diff --git a/docs/modules/ROOT/pages/servlet/oauth2/client/client-authentication.adoc b/docs/modules/ROOT/pages/servlet/oauth2/client/client-authentication.adoc index c9fe6e27d29..b3dcfb16d5e 100644 --- a/docs/modules/ROOT/pages/servlet/oauth2/client/client-authentication.adoc +++ b/docs/modules/ROOT/pages/servlet/oauth2/client/client-authentication.adoc @@ -92,7 +92,9 @@ val tokenResponseClient = DefaultAuthorizationCodeTokenResponseClient() tokenResponseClient.setRequestEntityConverter(requestEntityConverter) ---- ====== - +[NOTE] +If you're using the `client-authentication-method: client_secret_basic` and you need to skip URL encoding, +create a new `DefaultOAuth2TokenRequestHeadersConverter` and set it in the Request Entity Converter above. === Authenticate using `client_secret_jwt` diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractOAuth2AuthorizationGrantRequestEntityConverter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractOAuth2AuthorizationGrantRequestEntityConverter.java index 1c853d6c3c7..b36f11d306e 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractOAuth2AuthorizationGrantRequestEntityConverter.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/AbstractOAuth2AuthorizationGrantRequestEntityConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -42,11 +42,7 @@ abstract class AbstractOAuth2AuthorizationGrantRequestEntityConverter implements Converter> { - // @formatter:off - private Converter headersConverter = - (authorizationGrantRequest) -> OAuth2AuthorizationGrantRequestEntityUtils - .getTokenRequestHeaders(authorizationGrantRequest.getClientRegistration()); - // @formatter:on + private Converter headersConverter = new DefaultOAuth2TokenRequestHeadersConverter<>(); private Converter> parametersConverter = this::createParameters; diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultOAuth2TokenRequestHeadersConverter.java similarity index 57% rename from oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java rename to oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultOAuth2TokenRequestHeadersConverter.java index ba82a9466c8..44c8160ee29 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2AuthorizationGrantRequestEntityUtils.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultOAuth2TokenRequestHeadersConverter.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2022 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -16,10 +16,9 @@ package org.springframework.security.oauth2.client.endpoint; -import java.io.UnsupportedEncodingException; import java.net.URLEncoder; -import java.nio.charset.StandardCharsets; import java.util.Collections; +import java.nio.charset.StandardCharsets; import org.springframework.core.convert.converter.Converter; import org.springframework.http.HttpHeaders; @@ -28,51 +27,53 @@ import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.core.ClientAuthenticationMethod; + /** - * Utility methods used by the {@link Converter}'s that convert from an implementation of - * an {@link AbstractOAuth2AuthorizationGrantRequest} to a {@link RequestEntity} - * representation of an OAuth 2.0 Access Token Request for the specific Authorization - * Grant. + * Default Converter used by the {@link OAuth2AuthorizationCodeGrantRequestEntityConverter} + * that convert from an implementation of an {@link AbstractOAuth2AuthorizationGrantRequest} + * to a {@link RequestEntity} representation of an OAuth 2.0 Access Token Request for the + * specific Authorization Grant. * + * @author Peter Eastham * @author Joe Grandja - * @since 5.1 - * @see OAuth2AuthorizationCodeGrantRequestEntityConverter + * @since 6.3 * @see OAuth2ClientCredentialsGrantRequestEntityConverter */ -final class OAuth2AuthorizationGrantRequestEntityUtils { +public class DefaultOAuth2TokenRequestHeadersConverter + implements Converter { - private static HttpHeaders DEFAULT_TOKEN_REQUEST_HEADERS = getDefaultTokenRequestHeaders(); + private static final HttpHeaders DEFAULT_TOKEN_HEADERS = getDefaultTokenRequestHeaders(); + private boolean encodeClientCredentials = true; - private OAuth2AuthorizationGrantRequestEntityUtils() { + private static HttpHeaders getDefaultTokenRequestHeaders() { + HttpHeaders headers = new HttpHeaders(); + headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8)); + final MediaType contentType = MediaType.valueOf(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8"); + headers.setContentType(contentType); + return headers; } - static HttpHeaders getTokenRequestHeaders(ClientRegistration clientRegistration) { + + @Override + public HttpHeaders convert(T source) { HttpHeaders headers = new HttpHeaders(); - headers.addAll(DEFAULT_TOKEN_REQUEST_HEADERS); + headers.addAll(DEFAULT_TOKEN_HEADERS); + ClientRegistration clientRegistration = source.getClientRegistration(); if (ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(clientRegistration.getClientAuthenticationMethod())) { - String clientId = encodeClientCredential(clientRegistration.getClientId()); - String