestHeadersSpec<?> validatingPopulateRequest(T grantRequest) {
+		validateClientAuthenticationMethod(grantRequest);
+		return populateRequest(grantRequest);
+	}
+
+	private void validateClientAuthenticationMethod(T grantRequest) {
+		ClientRegistration clientRegistration = grantRequest.getClientRegistration();
+		ClientAuthenticationMethod clientAuthenticationMethod = clientRegistration.getClientAuthenticationMethod();
+		boolean supportedClientAuthenticationMethod = clientAuthenticationMethod.equals(ClientAuthenticationMethod.NONE)
+				|| clientAuthenticationMethod.equals(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+				|| clientAuthenticationMethod.equals(ClientAuthenticationMethod.CLIENT_SECRET_POST);
+		if (!supportedClientAuthenticationMethod) {
+			throw new IllegalArgumentException(String.format(
+					"This class supports `client_secret_basic`, `client_secret_post`, and `none` by default. Client [%s] is using [%s] instead. Please use a supported client authentication method, or use `set/addParametersConverter` or `set/addHeadersConverter` to supply an instance that supports [%s].",
+					clientRegistration.getRegistrationId(), clientAuthenticationMethod, clientAuthenticationMethod));
+		}
+	}
+
+	private RequestHeadersSpec<?> populateRequest(T grantRequest) {
+		return this.restClient.post()
+			.uri(grantRequest.getClientRegistration().getProviderDetails().getTokenUri())
+			.headers((headers) -> {
+				HttpHeaders headersToAdd = this.headersConverter.convert(grantRequest);
+				if (headersToAdd != null) {
+					headers.addAll(headersToAdd);
+				}
+			})
+			.body(this.parametersConverter.convert(grantRequest));
+	}
+
+	/**
+	 * Returns a {@link MultiValueMap} of the parameters used in the OAuth 2.0 Access
+	 * Token Request body.
+	 * @param grantRequest the authorization grant request
+	 * @return a {@link MultiValueMap} of the parameters used in the OAuth 2.0 Access
+	 * Token Request body
+	 */
+	MultiValueMap<String, String> createParameters(T grantRequest) {
+		ClientRegistration clientRegistration = grantRequest.getClientRegistration();
+		MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();
+		parameters.set(OAuth2ParameterNames.GRANT_TYPE, grantRequest.getGrantType().getValue());
+		if (!ClientAuthenticationMethod.CLIENT_SECRET_BASIC
+			.equals(clientRegistration.getClientAuthenticationMethod())) {
+			parameters.set(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId());
+		}
+		if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(clientRegistration.getClientAuthenticationMethod())) {
+			parameters.set(OAuth2ParameterNames.CLIENT_SECRET, clientRegistration.getClientSecret());
+		}
+		if (!CollectionUtils.isEmpty(clientRegistration.getScopes())) {
+			parameters.set(OAuth2ParameterNames.SCOPE,
+					StringUtils.collectionToDelimitedString(clientRegistration.getScopes(), " "));
+		}
+		return parameters;
+	}
+
+	/**
+	 * Sets the {@link RestClient} used when requesting the OAuth 2.0 Access Token
+	 * Response.
+	 * @param restClient the {@link RestClient} used when requesting the Access Token
+	 * Response
+	 */
+	public final void setRestClient(RestClient restClient) {
+		Assert.notNull(restClient, "webClient cannot be null");
+		this.restClient = restClient;
+	}
+
+	/**
+	 * Sets the {@link Converter} used for converting the
+	 * {@link AbstractOAuth2AuthorizationGrantRequest} instance to a {@link HttpHeaders}
+	 * used in the OAuth 2.0 Access Token Request headers.
+	 * @param headersConverter the {@link Converter} used for converting the
+	 * {@link AbstractOAuth2AuthorizationGrantRequest} to {@link HttpHeaders}
+	 */
+	public final void setHeadersConverter(Converter<T, HttpHeaders> headersConverter) {
+		Assert.notNull(headersConverter, "headersConverter cannot be null");
+		this.headersConverter = headersConverter;
+		this.requestEntityConverter = this::populateRequest;
+	}
+
+	/**
+	 * Add (compose) the provided {@code headersConverter} to the current
+	 * {@link Converter} used for converting the
+	 * {@link AbstractOAuth2AuthorizationGrantRequest} instance to a {@link HttpHeaders}
+	 * used in the OAuth 2.0 Access Token Request headers.
