From 8edbc26b18570be4a10a98c733a8d1d73f3ded9a Mon Sep 17 00:00:00 2001 From: Joe Grandja <10884212+jgrandja@users.noreply.github.com> Date: Thu, 12 Sep 2024 06:44:15 -0400 Subject: [PATCH] Add convenience method for invalidating an OAuth2Token Closes gh-1717 --- .../authorization/OAuth2Authorization.java | 30 +++++++++++++++-- .../OAuth2AuthenticationProviderUtils.java | 32 +------------------ ...thorizationCodeAuthenticationProvider.java | 13 ++++---- ...rizationConsentAuthenticationProvider.java | 11 +++---- ...Auth2DeviceCodeAuthenticationProvider.java | 9 +++--- ...iceVerificationAuthenticationProvider.java | 5 ++- ...TokenRevocationAuthenticationProvider.java | 4 +-- .../OidcAuthenticationProviderUtils.java | 32 +------------------ ...entRegistrationAuthenticationProvider.java | 10 +++--- ...rospectionAuthenticationProviderTests.java | 4 +-- ...figurationAuthenticationProviderTests.java | 4 +-- ...gistrationAuthenticationProviderTests.java | 4 +-- ...dcUserInfoAuthenticationProviderTests.java | 7 ++-- 13 files changed, 64 insertions(+), 101 deletions(-) diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java index 364b21399..e4d367f27 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -479,7 +479,6 @@ public Builder token(T token) { * @return the {@link Builder} */ public Builder token(T token, Consumer> metadataConsumer) { - Assert.notNull(token, "token cannot be null"); Map metadata = Token.defaultMetadata(); Token existingToken = this.tokens.get(token.getClass()); @@ -492,6 +491,33 @@ public Builder token(T token, Consumer the type of the token + * @return the {@link Builder} + * @since 1.4 + */ + public Builder invalidate(T token) { + Assert.notNull(token, "token cannot be null"); + if (this.tokens.get(token.getClass()) == null) { + return this; + } + token(token, (metadata) -> metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); + if (OAuth2RefreshToken.class.isAssignableFrom(token.getClass())) { + Token accessToken = this.tokens.get(OAuth2AccessToken.class); + token(accessToken.getToken(), + (metadata) -> metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); + + Token authorizationCode = this.tokens.get(OAuth2AuthorizationCode.class); + if (authorizationCode != null && !authorizationCode.isInvalidated()) { + token(authorizationCode.getToken(), + (metadata) -> metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); + } + } + return this; + } + protected final Builder tokens(Map, Token> tokens) { this.tokens = new HashMap<>(tokens); return this; diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java index f5b7be35d..cb16c2814 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java 
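Review bot: In the new `Builder.invalidate`, the refresh-token branch dereferences `accessToken` without a null check, although the authorization code next to it is guarded. A builder that holds a refresh token but no `OAuth2AccessToken` entry would throw a NullPointerException instead of invalidating; wrapping the existing call as `if (accessToken != null) { token(accessToken.getToken(), ...); }` fixes that. The removed package-private helpers made the same assumption, but this method is now public API (`@since 1.4`) and reachable from application code. The early `return this` when no token is registered under the exact `token.getClass()` makes invalidation a silent no-op; the Javadoc, which is not fully legible in this view, should say so, so that callers on revocation paths do not assume the token was flagged. The diffstat lists no test change for OAuth2Authorization itself; the refresh-token cascade and the no-op case deserve direct tests.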
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthenticationProviderUtils.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,10 +21,8 @@ import org.springframework.security.oauth2.core.OAuth2AccessToken; import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.core.OAuth2ErrorCodes; -import org.springframework.security.oauth2.core.OAuth2RefreshToken; import org.springframework.security.oauth2.core.OAuth2Token; import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; -import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode; import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat; import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext; 
@@ -50,34 +48,6 @@ static OAuth2ClientAuthenticationToken getAuthenticatedClientElseThrowInvalidCli throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT); } - static OAuth2Authorization invalidate(OAuth2Authorization authorization, T token) { - - // @formatter:off - OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization) - .token(token, - (metadata) -> - metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); - - if (OAuth2RefreshToken.class.isAssignableFrom(token.getClass())) { - authorizationBuilder.token( - authorization.getAccessToken().getToken(), - (metadata) -> - metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); - - OAuth2Authorization.Token authorizationCode = - authorization.getToken(OAuth2AuthorizationCode.class); - if (authorizationCode != null && !authorizationCode.isInvalidated()) { - authorizationBuilder.token( - authorizationCode.getToken(), - (metadata) -> - metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); - } - } - // @formatter:on - - return authorizationBuilder.build(); - } - static OAuth2AccessToken accessToken(OAuth2Authorization.Builder builder, T token, OAuth2TokenContext accessTokenContext) { diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java index 74c9bc701..c0039361d 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java 
@@ -144,8 +144,9 @@ public Authentication authenticate(Authentication authentication) throws Authent if (!authorizationCode.isInvalidated()) { // Invalidate the authorization code given that a different client is // attempting to use it - authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, - authorizationCode.getToken()); + authorization = OAuth2Authorization.from(authorization) + .invalidate(authorizationCode.getToken()) + .build(); this.authorizationService.save(authorization); if (this.logger.isWarnEnabled()) { this.logger.warn(LogMessage.format("Invalidated authorization code used by registered client '%s'", @@ -172,7 +173,7 @@ public Authentication authenticate(Authentication authentication) throws Authent if (token != null) { // Invalidate the access (and refresh) token as the client is // attempting to use the authorization code more than once - authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, token.getToken()); + authorization = OAuth2Authorization.from(authorization).invalidate(token.getToken()).build(); this.authorizationService.save(authorization); if (this.logger.isWarnEnabled()) { this.logger.warn(LogMessage.format( @@ -284,10 +285,10 @@ public Authentication authenticate(Authentication authentication) throws Authent idToken = null; } - authorization = authorizationBuilder.build(); - // Invalidate the authorization code as it can only be used once - authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, authorizationCode.getToken()); + authorizationBuilder.invalidate(authorizationCode.getToken()); + + authorization = authorizationBuilder.build(); this.authorizationService.save(authorization); 
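Review bot: The comment in the second hunk says "Invalidate the access (and refresh) token", but the single `invalidate(token.getToken())` call covers both only when `token` is the refresh token. The cascade in `Builder.invalidate`, added earlier in this commit, runs only for `OAuth2RefreshToken`, so an access token passed here would leave any refresh token usable after an authorization-code replay. How `token` is selected lies outside the hunk, so this may already hold; a comment would make the dependency explicit, e.g. `// pass the refresh token when present: invalidate() cascades to the access token and authorization code only for refresh tokens`. authenticate() starts and ends outside all three hunks.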
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java index 55978f0a7..45fea1207 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -187,10 +187,8 @@ public Authentication authenticate(Authentication authentication) throws Authent } } authorization = OAuth2Authorization.from(authorization) - .token((deviceCodeToken.getToken()), - (metadata) -> metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)) - .token((userCodeToken.getToken()), - (metadata) -> metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)) + .invalidate(deviceCodeToken.getToken()) + .invalidate(userCodeToken.getToken()) .attributes((attrs) -> attrs.remove(OAuth2ParameterNames.STATE)) .build(); this.authorizationService.save(authorization); 
@@ -210,8 +208,7 @@ public Authentication authenticate(Authentication authentication) throws Authent authorization = OAuth2Authorization.from(authorization) .authorizedScopes(authorizedScopes) - .token((userCodeToken.getToken()), - (metadata) -> metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)) + .invalidate(userCodeToken.getToken()) .attributes((attrs) -> attrs.remove(OAuth2ParameterNames.STATE)) .attributes((attrs) -> attrs.remove(OAuth2ParameterNames.SCOPE)) .build(); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationProvider.java index 06e908fbd..115cbd5bb 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationProvider.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceCodeAuthenticationProvider.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -124,7 +124,7 @@ public Authentication authenticate(Authentication authentication) throws Authent if (!deviceCode.isInvalidated()) { // Invalidate the device code given that a different client is attempting // to use it - authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, deviceCode.getToken()); + authorization = OAuth2Authorization.from(authorization).invalidate(deviceCode.getToken()).build(); this.authorizationService.save(authorization); if (this.logger.isWarnEnabled()) { this.logger.warn(LogMessage.format("Invalidated device code used by registered client '%s'", @@ -172,7 +172,7 @@ public Authentication authenticate(Authentication authentication) throws Authent // restarting to avoid unnecessary polling. if (deviceCode.isExpired()) { // Invalidate the device code - authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, deviceCode.getToken()); + authorization = OAuth2Authorization.from(authorization).invalidate(deviceCode.getToken()).build(); this.authorizationService.save(authorization); if (this.logger.isWarnEnabled()) { this.logger.warn(LogMessage.format("Invalidated device code used by registered client '%s'", @@ -200,8 +200,7 @@ public Authentication authenticate(Authentication authentication) throws Authent // @formatter:off OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization) // Invalidate the device code as it can only be used (successfully) once - .token(deviceCode.getToken(), (metadata) -> - metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); + .invalidate(deviceCode.getToken()); // @formatter:on // ----- Access token ----- 
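Review bot: The expired-device-code branch in the second hunk logs the same warning, "Invalidated device code used by registered client '%s'", as the different-client branch in the first hunk, so the two events cannot be told apart in logs. One means a device code was presented by a client it was not issued to, the other is plain expiry; a distinct message on the expiry path, for example `"Invalidated expired device code for registered client '%s'"`, would keep alerting on cross-client use meaningful. The format arguments and the rest of authenticate() are outside the hunks.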
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java index 6dc4e2de4..b5e0ff41a 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProvider.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -166,8 +166,7 @@ public Authentication authenticate(Authentication authentication) throws Authent authorization = OAuth2Authorization.from(authorization) .principalName(principal.getName()) .authorizedScopes(requestedScopes) - .token(userCode.getToken(), (metadata) -> metadata - .put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)) + .invalidate(userCode.getToken()) .attribute(Principal.class.getName(), principal) .attributes((attributes) -> attributes.remove(OAuth2ParameterNames.SCOPE)) .build(); diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenRevocationAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenRevocationAuthenticationProvider.java index 604d7fbaa..bd284b8b1 100644 
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenRevocationAuthenticationProvider.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenRevocationAuthenticationProvider.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -79,7 +79,7 @@ public Authentication authenticate(Authentication authentication) throws Authent } OAuth2Authorization.Token token = authorization.getToken(tokenRevocationAuthentication.getToken()); - authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, token.getToken()); + authorization = OAuth2Authorization.from(authorization).invalidate(token.getToken()).build(); this.authorizationService.save(authorization); if (this.logger.isTraceEnabled()) { diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcAuthenticationProviderUtils.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcAuthenticationProviderUtils.java index ea9cf0874..7e9ac14e8 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcAuthenticationProviderUtils.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcAuthenticationProviderUtils.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,10 +18,8 @@ import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.oauth2.core.ClaimAccessor; import org.springframework.security.oauth2.core.OAuth2AccessToken; -import org.springframework.security.oauth2.core.OAuth2RefreshToken; import org.springframework.security.oauth2.core.OAuth2Token; import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; -import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode; import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat; import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext; 
@@ -36,34 +34,6 @@ final class OidcAuthenticationProviderUtils { private OidcAuthenticationProviderUtils() { } - static OAuth2Authorization invalidate(OAuth2Authorization authorization, T token) { - - // @formatter:off - OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization.from(authorization) - .token(token, - (metadata) -> - metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); - - if (OAuth2RefreshToken.class.isAssignableFrom(token.getClass())) { - authorizationBuilder.token( - authorization.getAccessToken().getToken(), - (metadata) -> - metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); - - OAuth2Authorization.Token authorizationCode = - authorization.getToken(OAuth2AuthorizationCode.class); - if (authorizationCode != null && !authorizationCode.isInvalidated()) { - authorizationBuilder.token( - authorizationCode.getToken(), - (metadata) -> - metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true)); - } - } - // @formatter:on - - return authorizationBuilder.build(); - } - static OAuth2AccessToken accessToken(OAuth2Authorization.Builder builder, T token, OAuth2TokenContext accessTokenContext) { diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java index 8b1def9a3..fcfe0375d 100644 --- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java +++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -260,12 +260,12 @@ private OidcClientRegistrationAuthenticationToken registerClient( OAuth2Authorization registeredClientAuthorization = registerAccessToken(registeredClient); // Invalidate the "initial" access token as it can only be used once - authorization = OidcAuthenticationProviderUtils.invalidate(authorization, - authorization.getAccessToken().getToken()); + OAuth2Authorization.Builder builder = OAuth2Authorization.from(authorization) + .invalidate(authorization.getAccessToken().getToken()); if (authorization.getRefreshToken() != null) { - authorization = OidcAuthenticationProviderUtils.invalidate(authorization, - authorization.getRefreshToken().getToken()); + builder.invalidate(authorization.getRefreshToken().getToken()); } + authorization = builder.build(); this.authorizationService.save(authorization); if (this.logger.isTraceEnabled()) { diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProviderTests.java index 3ff0b62f9..99c27fbeb 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProviderTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenIntrospectionAuthenticationProviderTests.java 
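Review bot: In the `registerClient` hunk the comment still mentions only the "initial" access token, while the code now also invalidates the refresh token, and `Builder.invalidate` on a refresh token additionally flags the access token and any unused authorization code. When a refresh token exists the first `invalidate(authorization.getAccessToken().getToken())` is therefore redundant, though harmless. I would at least update the comment, e.g. `// Invalidate the "initial" access token (and its refresh token, if any) as it can only be used once`. registerClient's body continues outside the hunk.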
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -147,7 +147,7 @@ public void authenticateWhenTokenInvalidatedThenNotActive() { RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build(); OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build(); OAuth2AccessToken accessToken = authorization.getAccessToken().getToken(); - authorization = OAuth2AuthenticationProviderUtils.invalidate(authorization, accessToken); + authorization = OAuth2Authorization.from(authorization).invalidate(accessToken).build(); given(this.authorizationService.findByToken(eq(accessToken.getTokenValue()), isNull())) .willReturn(authorization); OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient, diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientConfigurationAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientConfigurationAuthenticationProviderTests.java index 00f4bfad1..1772f6b55 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientConfigurationAuthenticationProviderTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientConfigurationAuthenticationProviderTests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -176,8 +176,8 @@ public void authenticateWhenAccessTokenNotActiveThenThrowOAuth2AuthenticationExc RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build(); OAuth2Authorization authorization = TestOAuth2Authorizations .authorization(registeredClient, jwtAccessToken, jwt.getClaims()) + .invalidate(jwtAccessToken) .build(); - authorization = OidcAuthenticationProviderUtils.invalidate(authorization, jwtAccessToken); given(this.authorizationService.findByToken(eq(jwtAccessToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN))) .willReturn(authorization); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProviderTests.java index ddcb4eb03..bb95c02e5 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProviderTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProviderTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2023 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -250,8 +250,8 @@ public void authenticateWhenAccessTokenNotActiveThenThrowOAuth2AuthenticationExc RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build(); OAuth2Authorization authorization = TestOAuth2Authorizations .authorization(registeredClient, jwtAccessToken, jwt.getClaims()) + .invalidate(jwtAccessToken) .build(); - authorization = OidcAuthenticationProviderUtils.invalidate(authorization, jwtAccessToken); given(this.authorizationService.findByToken(eq(jwtAccessToken.getTokenValue()), eq(OAuth2TokenType.ACCESS_TOKEN))) .willReturn(authorization); diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcUserInfoAuthenticationProviderTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcUserInfoAuthenticationProviderTests.java index ffeb823b8..e6a4caaab 100644 --- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcUserInfoAuthenticationProviderTests.java +++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcUserInfoAuthenticationProviderTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2020-2022 the original author or authors. + * Copyright 2020-2024 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -133,8 +133,9 @@ public void authenticateWhenAccessTokenNotFoundThenThrowOAuth2AuthenticationExce public void authenticateWhenAccessTokenNotActiveThenThrowOAuth2AuthenticationException() { String tokenValue = "token"; OAuth2Authorization authorization = TestOAuth2Authorizations.authorization().build(); - authorization = OidcAuthenticationProviderUtils.invalidate(authorization, - authorization.getAccessToken().getToken()); + authorization = OAuth2Authorization.from(authorization) + .invalidate(authorization.getAccessToken().getToken()) + .build(); given(this.authorizationService.findByToken(eq(tokenValue), eq(OAuth2TokenType.ACCESS_TOKEN))) .willReturn(authorization);