-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support custom validation in OidcLogoutAuthenticationProvider #1723
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,142 @@ | ||
/* | ||
* Copyright 2020-2024 the original author or authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* https://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package org.springframework.security.oauth2.server.authorization.oidc.authentication; | ||
|
||
import java.util.Map; | ||
import java.util.function.Consumer; | ||
|
||
import org.springframework.lang.Nullable; | ||
import org.springframework.security.core.Authentication; | ||
import org.springframework.security.oauth2.core.oidc.OidcIdToken; | ||
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization; | ||
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthenticationContext; | ||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; | ||
import org.springframework.util.Assert; | ||
|
||
/** | ||
* An {@link OAuth2AuthenticationContext} that holds an | ||
* {@link OidcLogoutAuthenticationToken} and additional information and is used when | ||
* validating the OpenID Connect RP-Initiated Logout Request parameters. | ||
* | ||
* @author Daniel Garnier-Moiroux | ||
* @since 1.4 | ||
* @see OAuth2AuthenticationContext | ||
* @see OidcLogoutAuthenticationToken | ||
* @see OidcLogoutAuthenticationProvider#setAuthenticationValidator(Consumer) | ||
*/ | ||
public final class OidcLogoutAuthenticationContext implements OAuth2AuthenticationContext { | ||
|
||
private final Map<Object, Object> context; | ||
|
||
private OidcLogoutAuthenticationContext(Map<Object, Object> context) { | ||
this.context = context; | ||
} | ||
|
||
@SuppressWarnings("unchecked") | ||
@Nullable | ||
@Override | ||
public <V> V get(Object key) { | ||
return hasKey(key) ? (V) this.context.get(key) : null; | ||
} | ||
|
||
@Override | ||
public boolean hasKey(Object key) { | ||
Assert.notNull(key, "key cannot be null"); | ||
return this.context.containsKey(key); | ||
} | ||
|
||
/** | ||
* Returns the {@link RegisteredClient registered client}. | ||
* @return the {@link RegisteredClient} | ||
*/ | ||
public RegisteredClient getRegisteredClient() { | ||
return get(RegisteredClient.class); | ||
} | ||
|
||
/** | ||
* Returns the {@link OAuth2Authorization authorization request}. | ||
* @return the {@link OAuth2Authorization} | ||
*/ | ||
public OAuth2Authorization getAuthorizationRequest() { | ||
return get(OAuth2Authorization.class); | ||
} | ||
|
||
/** | ||
* Returns the {@link OidcIdToken id_token}. | ||
* @return the {@link OidcIdToken} | ||
*/ | ||
public OidcIdToken getIdToken() { | ||
return get(OidcIdToken.class); | ||
} | ||
|
||
/** | ||
* Constructs a new {@link Builder} with the provided | ||
* {@link OidcLogoutAuthenticationToken}. | ||
* @param authentication the {@link OidcLogoutAuthenticationToken} | ||
* @return the {@link Builder} | ||
*/ | ||
public static Builder with(OidcLogoutAuthenticationToken authentication) { | ||
return new Builder(authentication); | ||
} | ||
|
||
/** | ||
* A builder for {@link OidcLogoutAuthenticationContext}. | ||
*/ | ||
public static final class Builder extends AbstractBuilder<OidcLogoutAuthenticationContext, Builder> { | ||
|
||
private Builder(Authentication authentication) { | ||
super(authentication); | ||
} | ||
|
||
/** | ||
* Sets the {@link RegisteredClient registered client}. | ||
* @param registeredClient the {@link RegisteredClient} | ||
* @return the {@link Builder} for further configuration | ||
*/ | ||
public Builder registeredClient(RegisteredClient registeredClient) { | ||
return put(RegisteredClient.class, registeredClient); | ||
} | ||
|
||
/** | ||
* Sets the {@link OAuth2Authorization registered client}. | ||
* @param authorization the {@link OAuth2Authorization} | ||
* @return the {@link Builder} for further configuration | ||
*/ | ||
public Builder authorization(OAuth2Authorization authorization) { | ||
return put(OAuth2Authorization.class, authorization); | ||
} | ||
|
||
/** | ||
* Sets the {@link OidcIdToken id_token}. | ||
* @param idToken the {@link OidcIdToken} | ||
* @return the {@link Builder} for further configuration | ||
*/ | ||
public Builder idToken(OidcIdToken idToken) { | ||
return put(OidcIdToken.class, idToken); | ||
} | ||
|
||
/** | ||
* Builds a new {@link OidcLogoutAuthenticationContext}. | ||
* @return the {@link OidcLogoutAuthenticationContext} | ||
*/ | ||
@Override | ||
public OidcLogoutAuthenticationContext build() { | ||
return new OidcLogoutAuthenticationContext(getContext()); | ||
} | ||
|
||
} | ||
|
||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,94 @@ | ||
/* | ||
* Copyright 2020-2024 the original author or authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* https://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package org.springframework.security.oauth2.server.authorization.oidc.authentication; | ||
