Introduce OAuth2AuthorizedClientManager

- spring-projects#73 Introduce OAuth2AuthorizedClientManager
- spring-projects#74 Integrate OAuth2AuthorizedClientManager with OAuth2AuthorizedClientProvider(s)
- spring-projects#81 Add builder for OAuth2AuthorizedClientProvider

Author: jgrandja

config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java

@@ -20,14 +20,12 @@
 import org.springframework.context.annotation.Import;
 import org.springframework.context.annotation.ImportSelector;
 import org.springframework.core.type.AnnotationMetadata;
-import org.springframework.security.oauth2.client.AuthorizationCodeOAuth2AuthorizedClientProvider;
-import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
-import org.springframework.security.oauth2.client.DefaultOAuth2AuthorizedClientProvider;
-import org.springframework.security.oauth2.client.DelegatingOAuth2AuthorizedClientProvider;
-import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.client.web.method.annotation.OAuth2AuthorizedClientArgumentResolver;
 import org.springframework.util.ClassUtils;
@@ -77,21 +75,16 @@ public void addArgumentResolvers(List<HandlerMethodArgumentResolver> argumentRes
 						new OAuth2AuthorizedClientArgumentResolver(
 								this.clientRegistrationRepository, this.authorizedClientRepository);
 				if (this.accessTokenResponseClient != null) {
-					ClientCredentialsOAuth2AuthorizedClientProvider clientCredentialsAuthorizedClientProvider =
-							new ClientCredentialsOAuth2AuthorizedClientProvider(
-									this.clientRegistrationRepository, this.authorizedClientRepository);
-					clientCredentialsAuthorizedClientProvider.setAccessTokenResponseClient(this.accessTokenResponseClient);
-					AuthorizationCodeOAuth2AuthorizedClientProvider authorizationCodeAuthorizedClientProvider =
-							new AuthorizationCodeOAuth2AuthorizedClientProvider(
-									this.clientRegistrationRepository, this.authorizedClientRepository);
-					RefreshTokenOAuth2AuthorizedClientProvider refreshTokenAuthorizedClientProvider =
-							new RefreshTokenOAuth2AuthorizedClientProvider(
-									this.clientRegistrationRepository, this.authorizedClientRepository);
-					DelegatingOAuth2AuthorizedClientProvider authorizedClientProvider = new DelegatingOAuth2AuthorizedClientProvider(
-							authorizationCodeAuthorizedClientProvider, refreshTokenAuthorizedClientProvider, clientCredentialsAuthorizedClientProvider);
-					authorizedClientProvider.setDefaultAuthorizedClientProvider(
-							new DefaultOAuth2AuthorizedClientProvider(this.clientRegistrationRepository, this.authorizedClientRepository));
-					authorizedClientArgumentResolver.setAuthorizedClientProvider(authorizedClientProvider);
+					OAuth2AuthorizedClientProvider authorizedClientProvider =
+							OAuth2AuthorizedClientProviderBuilder.withProvider()
+									.authorizationCode()
+									.refreshToken()
+									.clientCredentials(configurer -> configurer.accessTokenResponseClient(this.accessTokenResponseClient))
+									.build();
+					DefaultOAuth2AuthorizedClientManager authorizedClientManager = new DefaultOAuth2AuthorizedClientManager(
+							this.clientRegistrationRepository, this.authorizedClientRepository);
+					authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+					authorizedClientArgumentResolver.setAuthorizedClientManager(authorizedClientManager);
 				}
 				argumentResolvers.add(authorizedClientArgumentResolver);
 			}

config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfigurationTests.java

@@ -75,6 +75,7 @@ public void requestWhenAuthorizedClientFoundThenMethodArgumentResolved() throws
 
 		OAuth2AuthorizedClientRepository authorizedClientRepository = mock(OAuth2AuthorizedClientRepository.class);
 		OAuth2AuthorizedClient authorizedClient = mock(OAuth2AuthorizedClient.class);
+		when(authorizedClient.getClientRegistration()).thenReturn(clientRegistration);
 		when(authorizedClientRepository.loadAuthorizedClient(
 				eq(clientRegistrationId), eq(authentication), any(HttpServletRequest.class)))
 				.thenReturn(authorizedClient);

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/AuthorizationCodeOAuth2AuthorizedClientProvider.java