clientSecret = encodeClientCredential(clientRegistration.getClientSecret()); + String clientId = this.encodeClientCredentials ? + encodeClientCredential(clientRegistration.getClientId()) : clientRegistration.getClientId(); + String clientSecret = this.encodeClientCredentials ? + encodeClientCredential(clientRegistration.getClientSecret()) : clientRegistration.getClientSecret(); headers.setBasicAuth(clientId, clientSecret); } return headers; } private static String encodeClientCredential(String clientCredential) { - try { - return URLEncoder.encode(clientCredential, StandardCharsets.UTF_8.toString()); - } - catch (UnsupportedEncodingException ex) { - // Will not happen since UTF-8 is a standard charset - throw new IllegalArgumentException(ex); - } + return URLEncoder.encode(clientCredential, StandardCharsets.UTF_8); } - private static HttpHeaders getDefaultTokenRequestHeaders() { - HttpHeaders headers = new HttpHeaders(); - headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON_UTF8)); - final MediaType contentType = MediaType.valueOf(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8"); - headers.setContentType(contentType); - return headers; + public void setEncodeClientCredentials(boolean encodeClientCredentials) { + this.encodeClientCredentials = encodeClientCredentials; } - } diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverterTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverterTests.java index d884559f733..28058732e5f 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverterTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -110,9 +110,11 @@ public void convertWhenParametersConverterSetThenCalled() { @SuppressWarnings("unchecked") @Test public void convertWhenGrantRequestValidThenConverts() { - ClientRegistration clientRegistration = TestClientRegistrations.password().build(); + ClientRegistration clientRegistration = TestClientRegistrations.password().clientId("clientId").clientSecret("clientSecret=").build(); OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration, "user1", "password"); + Converter headersConverter = new DefaultOAuth2TokenRequestHeadersConverter<>(); + this.converter.setHeadersConverter(headersConverter); RequestEntity requestEntity = this.converter.convert(passwordGrantRequest); assertThat(requestEntity.getMethod()).isEqualTo(HttpMethod.POST); assertThat(requestEntity.getUrl().toASCIIString()) @@ -121,7 +123,7 @@ public void convertWhenGrantRequestValidThenConverts() { assertThat(headers.getAccept()).contains(MediaType.APPLICATION_JSON_UTF8); assertThat(headers.getContentType()) .isEqualTo(MediaType.valueOf(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8")); - assertThat(headers.getFirst(HttpHeaders.AUTHORIZATION)).startsWith("Basic "); + assertThat(headers.getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Basic Y2xpZW50SWQ6Y2xpZW50U2VjcmV0JTNE"); MultiValueMap formParameters = (MultiValueMap) requestEntity.getBody(); assertThat(formParameters.getFirst(OAuth2ParameterNames.GRANT_TYPE)) .isEqualTo(AuthorizationGrantType.PASSWORD.getValue()); @@ -130,4 +132,29 @@ public void convertWhenGrantRequestValidThenConverts() { assertThat(formParameters.getFirst(OAuth2ParameterNames.SCOPE)).contains(clientRegistration.getScopes()); } + @SuppressWarnings("unchecked") + @Test + public void convertWhenGrantRequestValidThenConvertsWithoutUrlEncoding() { + ClientRegistration clientRegistration = TestClientRegistrations.password().clientId("clientId").clientSecret("clientSecret=").build(); + OAuth2PasswordGrantRequest passwordGrantRequest = new OAuth2PasswordGrantRequest(clientRegistration, "user1", + "password="); + var headersConverter = new DefaultOAuth2TokenRequestHeadersConverter(); + headersConverter.setEncodeClientCredentials(false); + this.converter.setHeadersConverter(headersConverter); + RequestEntity requestEntity = this.converter.convert(passwordGrantRequest); + assertThat(requestEntity.getMethod()).isEqualTo(HttpMethod.POST); + assertThat(requestEntity.getUrl().toASCIIString()) + .isEqualTo(clientRegistration.getProviderDetails().getTokenUri()); + HttpHeaders headers = requestEntity.getHeaders(); + assertThat(headers.getAccept()).contains(MediaType.APPLICATION_JSON_UTF8); + assertThat(headers.getContentType()) + .isEqualTo(MediaType.valueOf(MediaType.APPLICATION_FORM_URLENCODED_VALUE + ";charset=UTF-8")); + assertThat(headers.getFirst(HttpHeaders.AUTHORIZATION)).isEqualTo("Basic Y2xpZW50SWQ6Y2xpZW50U2VjcmV0PQ=="); + MultiValueMap formParameters = (MultiValueMap) requestEntity.getBody(); + assertThat(formParameters.getFirst(OAuth2ParameterNames.GRANT_TYPE)) + .isEqualTo(AuthorizationGrantType.PASSWORD.getValue()); + assertThat(formParameters.getFirst(OAuth2ParameterNames.USERNAME)).isEqualTo("user1"); + assertThat(formParameters.getFirst(OAuth2ParameterNames.PASSWORD)).isEqualTo("password="); + assertThat(formParameters.getFirst(OAuth2ParameterNames.SCOPE)).contains(clientRegistration.getScopes()); + } }