|
||
import java.util.List; | ||
import java.util.function.Consumer; | ||
|
||
import org.springframework.security.oauth2.core.OAuth2AuthenticationException; | ||
import org.springframework.security.oauth2.core.OAuth2Error; | ||
import org.springframework.security.oauth2.core.OAuth2ErrorCodes; | ||
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames; | ||
import org.springframework.security.oauth2.core.oidc.OidcIdToken; | ||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; | ||
import org.springframework.util.CollectionUtils; | ||
import org.springframework.util.StringUtils; | ||
|
||
/** | ||
* A {@code Consumer} providing access to the {@link OidcLogoutAuthenticationContext} | ||
* containing an {@link OidcLogoutAuthenticationToken} and is the default | ||
* {@link OidcLogoutAuthenticationProvider#setAuthenticationValidator(Consumer) | ||
* authentication validator} used for validating specific OpenID Connect RP-Initiated | ||
* Logout parameters used in the Authorization Code Grant. | ||
* | ||
* <p> | ||
* The default implementation first validates {@link OidcIdToken#getAudience()}, and then | ||
* {@link OidcLogoutAuthenticationToken#getPostLogoutRedirectUri()}. If validation fails, | ||
* an {@link OAuth2AuthenticationException} is thrown. | ||
* | ||
* @author Daniel Garnier-Moiroux | ||
* @since 1.4 | ||
* @see OidcLogoutAuthenticationContext | ||
* @see OidcLogoutAuthenticationToken | ||
* @see OidcLogoutAuthenticationProvider#setAuthenticationValidator(Consumer) | ||
*/ | ||
public final class OidcLogoutAuthenticationValidator implements Consumer<OidcLogoutAuthenticationContext> { | ||
|
||
/** | ||
* The default validator for {@link OidcIdToken#getAudience()}. | ||
*/ | ||
public static final Consumer<OidcLogoutAuthenticationContext> DEFAULT_AUDIENCE_VALIDATOR = OidcLogoutAuthenticationValidator::validateAudience; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we should reset this change since this issue is to address There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I wanted to give more a bit flexibility in logout validation, and showcase how validators can be composed, similar to what we do in the redirect uri validation. Happy to remove it though - In I can't think of a valid use-case where the |
||
|
||
/** | ||
* The default validator for | ||
* {@link OidcLogoutAuthenticationToken#getPostLogoutRedirectUri()}. | ||
*/ | ||
public static final Consumer<OidcLogoutAuthenticationContext> DEFAULT_POST_LOGOUT_REDIRECT_URI_VALIDATOR = OidcLogoutAuthenticationValidator::validatePostLogoutRedirectUri; | ||
|
||
private final Consumer<OidcLogoutAuthenticationContext> authenticationValidator = DEFAULT_AUDIENCE_VALIDATOR | ||
.andThen(DEFAULT_POST_LOGOUT_REDIRECT_URI_VALIDATOR); | ||
|
||
@Override | ||
public void accept(OidcLogoutAuthenticationContext authenticationContext) { | ||
this.authenticationValidator.accept(authenticationContext); | ||
} | ||
|
||
private static void validatePostLogoutRedirectUri(OidcLogoutAuthenticationContext authenticationContext) { | ||
OidcLogoutAuthenticationToken oidcLogoutAuthentication = authenticationContext.getAuthentication(); | ||
RegisteredClient registeredClient = authenticationContext.getRegisteredClient(); | ||
if (StringUtils.hasText(oidcLogoutAuthentication.getPostLogoutRedirectUri()) | ||
&& !registeredClient.getPostLogoutRedirectUris() | ||
.contains(oidcLogoutAuthentication.getPostLogoutRedirectUri())) { | ||
throwError(OAuth2ErrorCodes.INVALID_REQUEST, "post_logout_redirect_uri"); | ||
} | ||
} | ||
|
||
private static void validateAudience(OidcLogoutAuthenticationContext authenticationContext) { | ||
OidcIdToken idToken = authenticationContext.getIdToken(); | ||
List<String> audClaim = idToken.getAudience(); | ||
RegisteredClient registeredClient = authenticationContext.getRegisteredClient(); | ||
if (CollectionUtils.isEmpty(audClaim) || !audClaim.contains(registeredClient.getClientId())) { | ||
throwError(OAuth2ErrorCodes.INVALID_TOKEN, IdTokenClaimNames.AUD); | ||
} | ||
} | ||
|
||
private static void throwError(String errorCode, String parameterName) { | ||
OAuth2Error error = new OAuth2Error(errorCode, "OpenID Connect 1.0 Logout Request Parameter: " + parameterName, | ||
"https://openid.net/specs/openid-connect-rpinitiated-1_0.html#ValidationAndErrorHandling"); | ||
throw new OAuth2AuthenticationException(error); | ||
} | ||
|
||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not used so can be removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should leave it.
Since this is the
OidcLogoutAuthenticationContext
, it goes beyond just the logout URI. TheOAuth2Authorization
is part of the the logout context and is loaded from a repository, it may prove useful for users who want to perform further checks.