Polish gh-1106 Device Authorization Grant

Author: jgrandja

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/AbstractOAuth2AuthorizationServerMetadata.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,6 +38,7 @@
  * @since 0.1.1
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc8414#section-3.2">3.2. Authorization Server Metadata Response</a>
  * @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse">4.2. OpenID Provider Configuration Response</a>
+ * @see <a target="_blank" href="https://www.rfc-editor.org/rfc/rfc8628.html#section-4">4. Device Authorization Grant Metadata</a>
  */
 public abstract class AbstractOAuth2AuthorizationServerMetadata implements OAuth2AuthorizationServerMetadataClaimAccessor, Serializable {
 	private static final long serialVersionUID = SpringAuthorizationServerVersion.SERIAL_VERSION_UID;
@@ -96,6 +97,17 @@ public B authorizationEndpoint(String authorizationEndpoint) {
 			return claim(OAuth2AuthorizationServerMetadataClaimNames.AUTHORIZATION_ENDPOINT, authorizationEndpoint);
 		}
 
+		/**
+		 * Use this {@code device_authorization_endpoint} in the resulting {@link AbstractOAuth2AuthorizationServerMetadata}, OPTIONAL.
+		 *
+		 * @param deviceAuthorizationEndpoint the {@code URL} of the OAuth 2.0 Device Authorization Endpoint
+		 * @return the {@link AbstractBuilder} for further configuration
+		 * @since 1.1
+		 */
+		public B deviceAuthorizationEndpoint(String deviceAuthorizationEndpoint) {
+			return claim(OAuth2AuthorizationServerMetadataClaimNames.DEVICE_AUTHORIZATION_ENDPOINT, deviceAuthorizationEndpoint);
+		}
+
 		/**
 		 * Use this {@code token_endpoint} in the resulting {@link AbstractOAuth2AuthorizationServerMetadata}, REQUIRED.
 		 *
@@ -346,6 +358,9 @@ protected void validate() {
 			validateURL(getClaims().get(OAuth2AuthorizationServerMetadataClaimNames.ISSUER), "issuer must be a valid URL");
 			Assert.notNull(getClaims().get(OAuth2AuthorizationServerMetadataClaimNames.AUTHORIZATION_ENDPOINT), "authorizationEndpoint cannot be null");
 			validateURL(getClaims().get(OAuth2AuthorizationServerMetadataClaimNames.AUTHORIZATION_ENDPOINT), "authorizationEndpoint must be a valid URL");
+			if (getClaims().get(OAuth2AuthorizationServerMetadataClaimNames.DEVICE_AUTHORIZATION_ENDPOINT) != null) {
+				validateURL(getClaims().get(OAuth2AuthorizationServerMetadataClaimNames.DEVICE_AUTHORIZATION_ENDPOINT), "deviceAuthorizationEndpoint must be a valid URL");
+			}
 			Assert.notNull(getClaims().get(OAuth2AuthorizationServerMetadataClaimNames.TOKEN_ENDPOINT), "tokenEndpoint cannot be null");
 			validateURL(getClaims().get(OAuth2AuthorizationServerMetadataClaimNames.TOKEN_ENDPOINT), "tokenEndpoint must be a valid URL");
 			if (getClaims().get(OAuth2AuthorizationServerMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED) != null) {

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java

@@ -155,7 +155,9 @@ private static boolean hasToken(OAuth2Authorization authorization, String token,
 					matchesAuthorizationCode(authorization, token) ||
 					matchesAccessToken(authorization, token) ||
 					matchesIdToken(authorization, token) ||
-					matchesRefreshToken(authorization, token);
+					matchesRefreshToken(authorization, token) ||
+					matchesDeviceCode(authorization, token) ||
+					matchesUserCode(authorization, token);
 		} else if (OAuth2ParameterNames.STATE.equals(tokenType.getValue())) {
 			return matchesState(authorization, token);
 		} else if (OAuth2ParameterNames.CODE.equals(tokenType.getValue())) {

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 the original author or authors.
+ * Copyright 2020-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -253,18 +253,6 @@ public static class Token<T extends OAuth2Token> implements Serializable {
 		 */
 		public static final String INVALIDATED_METADATA_NAME = TOKEN_METADATA_NAMESPACE.concat("invalidated");
 