+	 * @param headersConverter the {@link Converter} to add (compose) to the current
+	 * {@link Converter} used for converting the
+	 * {@link AbstractOAuth2AuthorizationGrantRequest} to a {@link HttpHeaders}
+	 */
+	public final void addHeadersConverter(Converter<T, HttpHeaders> headersConverter) {
+		Assert.notNull(headersConverter, "headersConverter cannot be null");
+		Converter<T, HttpHeaders> currentHeadersConverter = this.headersConverter;
+		this.headersConverter = (authorizationGrantRequest) -> {
+			// Append headers using a Composite Converter
+			HttpHeaders headers = currentHeadersConverter.convert(authorizationGrantRequest);
+			if (headers == null) {
+				headers = new HttpHeaders();
+			}
+			HttpHeaders headersToAdd = headersConverter.convert(authorizationGrantRequest);
+			if (headersToAdd != null) {
+				headers.addAll(headersToAdd);
+			}
+			return headers;
+		};
+		this.requestEntityConverter = this::populateRequest;
+	}
+
+	/**
+	 * Sets the {@link Converter} used for converting the
+	 * {@link AbstractOAuth2AuthorizationGrantRequest} instance to a {@link MultiValueMap}
+	 * used in the OAuth 2.0 Access Token Request body.
+	 * @param parametersConverter the {@link Converter} used for converting the
+	 * {@link AbstractOAuth2AuthorizationGrantRequest} to {@link MultiValueMap}
+	 */
+	public final void setParametersConverter(Converter<T, MultiValueMap<String, String>> parametersConverter) {
+		Assert.notNull(parametersConverter, "parametersConverter cannot be null");
+		this.parametersConverter = parametersConverter;
+		this.requestEntityConverter = this::populateRequest;
+	}
+
+	/**
+	 * Add (compose) the provided {@code parametersConverter} to the current
+	 * {@link Converter} used for converting the
+	 * {@link AbstractOAuth2AuthorizationGrantRequest} instance to a {@link MultiValueMap}
+	 * used in the OAuth 2.0 Access Token Request body.
+	 * @param parametersConverter the {@link Converter} to add (compose) to the current
+	 * {@link Converter} used for converting the
+	 * {@link AbstractOAuth2AuthorizationGrantRequest} to a {@link MultiValueMap}
+	 */
+	public final void addParametersConverter(Converter<T, MultiValueMap<String, String>> parametersConverter) {
+		Assert.notNull(parametersConverter, "parametersConverter cannot be null");
+		Converter<T, MultiValueMap<String, String>> currentParametersConverter = this.parametersConverter;
+		this.parametersConverter = (authorizationGrantRequest) -> {
+			MultiValueMap<String, String> parameters = currentParametersConverter.convert(authorizationGrantRequest);
+			if (parameters == null) {
+				parameters = new LinkedMultiValueMap<>();
+			}
+			MultiValueMap<String, String> parametersToAdd = parametersConverter.convert(authorizationGrantRequest);
+			if (parametersToAdd != null) {
+				parameters.addAll(parametersToAdd);
+			}
+			return parameters;
+		};
+		this.requestEntityConverter = this::populateRequest;
+	}
+
+}
diff --git a/...ework/security/oauth2/client/endpoint/RestClientAuthorizationCodeTokenResponseClient.java b/...ework/security/oauth2/client/endpoint/RestClientAuthorizationCodeTokenResponseClient.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client.endpoint;
+
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
+import org.springframework.util.MultiValueMap;
+
+/**
+ * @author Steve Riesenberg
+ */
+public final class RestClientAuthorizationCodeTokenResponseClient
+		extends AbstractRestClientOAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> {
+
+	@Override
+	MultiValueMap<String, String> createParameters(OAuth2AuthorizationCodeGrantRequest grantRequest) {
+		OAuth2AuthorizationExchange authorizationExchange = grantRequest.getAuthorizationExchange();
+		MultiValueMap<String, String> parameters = super.createParameters(grantRequest);
+		parameters.remove(OAuth2ParameterNames.SCOPE);
+		parameters.set(OAuth2ParameterNames.CODE, authorizationExchange.getAuthorizationResponse().getCode());