@@ -17,14 +17,9 @@
 
 import org.springframework.lang.Nullable;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
-import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.util.Assert;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
 /**
  * An implementation of an {@link OAuth2AuthorizedClientProvider}
  * for the {@link AuthorizationGrantType#AUTHORIZATION_CODE authorization_code} grant.
@@ -34,38 +29,16 @@
  * @see OAuth2AuthorizedClientProvider
  */
 public final class AuthorizationCodeOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
-	private static final String HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME = HttpServletRequest.class.getName();
-	private static final String HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME = HttpServletResponse.class.getName();
-	private final ClientRegistrationRepository clientRegistrationRepository;
-	private final OAuth2AuthorizedClientRepository authorizedClientRepository;
 
-	/**
-	 * Constructs an {@code AuthorizationCodeOAuth2AuthorizedClientProvider} using the provided parameters.
-	 *
-	 * @param clientRegistrationRepository the repository of client registrations
-	 * @param authorizedClientRepository the repository of authorized clients
-	 */
-	public AuthorizationCodeOAuth2AuthorizedClientProvider(ClientRegistrationRepository clientRegistrationRepository,
-															OAuth2AuthorizedClientRepository authorizedClientRepository) {
-		Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
-		Assert.notNull(authorizedClientRepository, "authorizedClientRepository cannot be null");
-		this.clientRegistrationRepository = clientRegistrationRepository;
-		this.authorizedClientRepository = authorizedClientRepository;
+	public AuthorizationCodeOAuth2AuthorizedClientProvider() {
 	}
 
 	/**
-	 * Attempt to authorize the {@link OAuth2AuthorizationContext#getClientRegistrationId() client} in the provided {@code context}.
+	 * Attempt to authorize the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}.
 	 * Returns {@code null} if authorization is not supported,
 	 * e.g. the client's {@link ClientRegistration#getAuthorizationGrantType() authorization grant type}
 	 * is not {@link AuthorizationGrantType#AUTHORIZATION_CODE authorization_code} OR the client is already authorized.
 	 *
-	 * <p>
-	 * The following {@link OAuth2AuthorizationContext#getAttributes() context attributes} are supported:
-	 * <ol>
-	 *  <li>{@code "javax.servlet.http.HttpServletRequest"} (required) - the {@code HttpServletRequest}</li>
-	 *  <li>{@code "javax.servlet.http.HttpServletResponse"} (required) - the {@code HttpServletResponse}</li>
-	 * </ol>
-	 *
 	 * @param context the context that holds authorization-specific state for the client
 	 * @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization is not supported
 	 */
@@ -74,26 +47,11 @@ public AuthorizationCodeOAuth2AuthorizedClientProvider(ClientRegistrationReposit
 	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 
-		HttpServletRequest request = context.getAttribute(HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME);
-		HttpServletResponse response = context.getAttribute(HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME);
-		Assert.notNull(request, "The context attribute cannot be null '" + HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME + "'");
-		Assert.notNull(response, "The context attribute cannot be null '" + HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME + "'");
-
-		String clientRegistrationId = context.getClientRegistrationId();
-		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(clientRegistrationId);
-		Assert.notNull(clientRegistration, "Could not find ClientRegistration with id '" + clientRegistrationId + "'");
-
-		if (!AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
-			return null;
-		}
-
-		OAuth2AuthorizedClient authorizedClient = this.authorizedClientRepository.loadAuthorizedClient(
-				clientRegistrationId, context.getPrincipal(), request);
-		if (authorizedClient == null) {
+		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(context.getClientRegistration().getAuthorizationGrantType()) &&
+				context.getAuthorizedClient() == null) {
 			// ClientAuthorizationRequiredException is caught by OAuth2AuthorizationRequestRedirectFilter which initiates authorization
-			throw new ClientAuthorizationRequiredException(clientRegistrationId);
+			throw new ClientAuthorizationRequiredException(context.getClientRegistration().getRegistrationId());
 		}
-
 		return null;
 	}
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProvider.java

@@ -20,15 +20,11 @@
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
-import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
-import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.core.AbstractOAuth2Token;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
 import org.springframework.util.Assert;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.time.Duration;
 import java.time.Instant;
 
@@ -42,42 +38,20 @@
  * @see DefaultClientCredentialsTokenResponseClient
  */
 public final class ClientCredentialsOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
-	private static final String HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME = HttpServletRequest.class.getName();
-	private static final String HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME = HttpServletResponse.class.getName();
-	private final ClientRegistrationRepository clientRegistrationRepository;
-	private final OAuth2AuthorizedClientRepository authorizedClientRepository;
 	private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient =
 			new DefaultClientCredentialsTokenResponseClient();
 	private Duration clockSkew = Duration.ofSeconds(60);
 