-		/**
-		 * The name of the metadata that indicates if access has been denied by the resource owner.
-		 * Used with the OAuth 2.0 Device Authorization Grant.
-		 */
-		public static final String ACCESS_DENIED_METADATA_NAME = TOKEN_METADATA_NAMESPACE.concat("access_denied");
-
-		/**
-		 * The name of the metadata that indicates if access has been denied by the resource owner.
-		 * Used with the OAuth 2.0 Device Authorization Grant.
-		 */
-		public static final String ACCESS_GRANTED_METADATA_NAME = TOKEN_METADATA_NAMESPACE.concat("access_granted");
-
 		/**
 		 * The name of the metadata used for the claims of the token.
 		 */

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationServerMetadataClaimAccessor.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,6 +30,7 @@
  * @see OAuth2AuthorizationServerMetadataClaimNames
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc8414#section-2">2. Authorization Server Metadata</a>
  * @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">3. OpenID Provider Metadata</a>
+ * @see <a target="_blank" href="https://www.rfc-editor.org/rfc/rfc8628.html#section-4">4. Device Authorization Grant Metadata</a>
  */
 public interface OAuth2AuthorizationServerMetadataClaimAccessor extends ClaimAccessor {
 
@@ -51,6 +52,16 @@ default URL getAuthorizationEndpoint() {
 		return getClaimAsURL(OAuth2AuthorizationServerMetadataClaimNames.AUTHORIZATION_ENDPOINT);
 	}
 
+	/**
+	 * Returns the {@code URL} of the OAuth 2.0 Device Authorization Endpoint {@code (device_authorization_endpoint)}.
+	 *
+	 * @return the {@code URL} of the OAuth 2.0 Device Authorization Endpoint
+	 * @since 1.1
+	 */
+	default URL getDeviceAuthorizationEndpoint() {
+		return getClaimAsURL(OAuth2AuthorizationServerMetadataClaimNames.DEVICE_AUTHORIZATION_ENDPOINT);
+	}
+
 	/**
 	 * Returns the {@code URL} of the OAuth 2.0 Token Endpoint {@code (token_endpoint)}.
 	 *

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationServerMetadataClaimNames.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 the original author or authors.
+ * Copyright 2020-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@
  * @since 0.1.1
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc8414#section-2">2. Authorization Server Metadata</a>
  * @see <a target="_blank" href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">3. OpenID Provider Metadata</a>
+ * @see <a target="_blank" href="https://www.rfc-editor.org/rfc/rfc8628.html#section-4">4. Device Authorization Grant Metadata</a>
  */
 public class OAuth2AuthorizationServerMetadataClaimNames {
 
@@ -36,6 +37,12 @@ public class OAuth2AuthorizationServerMetadataClaimNames {
 	 */
 	public static final String AUTHORIZATION_ENDPOINT = "authorization_endpoint";
 
+	/**
+	 * {@code device_authorization_endpoint} - the {@code URL} of the OAuth 2.0 Device Authorization Endpoint
+	 * @since 1.1
+	 */
+	public static final String DEVICE_AUTHORIZATION_ENDPOINT = "device_authorization_endpoint";
+
 	/**
 	 * {@code token_endpoint} - the {@code URL} of the OAuth 2.0 Token Endpoint
 	 */

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationConsentAuthenticationContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 the original author or authors.
+ * Copyright 2020-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -113,10 +113,6 @@ private Builder(OAuth2AuthorizationConsentAuthenticationToken authentication) {
 			super(authentication);
 		}
 
-		private Builder(OAuth2DeviceAuthorizationConsentAuthenticationToken authentication) {
-			super(authentication);
-		}
-
 		/**
 		 * Sets the {@link OAuth2AuthorizationConsent.Builder authorization consent builder}.
 		 *

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationConsentAuthenticationProvider.java

@@ -91,6 +91,12 @@ public OAuth2AuthorizationConsentAuthenticationProvider(RegisteredClientReposito
 
 	@Override
 	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		if (authentication instanceof OAuth2DeviceAuthorizationConsentAuthenticationToken) {
+			// This is NOT an OAuth 2.0 Authorization Consent for the Authorization Code Grant,
+			// return null and let OAuth2DeviceAuthorizationConsentAuthenticationProvider handle it instead
+			return null;
+		}
+
 		OAuth2AuthorizationConsentAuthenticationToken authorizationConsentAuthentication =
 				(OAuth2AuthorizationConsentAuthenticationToken) authentication;
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java

@@ -15,7 +15,6 @@
  */
 package org.springframework.security.oauth2.server.authorization.authentication;
 
