Adding nonce to Authentication Request spring-projects#4442

shazin · Oct 13, 2017 · 77db241 · 77db241
1 parent f184ada
commit 77db241
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 5 deletions.
diff --git a/...rg/springframework/security/oauth2/client/web/AuthorizationCodeRequestRedirectFilter.java b/...rg/springframework/security/oauth2/client/web/AuthorizationCodeRequestRedirectFilter.java
@@ -122,6 +122,8 @@ protected void sendRedirectForAuthorizationCode(HttpServletRequest request, Http
 			throw new IllegalArgumentException("Invalid Client Identifier (Registration Id): " + registrationId);
 		}
 
+		String nonce = request.getParameter(OAuth2Parameter.NONCE);
+
 		String redirectUriStr = this.expandRedirectUri(request, clientRegistration);
 
 		Map<String,Object> additionalParameters = new HashMap<>();
@@ -134,6 +136,7 @@ protected void sendRedirectForAuthorizationCode(HttpServletRequest request, Http
 				.redirectUri(redirectUriStr)
 				.scope(clientRegistration.getScope())
 				.state(this.stateGenerator.generateKey())
+				.nonce(nonce)
 				.additionalParameters(additionalParameters)
 				.build();
 

diff --git a/...n/java/org/springframework/security/oauth2/client/web/AuthorizationRequestUriBuilder.java b/...n/java/org/springframework/security/oauth2/client/web/AuthorizationRequestUriBuilder.java
@@ -32,6 +32,7 @@
  * <li>response type (required)</li>
  * <li>requested scope(s) (optional)</li>
  * <li>state (recommended)</li>
+ * <li>nonce (recommended)</li>
  * <li>redirection URI (optional) - the authorization server will send the user-agent back to once access is granted (or denied) by the end-user (resource owner)</li>
  * </ul>
  *

diff --git a/...org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilder.java b/...org/springframework/security/oauth2/client/web/DefaultAuthorizationRequestUriBuilder.java
@@ -46,7 +46,8 @@ public URI build(AuthorizationRequestAttributes authorizationRequestAttributes)
 				.queryParam(OAuth2Parameter.CLIENT_ID, authorizationRequestAttributes.getClientId())
 				.queryParam(OAuth2Parameter.SCOPE,
 						authorizationRequestAttributes.getScope().stream().collect(Collectors.joining(" ")))
-				.queryParam(OAuth2Parameter.STATE, authorizationRequestAttributes.getState());
+				.queryParam(OAuth2Parameter.STATE, authorizationRequestAttributes.getState())
+				.queryParam(OAuth2Parameter.NONCE, authorizationRequestAttributes.getNonce());
 
 		return uriBuilder.build().encode().toUri();
 	}

diff --git a/...work/security/oauth2/client/web/AuthorizationCodeAuthenticationProcessingFilterTests.java b/...work/security/oauth2/client/web/AuthorizationCodeAuthenticationProcessingFilterTests.java
@@ -105,10 +105,12 @@ public void doFilterWhenAuthorizationCodeSuccessResponseThenAuthenticationSucces
 		MockHttpServletRequest request = this.setupRequest(clientRegistration);
 		String authCode = "some code";
 		String state = "some state";
+		String nonce = "some nonce";
 		request.addParameter(OAuth2Parameter.CODE, authCode);
 		request.addParameter(OAuth2Parameter.STATE, state);
+		request.addParameter(OAuth2Parameter.NONCE, nonce);
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, state);
+		setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, state, nonce);
 		FilterChain filterChain = Mockito.mock(FilterChain.class);
 
 		filter.doFilter(request, response, filterChain);
@@ -155,10 +157,12 @@ public void doFilterWhenAuthorizationCodeSuccessResponseWithInvalidStateParamThe
 		MockHttpServletRequest request = this.setupRequest(clientRegistration);
 		String authCode = "some code";
 		String state = "some other state";
+		String nonce = "some nonce";
 		request.addParameter(OAuth2Parameter.CODE, authCode);
 		request.addParameter(OAuth2Parameter.STATE, state);
+		request.addParameter(OAuth2Parameter.NONCE, nonce);
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, "some state");
+		setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, "some state", nonce);
 		FilterChain filterChain = Mockito.mock(FilterChain.class);
 
