Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement Client Credentials Authentication #72

Closed
wants to merge 1 commit into from
Closed

Implement Client Credentials Authentication #72

wants to merge 1 commit into from

Conversation

pkostrzewa
Copy link

@pkostrzewa pkostrzewa commented Apr 27, 2020
edited
Loading

  • The Filter should process requests for the (default) path /oauth2/token and check if credentials are available in the request.
  • The OAuth2ClientAuthenticationToken should be passed to the AuthenticationManager.
  • The AuthenticationManager should be composed of OAuth2ClientAuthenticationProvider.
  • The OAuth2ClientAuthenticationProvider should use the RegisteredClientRepository.
  • The RegisteredClient should be returned in a new OAuth2ClientAuthenticationToken if the authentication succeeds.
  • The Filter should save the OAuth2ClientAuthenticationToken in the SecurityContext.
  • Add javadoc for class and public methods.
  • Unit tests.

The ClientAuthenticationConverter is based on BasicAuthenticationFilter.

Fixes #39 .

@pkostrzewa
Copy link
Author

pkostrzewa commented Apr 27, 2020
edited
Loading

@jgrandja Few questions:

  • Should AuthenticationSuccessHandler and AuthenticationFailureHandler be used in early implementation?
  • Should RequestMatcher be used to check if request matches or simply checking the request URI is currently enough?

@pkostrzewa
Copy link
Author

pkostrzewa commented Apr 28, 2020
edited
Loading

@jgrandja Could you please elaborate?

The AuthenticationManager should be composed of OAuth2ClientAuthenticationProvider

Isn't OAuth2ClientAuthenticationProvider automatically registered in AuthenticationManager? If not, what should be done to register a provider?

jgrandja
jgrandja requested changes Apr 29, 2020
View reviewed changes
Copy link
Collaborator

@jgrandja jgrandja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @pkostrzewa. Please see my review comments.

.../security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationProvider.java Outdated Show resolved Hide resolved
.../security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationProvider.java Outdated Show resolved Hide resolved
.../security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationProvider.java Outdated Show resolved Hide resolved
...ork/security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationToken.java Outdated Show resolved Hide resolved
.../security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationProvider.java Outdated Show resolved Hide resolved
...ringframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java Outdated Show resolved Hide resolved
...ringframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java Show resolved Hide resolved
.../springframework/security/oauth2/server/authorization/web/ClientAuthenticationConverter.java Outdated Show resolved Hide resolved
.../springframework/security/oauth2/server/authorization/web/ClientAuthenticationConverter.java Outdated Show resolved Hide resolved
.../springframework/security/oauth2/server/authorization/web/ClientAuthenticationConverter.java Outdated Show resolved Hide resolved
@jgrandja
Copy link
Collaborator

@pkostrzewa

Isn't OAuth2ClientAuthenticationProvider automatically registered in AuthenticationManager?

Yes, it will be in a later story. Nothing to do as far as this issue goes. I was simply stating the runtime expectations. I updated the main issue to be clear.

@jgrandja jgrandja self-assigned this Apr 29, 2020
@jgrandja jgrandja added the type: enhancement A general enhancement label Apr 29, 2020
@pkostrzewa
Copy link
Author

@jgrandja

Thanks for the review! I will update the PR with your comments later on today.

@pkostrzewa
Copy link
Author

@jgrandja I've updated the PR. There are still missing tests and documentation and I will provide both as soon as I can.

@pkostrzewa pkostrzewa requested a review from jgrandja May 1, 2020 13:55
jgrandja
jgrandja requested changes May 6, 2020
View reviewed changes
Copy link
Collaborator

@jgrandja jgrandja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @pkostrzewa. Please see my review comments.

For the next update, can you please rebase on master and avoid merge commits. And after you add all the tests please change the Draft to Ready and I think we'll be close to merging.

...ringframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java Outdated Show resolved Hide resolved
...ringframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java Outdated Show resolved Hide resolved
...ringframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java Show resolved Hide resolved
...ringframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java Outdated Show resolved Hide resolved
...gframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationConverter.java Outdated Show resolved Hide resolved
...th2/server/authorization/authentication/DefaultOAuth2ClientAuthenticationSuccessHandler.java Outdated Show resolved Hide resolved
...th2/server/authorization/authentication/DefaultOAuth2ClientAuthenticationFailureHandler.java Outdated Show resolved Hide resolved
...th2/server/authorization/authentication/DefaultOAuth2ClientAuthenticationFailureHandler.java Outdated Show resolved Hide resolved
...ework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationConverterTests.java Outdated Show resolved Hide resolved
@pkostrzewa
Copy link
Author

Thanks for the review @jgrandja. I will update the PR soon.