-import java.security.Principal;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
@@ -24,6 +23,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
@@ -33,7 +33,6 @@
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2UserCode;
-import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
@@ -45,8 +44,8 @@
 import org.springframework.util.Assert;
 
 /**
- * An {@link AuthenticationProvider} implementation for the OAuth 2.0 Authorization Consent
- * used in the Device Authorization Grant.
+ * An {@link AuthenticationProvider} implementation for the Device Authorization Consent
+ * used in the OAuth 2.0 Device Authorization Grant.
  *
  * @author Steve Riesenberg
  * @since 1.1
@@ -61,7 +60,7 @@
  */
 public final class OAuth2DeviceAuthorizationConsentAuthenticationProvider implements AuthenticationProvider {
 
-	private static final String DEFAULT_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1";
+	private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
 	static final OAuth2TokenType STATE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.STATE);
 
 	private final Log logger = LogFactory.getLog(getClass());
@@ -104,7 +103,11 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			this.logger.trace("Retrieved authorization with device authorization consent state");
 		}
 
+		// The authorization must be associated to the current principal
 		Authentication principal = (Authentication) deviceAuthorizationConsentAuthentication.getPrincipal();
+		if (!isPrincipalAuthenticated(principal) || !principal.getName().equals(authorization.getPrincipalName())) {
+			throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.STATE);
+		}
 
 		RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(
 				deviceAuthorizationConsentAuthentication.getClientId());
@@ -116,12 +119,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			this.logger.trace("Retrieved registered client");
 		}
 
-		OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
-				OAuth2AuthorizationRequest.class.getName());
-		Set<String> requestedScopes = authorizationRequest.getScopes();
-		Set<String> authorizedScopes = deviceAuthorizationConsentAuthentication.getScopes() != null ?
-				new HashSet<>(deviceAuthorizationConsentAuthentication.getScopes()) :
-				new HashSet<>();
+		Set<String> requestedScopes = authorization.getAttribute(OAuth2ParameterNames.SCOPE);
+		Set<String> authorizedScopes = new HashSet<>(deviceAuthorizationConsentAuthentication.getScopes());
 		if (!requestedScopes.containsAll(authorizedScopes)) {
 			throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE);
 		}
@@ -162,7 +161,6 @@ public Authentication authenticate(Authentication authentication) throws Authent
 							.authorizationConsent(authorizationConsentBuilder)
 							.registeredClient(registeredClient)
 							.authorization(authorization)
-							.authorizationRequest(authorizationRequest)
 							.build();
 			// @formatter:on
 			this.authorizationConsentCustomizer.accept(authorizationConsentAuthenticationContext);
@@ -187,15 +185,16 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			}
 			authorization = OAuth2Authorization.from(authorization)
 					.token(deviceCodeToken.getToken(), metadata ->
-							metadata.put(OAuth2Authorization.Token.ACCESS_DENIED_METADATA_NAME, true))
+							metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true))
 					.token(userCodeToken.getToken(), metadata ->
 							metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true))
+					.attributes(attrs -> attrs.remove(OAuth2ParameterNames.STATE))
 					.build();
 			this.authorizationService.save(authorization);
 			if (this.logger.isTraceEnabled()) {
 				this.logger.trace("Invalidated device code and user code because authorization consent was denied");
 			}
-			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.ACCESS_DENIED);
+			throwError(OAuth2ErrorCodes.ACCESS_DENIED, OAuth2ParameterNames.CLIENT_ID);
 		}
 
 		OAuth2AuthorizationConsent authorizationConsent = authorizationConsentBuilder.build();
@@ -206,26 +205,23 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			}
 		}
 
-		OAuth2Authorization updatedAuthorization = OAuth2Authorization.from(authorization)
-				.principalName(principal.getName())
+		authorization = OAuth2Authorization.from(authorization)
 				.authorizedScopes(authorizedScopes)
-				.token(deviceCodeToken.getToken(), metadata -> metadata
-						.put(OAuth2Authorization.Token.ACCESS_GRANTED_METADATA_NAME, true))
-				.token(userCodeToken.getToken(), metadata -> metadata
-						.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true))
-				.attribute(Principal.class.getName(), principal)
+				.token(userCodeToken.getToken(), metadata ->
+						metadata.put(OAuth2Authorization.Token.INVALIDATED_METADATA_NAME, true))
 				.attributes(attrs -> attrs.remove(OAuth2ParameterNames.STATE))
+				.attributes(attrs -> attrs.remove(OAuth2ParameterNames.SCOPE))
 				.build();
-		this.authorizationService.save(updatedAuthorization);
+		this.authorizationService.save(authorization);
 
 		if (this.logger.isTraceEnabled()) {
 			this.logger.trace("Saved authorization with authorized scopes");
 			// This log is kept separate for consistency with other providers
-			this.logger.trace("Authenticated authorization consent request");
+			this.logger.trace("Authenticated device authorization consent request");
 		}
 
