diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
index 5e5cf2806..9da4ea4ae 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java
@@ -39,7 +39,6 @@
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
-import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
@@ -57,9 +56,7 @@
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.util.RedirectUrlBuilder;
 import org.springframework.security.web.util.UrlUtils;
-import org.springframework.security.web.util.matcher.AndRequestMatcher;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
-import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
@@ -151,20 +148,8 @@ private static RequestMatcher createDefaultRequestMatcher(String authorizationEn
 HttpMethod.GET.name());
 RequestMatcher authorizationRequestPostMatcher = new AntPathRequestMatcher(authorizationEndpointUri,
 HttpMethod.POST.name());
- RequestMatcher openidScopeMatcher = (request) -> {
- String scope = request.getParameter(OAuth2ParameterNames.SCOPE);
- return StringUtils.hasText(scope) && scope.contains(OidcScopes.OPENID);
- };
- RequestMatcher responseTypeParameterMatcher = (
- request) -> request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null;
-
- RequestMatcher authorizationRequestMatcher = new OrRequestMatcher(authorizationRequestGetMatcher,
- new AndRequestMatcher(authorizationRequestPostMatcher, responseTypeParameterMatcher,
- openidScopeMatcher));
- RequestMatcher authorizationConsentMatcher = new AndRequestMatcher(authorizationRequestPostMatcher,
- new NegatedRequestMatcher(responseTypeParameterMatcher));
-
- return new OrRequestMatcher(authorizationRequestMatcher, authorizationConsentMatcher);
+
+ return new OrRequestMatcher(authorizationRequestGetMatcher, authorizationRequestPostMatcher);
 }
 @Override
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
index c574d6153..521ddd400 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
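Review bot: The simplified matcher at `return new OrRequestMatcher(authorizationRequestGetMatcher, authorizationRequestPostMatcher);` no longer expresses that a POST to the endpoint can be either an authorization request or a consent submission, and the commit adds no comment saying where that distinction now lives. Before this change the matcher itself kept consent POSTs (no `response_type`) on a separate path; now every GET and POST is admitted here and the routing appears to rest on the converters' `response_type` checks, which are outside this hunk. A reader of this method alone cannot see that, so I would add above the return: `// Accept every GET/POST to the endpoint; authorization requests and consent submissions are distinguished downstream by the presence of the response_type parameter.` The body of createDefaultRequestMatcher starts outside the hunk.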
@@ -64,11 +64,11 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationConverter impleme
 private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken("anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
- private static final RequestMatcher OIDC_REQUEST_MATCHER = createOidcRequestMatcher();
+ private static final RequestMatcher POST_WITH_RESPONSE_TYPE_REQUEST_MATCHER = createPostWithResponseTypeRequestMatcher();
 @Override
 public Authentication convert(HttpServletRequest request) {
- if (!"GET".equals(request.getMethod()) && !OIDC_REQUEST_MATCHER.matches(request)) {
+ if (!"GET".equals(request.getMethod()) && !POST_WITH_RESPONSE_TYPE_REQUEST_MATCHER.matches(request)) {
 return null;
 }
@@ -153,15 +153,11 @@ else if (!responseType.equals(OAuth2AuthorizationResponseType.CODE.getValue()))
 state, scopes, additionalParameters);
 }
- private static RequestMatcher createOidcRequestMatcher() {
+ private static RequestMatcher createPostWithResponseTypeRequestMatcher() {
 RequestMatcher postMethodMatcher = (request) -> "POST".equals(request.getMethod());
 RequestMatcher responseTypeParameterMatcher = (
 request) -> request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null;
- RequestMatcher openidScopeMatcher = (request) -> {
- String scope = request.getParameter(OAuth2ParameterNames.SCOPE);
- return StringUtils.hasText(scope) && scope.contains(OidcScopes.OPENID);
- };
- return new AndRequestMatcher(postMethodMatcher, responseTypeParameterMatcher, openidScopeMatcher);
+ return new AndRequestMatcher(postMethodMatcher, responseTypeParameterMatcher);
 }
 private static void throwError(String errorCode, String parameterName) {
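Review bot: `createPostWithResponseTypeRequestMatcher` now makes the mere presence of a `response_type` parameter (`!= null`, so an empty value counts) the only thing that turns a POST into an authorization request for every client, not just those asking for `openid`, yet neither this method nor the renamed constant in the first hunk documents that it is the discriminator between an authorization POST and a consent POST. Because `request.getParameter` for a POST reads the query string and the form body alike, a consent submission that happens to carry `response_type` would be routed here rather than to the consent converter, which is outside this diff so I cannot confirm how it guards against that. I would add a Javadoc to the method stating that it matches a POST carrying any `response_type` parameter, that this is what separates authorization requests from consent submissions on the shared endpoint, and that the `openid` scope is no longer required; the constant should get a one-line comment with the same contract. The enclosing class continues outside both hunks.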
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
index 4a7494708..ada590fd4 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java
@@ -611,11 +611,7 @@ public void doFilterWhenAuthorizationRequestAuthenticatedThenAuthorizationRespon
 @Test
 public void doFilterWhenAuthenticationRequestAuthenticatedThenAuthorizationResponse() throws Exception {
- // Setup OpenID Connect request
- RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scopes((scopes) -> {
- scopes.clear();
- scopes.add(OidcScopes.OPENID);
- }).build();
+ RegisteredClient registeredClient = TestRegisteredClients.registeredClient().scopes(Set::clear).build();
 OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthenticationResult = new OAuth2AuthorizationCodeRequestAuthenticationToken(
 AUTHORIZATION_URI, registeredClient.getClientId(), this.principal, this.authorizationCode,
 registeredClient.getRedirectUris().iterator().next(), STATE, registeredClient.getScopes());
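Review bot: The test is still named `doFilterWhenAuthenticationRequestAuthenticatedThenAuthorizationResponse`, which uses the OpenID Connect term "Authentication Request", but the new `scopes(Set::clear)` setup builds a client with no `openid` scope and the removed comment was the only statement of what the POST variant verifies. I would rename it along the lines of `doFilterWhenAuthorizationRequestPostAuthenticatedThenAuthorizationResponse`, or at least restore the intent as a comment on the `request.setMethod("POST");` line in the next hunk, e.g. `// POST authorization requests are accepted for any client, not only OpenID Connect`. If no other test already does so, a companion case sending a POST without `response_type` would pin that such requests still take the consent path now that the filter's matcher no longer separates them. The test method continues outside this hunk.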
@@ -623,7 +619,7 @@ public void doFilterWhenAuthenticationRequestAuthenticatedThenAuthorizationRespo
 given(this.authenticationManager.authenticate(any())).willReturn(authorizationCodeRequestAuthenticationResult);
 MockHttpServletRequest request = createAuthorizationRequest(registeredClient);
- request.setMethod("POST"); // OpenID Connect supports POST method
+ request.setMethod("POST");
 request.setQueryString(null);
 MockHttpServletResponse response = new MockHttpServletResponse();
 FilterChain filterChain = mock(FilterChain.class);