+		String redirectUri = authorizationExchange.getAuthorizationRequest().getRedirectUri();
+		if (redirectUri != null) {
+			parameters.set(OAuth2ParameterNames.REDIRECT_URI, redirectUri);
+		}
+		String codeVerifier = authorizationExchange.getAuthorizationRequest()
+			.getAttribute(PkceParameterNames.CODE_VERIFIER);
+		if (codeVerifier != null) {
+			parameters.set(PkceParameterNames.CODE_VERIFIER, codeVerifier);
+		}
+		return parameters;
+	}
+
+}
diff --git a/...ework/security/oauth2/client/endpoint/RestClientClientCredentialsTokenResponseClient.java b/...ework/security/oauth2/client/endpoint/RestClientClientCredentialsTokenResponseClient.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client.endpoint;
+
+/**
+ * @author Steve Riesenberg
+ */
+public final class RestClientClientCredentialsTokenResponseClient
+		extends AbstractRestClientOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> {
+
+}
diff --git a/...ringframework/security/oauth2/client/endpoint/RestClientJwtBearerTokenResponseClient.java b/...ringframework/security/oauth2/client/endpoint/RestClientJwtBearerTokenResponseClient.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client.endpoint;
+
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.util.MultiValueMap;
+
+/**
+ * @author Steve Riesenberg
+ */
+public final class RestClientJwtBearerTokenResponseClient
+		extends AbstractRestClientOAuth2AccessTokenResponseClient<JwtBearerGrantRequest> {
+
+	@Override
+	MultiValueMap<String, String> createParameters(JwtBearerGrantRequest grantRequest) {
+		MultiValueMap<String, String> parameters = super.createParameters(grantRequest);
+		parameters.set(OAuth2ParameterNames.ASSERTION, grantRequest.getJwt().getTokenValue());
+		return parameters;
+	}
+
+}
diff --git a/...gframework/security/oauth2/client/endpoint/RestClientRefreshTokenTokenResponseClient.java b/...gframework/security/oauth2/client/endpoint/RestClientRefreshTokenTokenResponseClient.java
@@ -0,0 +1,66 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.client.endpoint;
+
+import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.util.CollectionUtils;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+
+/**
+ * @author Steve Riesenberg
+ */
+public final class RestClientRefreshTokenTokenResponseClient
+		extends AbstractRestClientOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> {
+
+	@Override
+	public OAuth2AccessTokenResponse getTokenResponse(OAuth2RefreshTokenGrantRequest grantRequest) {
+		OAuth2AccessTokenResponse accessTokenResponse = super.getTokenResponse(grantRequest);
+		return populateTokenResponse(grantRequest, accessTokenResponse);
+	}
+
+	@Override
+	MultiValueMap<String, String> createParameters(OAuth2RefreshTokenGrantRequest grantRequest) {
+		MultiValueMap<String, String> parameters = super.createParameters(grantRequest);
+		if (!CollectionUtils.isEmpty(grantRequest.getScopes())) {
+			parameters.add(OAuth2ParameterNames.SCOPE,
+					StringUtils.collectionToDelimitedString(grantRequest.getScopes(), " "));
+		}
+		parameters.set(OAuth2ParameterNames.REFRESH_TOKEN, grantRequest.getRefreshToken().getTokenValue());
+		return parameters;
+	}
+
+	private OAuth2AccessTokenResponse populateTokenResponse(OAuth2RefreshTokenGrantRequest grantRequest,
+			OAuth2AccessTokenResponse accessTokenResponse) {
+		if (!CollectionUtils.isEmpty(accessTokenResponse.getAccessToken().getScopes())
+				&& accessTokenResponse.getRefreshToken() != null) {
+			return accessTokenResponse;
+		}
+		OAuth2AccessTokenResponse.Builder tokenResponseBuilder = OAuth2AccessTokenResponse
+			.withResponse(accessTokenResponse);
+		if (CollectionUtils.isEmpty(accessTokenResponse.getAccessToken().getScopes())) {
+			tokenResponseBuilder.scopes(grantRequest.getAccessToken().getScopes());
+		}
+		if (accessTokenResponse.getRefreshToken() == null) {
+			// Reuse existing refresh token
+			tokenResponseBuilder.refreshToken(grantRequest.getRefreshToken().getTokenValue());
+		}
+		return tokenResponseBuilder.build();
+	}
+
+}