 		filter.doFilter(request, response, filterChain);
@@ -180,10 +184,12 @@ public void doFilterWhenAuthorizationCodeSuccessResponseWithInvalidRedirectUriPa
 		request.setRequestURI(request.getRequestURI() + "-other");
 		String authCode = "some code";
 		String state = "some state";
+		String nonce = "some nonce";
 		request.addParameter(OAuth2Parameter.CODE, authCode);
 		request.addParameter(OAuth2Parameter.STATE, state);
+		request.addParameter(OAuth2Parameter.NONCE, nonce);
 		MockHttpServletResponse response = new MockHttpServletResponse();
-		setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, state);
+		setupAuthorizationRequest(authorizationRequestRepository, request, response, clientRegistration, state, nonce);
 		FilterChain filterChain = Mockito.mock(FilterChain.class);
 
 		filter.doFilter(request, response, filterChain);
@@ -230,7 +236,8 @@ private void setupAuthorizationRequest(AuthorizationRequestRepository authorizat
 											HttpServletRequest request,
 											HttpServletResponse response,
 											ClientRegistration clientRegistration,
-											String state) {
+											String state,
+											String nonce) {
 
 		Map<String,Object> additionalParameters = new HashMap<>();
 		additionalParameters.put(OAuth2Parameter.REGISTRATION_ID, clientRegistration.getRegistrationId());
@@ -242,6 +249,7 @@ private void setupAuthorizationRequest(AuthorizationRequestRepository authorizat
 				.redirectUri(clientRegistration.getRedirectUri())
 				.scope(clientRegistration.getScope())
 				.state(state)
+				.nonce(nonce)
 				.additionalParameters(additionalParameters)
 				.build();
 

diff --git a/...ringframework/security/oauth2/client/web/AuthorizationCodeRequestRedirectFilterTests.java b/...ringframework/security/oauth2/client/web/AuthorizationCodeRequestRedirectFilterTests.java
@@ -92,6 +92,7 @@ public void doFilterWhenRequestMatchesClientThenAuthorizationRequestSavedInSessi
 		String requestUri = TestUtil.AUTHORIZATION_BASE_URI + "/" + clientRegistration.getRegistrationId();
 		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
 		request.setServletPath(requestUri);
+		request.addParameter("nonce", "some nonce");
 		MockHttpServletResponse response = new MockHttpServletResponse();
 		FilterChain filterChain = Mockito.mock(FilterChain.class);
 
@@ -111,6 +112,7 @@ public void doFilterWhenRequestMatchesClientThenAuthorizationRequestSavedInSessi
 		Assertions.assertThat(authorizationRequestAttributes.getRedirectUri()).isNotNull();
 		Assertions.assertThat(authorizationRequestAttributes.getScope()).isNotNull();
 		Assertions.assertThat(authorizationRequestAttributes.getState()).isNotNull();
+		Assertions.assertThat(authorizationRequestAttributes.getNonce()).isNotNull();
 	}
 
 	private AuthorizationCodeRequestRedirectFilter setupFilter(String authorizationUri,

diff --git a/...ava/org/springframework/security/oauth2/core/endpoint/AuthorizationRequestAttributes.java b/...ava/org/springframework/security/oauth2/core/endpoint/AuthorizationRequestAttributes.java
@@ -31,6 +31,7 @@
  * for the authorization code grant type or implicit grant type.
  *
  * @author Joe Grandja
+ * @author Shazin Sadakath
  * @since 5.0
  * @see AuthorizationGrantType
  * @see ResponseType
@@ -45,6 +46,7 @@ public final class AuthorizationRequestAttributes implements Serializable {
 	private String redirectUri;
 	private Set<String> scope;
 	private String state;
+	private String nonce;
 	private Map<String,Object> additionalParameters;
 
 	private AuthorizationRequestAttributes() {
@@ -82,6 +84,10 @@ public Map<String, Object> getAdditionalParameters() {
 		return this.additionalParameters;
 	}
 
+	public String getNonce() {
+		return nonce;
+	}
+
 	public static Builder withAuthorizationCode() {
 		return new Builder(AuthorizationGrantType.AUTHORIZATION_CODE);
 	}
@@ -123,6 +129,11 @@ public Builder state(String state) {
 			return this;
 		}
 
+		public Builder nonce(String nonce) {
+			this.authorizationRequest.nonce = nonce;
+			return this;
+		}
+
 		public Builder additionalParameters(Map<String,Object> additionalParameters) {
 			this.authorizationRequest.additionalParameters = additionalParameters;
 			return this;

diff --git a/...core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2Parameter.java b/...core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2Parameter.java
@@ -45,4 +45,6 @@ public interface OAuth2Parameter {
 
 	String REGISTRATION_ID = "registration_id";		// Non-standard additional parameter
 
+	String NONCE = "nonce";
+
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -45,4 +45,6 @@ public interface OAuth2Parameter {

		String REGISTRATION_ID = "registration_id"; // Non-standard additional parameter

		String NONCE = "nonce";

		}