@jgrandja jgrandja mentioned this pull request May 8, 2020
Closed
9 tasks
@pkostrzewa
Copy link
Author

For the next update, can you please rebase on master and avoid merge commits. And after you add all the tests please change the Draft to Ready and I think we'll be close to merging.

Do you mean I should squash all commits from this PR into single one?

@jgrandja
Copy link
Collaborator

@pkostrzewa Yes please squash to 1 commit and rebase on latest master.

@pkostrzewa pkostrzewa marked this pull request as ready for review May 24, 2020 17:27
@pkostrzewa
Copy link
Author

I've added missing tests and rebased on top of the master branch.

If there will be any changes requested I can address them next wednesday at earliest.

@pkostrzewa pkostrzewa requested a review from jgrandja May 25, 2020 11:20
anoopgarlapati
anoopgarlapati reviewed May 26, 2020
View reviewed changes
...ork/security/oauth2/server/authorization/web/DefaultOAuth2ClientAuthenticationConverter.java
if (credentials.length != 2) {
throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN));
}
return new OAuth2ClientAuthenticationToken(credentials[0], credentials[1]);
Copy link
Contributor

@anoopgarlapati anoopgarlapati May 26, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pkostrzewa cc: @jgrandja
As per RFC 6749 - section 2.3.1, the client identifier and client password are further encoded using application/x-www-form-urlencoded encoding algorithm and then used as username and password in HTTP Basic Authentication Scheme.

The client identifier is encoded using the
"application/x-www-form-urlencoded" encoding algorithm per
Appendix B, and the encoded value is used as the username; the client
password is encoded using the same algorithm and used as the
password.

There is an issue already logged in legacy oauth2 project spring-attic/spring-security-oauth#1826 and we should implement this according to specification in this project.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@anoopgarlapati
Although RFC 6749 - section 2.3.1, indeed does say:

The client identifier is encoded using the
"application/x-www-form-urlencoded" encoding algorithm per
Appendix B, and the encoded value is used as the username; the client
password is encoded using the same algorithm and used as the
password.

It further states:

Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). the parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.

The authorization server MUST require the of TLS as described in Section 1.6 when sending requests using password authentication.

Since this client authentication method involves a password, the authorization server MUST protect any endpoint utilizing it against brute force attacks.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Those sections do not contradict each other. The encoding needs to be applied when using Basic authentication.

@jgrandja jgrandja added this to the 0.0.1 milestone Jun 2, 2020
@jgrandja jgrandja added the status: duplicate A duplicate of another issue label Jun 2, 2020
jgrandja added a commit that referenced this pull request Jun 2, 2020
@jgrandja
Polish gh-72
7a5585f
@jgrandja
Copy link
Collaborator

jgrandja commented Jun 2, 2020

Thank you for all the updates @pkostrzewa !

Overall, the implementation looked good, however, I did add a polish commit in order to get this merged.

Please take a look at the changes applied in the polish commit and let me know if you have any questions.

Thank you again and I look forward to another contribution 👍

@jgrandja jgrandja closed this Jun 2, 2020
@pkostrzewa pkostrzewa deleted the gh-39 branch June 2, 2020 13:29
@jgrandja jgrandja mentioned this pull request Jun 15, 2020
Closed
@jzheaux jzheaux mentioned this pull request Apr 16, 2021
Closed
@petergphillips petergphillips mentioned this pull request Jul 5, 2021
Closed
doba16 pushed a commit to doba16/spring-authorization-server that referenced this pull request Apr 21, 2023
@jgrandja
Polish spring-projectsgh-72
0ec5b21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@krisztian-toth krisztian-toth krisztian-toth left review comments

@anoopgarlapati anoopgarlapati anoopgarlapati left review comments

@dfcoffin dfcoffin dfcoffin left review comments

@OrangeDog OrangeDog OrangeDog left review comments

@Captain-P-Goldfish Captain-P-Goldfish Captain-P-Goldfish requested changes

@jgrandja jgrandja Awaiting requested review from jgrandja

Assignees

@jgrandja jgrandja

Labels
status: duplicate A duplicate of another issue type: enhancement A general enhancement
Projects
None yet
Milestone
0.0.1
Development

Successfully merging this pull request may close these issues.

Implement Client Authentication
7 participants
@pkostrzewa @jgrandja @OrangeDog @dfcoffin @Captain-P-Goldfish @anoopgarlapati @krisztian-toth