-	/**
-	 * Constructs a {@code ClientCredentialsOAuth2AuthorizedClientProvider} using the provided parameters.
-	 *
-	 * @param clientRegistrationRepository the repository of client registrations
-	 * @param authorizedClientRepository the repository of authorized clients
-	 */
-	public ClientCredentialsOAuth2AuthorizedClientProvider(ClientRegistrationRepository clientRegistrationRepository,
-															OAuth2AuthorizedClientRepository authorizedClientRepository) {
-		Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
-		Assert.notNull(authorizedClientRepository, "authorizedClientRepository cannot be null");
-		this.clientRegistrationRepository = clientRegistrationRepository;
-		this.authorizedClientRepository = authorizedClientRepository;
+	public ClientCredentialsOAuth2AuthorizedClientProvider() {
 	}
 
 	/**
-	 * Attempt to authorize (or re-authorize) the {@link OAuth2AuthorizationContext#getClientRegistrationId() client} in the provided {@code context}.
+	 * Attempt to authorize (or re-authorize) the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}.
 	 * Returns {@code null} if authorization (or re-authorization) is not supported,
 	 * e.g. the client's {@link ClientRegistration#getAuthorizationGrantType() authorization grant type}
 	 * is not {@link AuthorizationGrantType#CLIENT_CREDENTIALS client_credentials} OR
 	 * the {@link OAuth2AuthorizedClient#getAccessToken() access token} is not expired.
 	 *
-	 * <p>
-	 * The following {@link OAuth2AuthorizationContext#getAttributes() context attributes} are supported:
-	 * <ol>
-	 *  <li>{@code "javax.servlet.http.HttpServletRequest"} (required) - the {@code HttpServletRequest}</li>
-	 *  <li>{@code "javax.servlet.http.HttpServletResponse"} (required) - the {@code HttpServletResponse}</li>
-	 * </ol>
-	 *
 	 * @param context the context that holds authorization-specific state for the client
 	 * @return the {@link OAuth2AuthorizedClient} or {@code null} if authorization (or re-authorization) is not supported
 	 */
@@ -86,22 +60,10 @@ public ClientCredentialsOAuth2AuthorizedClientProvider(ClientRegistrationReposit
 	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		Assert.notNull(context, "context cannot be null");
 
-		HttpServletRequest request = context.getAttribute(HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME);
-		HttpServletResponse response = context.getAttribute(HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME);
-		Assert.notNull(request, "The context attribute cannot be null '" + HTTP_SERVLET_REQUEST_ATTRIBUTE_NAME + "'");
-		Assert.notNull(response, "The context attribute cannot be null '" + HTTP_SERVLET_RESPONSE_ATTRIBUTE_NAME + "'");
-
-		String clientRegistrationId = context.getClientRegistrationId();
-		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(clientRegistrationId);
-		Assert.notNull(clientRegistration, "Could not find ClientRegistration with id '" + clientRegistrationId + "'");
-
-		if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType())) {
-			return null;
-		}
-
-		OAuth2AuthorizedClient authorizedClient = this.authorizedClientRepository.loadAuthorizedClient(
-				clientRegistrationId, context.getPrincipal(), request);
-		if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) {
+		ClientRegistration clientRegistration = context.getClientRegistration();
+		OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient();
+		if (!AuthorizationGrantType.CLIENT_CREDENTIALS.equals(clientRegistration.getAuthorizationGrantType()) ||
+				(authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken()))) {
 			return null;
 		}
 
@@ -117,13 +79,7 @@ public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 		OAuth2AccessTokenResponse tokenResponse =
 				this.accessTokenResponseClient.getTokenResponse(clientCredentialsGrantRequest);
 
-		authorizedClient = new OAuth2AuthorizedClient(
-				clientRegistration, context.getPrincipal().getName(), tokenResponse.getAccessToken());
-
-		this.authorizedClientRepository.saveAuthorizedClient(
-				authorizedClient, context.getPrincipal(), request, response);
-
-		return authorizedClient;
+		return new OAuth2AuthorizedClient(clientRegistration, context.getPrincipal().getName(), tokenResponse.getAccessToken());
 	}
 
 	private boolean hasTokenExpired(AbstractOAuth2Token token) {