-		return new OAuth2DeviceVerificationAuthenticationToken(registeredClient.getClientId(), principal,
-				deviceAuthorizationConsentAuthentication.getUserCode());
+		return new OAuth2DeviceVerificationAuthenticationToken(principal,
+				deviceAuthorizationConsentAuthentication.getUserCode(), registeredClient.getClientId());
 	}
 
 	@Override
@@ -244,10 +240,9 @@ public boolean supports(Class<?> authentication) {
 	 * prior to {@link OAuth2AuthorizationConsentService#save(OAuth2AuthorizationConsent)}.</li>
 	 * <li>The {@link Authentication} of type
 	 * {@link OAuth2DeviceAuthorizationConsentAuthenticationToken}.</li>
-	 * <li>The {@link RegisteredClient} associated with the authorization request.</li>
+	 * <li>The {@link RegisteredClient} associated with the device authorization request.</li>
 	 * <li>The {@link OAuth2Authorization} associated with the state token presented in the
-	 * authorization consent request.</li>
-	 * <li>The {@link OAuth2AuthorizationRequest} associated with the authorization consent request.</li>
+	 * device authorization consent request.</li>
 	 * </ul>
 	 *
 	 * @param authorizationConsentCustomizer the {@code Consumer} providing access to the
@@ -258,8 +253,14 @@ public void setAuthorizationConsentCustomizer(Consumer<OAuth2AuthorizationConsen
 		this.authorizationConsentCustomizer = authorizationConsentCustomizer;
 	}
 
+	private static boolean isPrincipalAuthenticated(Authentication principal) {
+		return principal != null &&
+				!AnonymousAuthenticationToken.class.isAssignableFrom(principal.getClass()) &&
+				principal.isAuthenticated();
+	}
+
 	private static void throwError(String errorCode, String parameterName) {
-		OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName, DEFAULT_ERROR_URI);
+		OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Parameter: " + parameterName, ERROR_URI);
 		throw new OAuth2AuthenticationException(error);
 	}
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationToken.java

@@ -21,16 +21,19 @@
 import java.util.Set;
 
 import org.springframework.lang.Nullable;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.server.authorization.util.SpringAuthorizationServerVersion;
 import org.springframework.util.Assert;
 
 /**
- * An {@link Authentication} implementation for the Authorization Consent used
+ * An {@link Authentication} implementation for the Device Authorization Consent used
  * in the OAuth 2.0 Device Authorization Grant.
  *
  * @author Steve Riesenberg
  * @since 1.1
+ * @see AbstractAuthenticationToken
+ * @see OAuth2DeviceAuthorizationConsentAuthenticationProvider
  */
 public class OAuth2DeviceAuthorizationConsentAuthenticationToken extends OAuth2AuthorizationConsentAuthenticationToken {
 	private static final long serialVersionUID = SpringAuthorizationServerVersion.SERIAL_VERSION_UID;
@@ -43,7 +46,7 @@ public class OAuth2DeviceAuthorizationConsentAuthenticationToken extends OAuth2A
 	 * @param authorizationUri the authorization URI
 	 * @param clientId the client identifier
 	 * @param principal the {@code Principal} (Resource Owner)
-	 * @param userCode the user code associated with the device authorization request
+	 * @param userCode the user code associated with the device authorization response
 	 * @param state the state
 	 * @param authorizedScopes the authorized scope(s)
 	 * @param additionalParameters the additional parameters
@@ -64,7 +67,7 @@ public OAuth2DeviceAuthorizationConsentAuthenticationToken(String authorizationU
 	 * @param authorizationUri the authorization URI
 	 * @param clientId the client identifier
 	 * @param principal the {@code Principal} (Resource Owner)
-	 * @param userCode the user code associated with the device authorization request
+	 * @param userCode the user code associated with the device authorization response
 	 * @param state the state
 	 * @param requestedScopes the requested scope(s)
 	 * @param authorizedScopes the authorized scope(s)