Token exchange support

pom.xml

@@ -5,7 +5,7 @@
   <name>OAuth for Spring Security</name>
   <description>Parent Project for OAuth Support for Spring Security</description>
   <packaging>pom</packaging>
-  <version>2.0.13.BUILD-SNAPSHOT</version>
+  <version>2.1.1.BUILD-SNAPSHOT</version>
   <url>http://static.springframework.org/spring-security/oauth</url>
 
   <modules>

samples/oauth/sparklr/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.0.13.BUILD-SNAPSHOT</version>
+		<version>2.1.1.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 

samples/oauth/tonr/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.0.13.BUILD-SNAPSHOT</version>
+		<version>2.1.1.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 

samples/oauth2/sparklr/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.0.13.BUILD-SNAPSHOT</version>
+		<version>2.1.1.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 

samples/oauth2/tonr/pom.xml

@@ -6,7 +6,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.0.13.BUILD-SNAPSHOT</version>
+		<version>2.1.1.BUILD-SNAPSHOT</version>
 		<relativePath>../../..</relativePath>
 	</parent>
 

samples/pom.xml

@@ -4,7 +4,7 @@
   <parent>
     <groupId>org.springframework.security.oauth</groupId>
     <artifactId>spring-security-oauth-parent</artifactId>
-    <version>2.0.13.BUILD-SNAPSHOT</version>
+    <version>2.1.1.BUILD-SNAPSHOT</version>
   </parent>
 
   <artifactId>spring-security-oauth-samples</artifactId>

spring-security-oauth/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.0.13.BUILD-SNAPSHOT</version>
+		<version>2.1.1.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>spring-security-oauth</artifactId>

spring-security-oauth2/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.security.oauth</groupId>
 		<artifactId>spring-security-oauth-parent</artifactId>
-		<version>2.0.13.BUILD-SNAPSHOT</version>
+		<version>2.1.1.BUILD-SNAPSHOT</version>
 	</parent>
 
 	<artifactId>spring-security-oauth2</artifactId>

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerEndpointsConfiguration.java

@@ -20,8 +20,11 @@
 import javax.annotation.PostConstruct;
 
 import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.BeanFactoryUtils;
+import org.springframework.beans.factory.FactoryBean;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.config.AbstractFactoryBean;
 import org.springframework.beans.factory.config.ConfigurableListableBeanFactory;
 import org.springframework.beans.factory.support.BeanDefinitionBuilder;
 import org.springframework.beans.factory.support.BeanDefinitionRegistry;
@@ -131,8 +134,19 @@ public FrameworkEndpointHandlerMapping oauth2EndpointHandlerMapping() throws Exc
 	}
 
 	@Bean
-	public ConsumerTokenServices consumerTokenServices() throws Exception {
-		return getEndpointsConfigurer().getConsumerTokenServices();
+	public FactoryBean<ConsumerTokenServices> consumerTokenServices() throws Exception {
+		return new AbstractFactoryBean<ConsumerTokenServices>() {
+
+			@Override
+			public Class<?> getObjectType() {
+				return ConsumerTokenServices.class;
+			}
+
+			@Override
+			protected ConsumerTokenServices createInstance() throws Exception {
+				return getEndpointsConfigurer().getConsumerTokenServices();
+			}
+		};
 	}
 
 	/**
@@ -146,13 +160,18 @@ public ConsumerTokenServices consumerTokenServices() throws Exception {
 	 * @return an AuthorizationServerTokenServices
 	 */
 	@Bean
-	public AuthorizationServerTokenServices defaultAuthorizationServerTokenServices() {
-		return endpoints.getDefaultAuthorizationServerTokenServices();
+	public FactoryBean<AuthorizationServerTokenServices> defaultAuthorizationServerTokenServices() {
+		return new AuthorizationServerTokenServicesFactoryBean(endpoints);
 	}
 
 	public AuthorizationServerEndpointsConfigurer getEndpointsConfigurer() {
 		if (!endpoints.isTokenServicesOverride()) {
-			endpoints.tokenServices(defaultAuthorizationServerTokenServices());
+			try {
+				endpoints.tokenServices(endpoints.getDefaultAuthorizationServerTokenServices());
+			}
+			catch (Exception e) {
+				throw new BeanCreationException("Cannot create token services", e);
+			}
 		}
 		return endpoints;
 	}
@@ -193,6 +212,30 @@ private String extractPath(FrameworkEndpointHandlerMapping mapping, String page)
 		return "forward:" + path;
 	}
 
+	protected static class AuthorizationServerTokenServicesFactoryBean
+			extends AbstractFactoryBean<AuthorizationServerTokenServices> {
+
+		private AuthorizationServerEndpointsConfigurer endpoints;
+
+		protected AuthorizationServerTokenServicesFactoryBean() {
+		}
+
+		public AuthorizationServerTokenServicesFactoryBean(
+				AuthorizationServerEndpointsConfigurer endpoints) {
+					this.endpoints = endpoints;
+		}
+
+		@Override
+		public Class<?> getObjectType() {
+			return AuthorizationServerTokenServices.class;
+		}
+
+		@Override
+		protected AuthorizationServerTokenServices createInstance() throws Exception {
+			return endpoints.getDefaultAuthorizationServerTokenServices();
+		}
+	}
+
 	@Component
 	protected static class TokenKeyEndpointRegistrar implements BeanDefinitionRegistryPostProcessor {
 

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java

@@ -15,15 +15,6 @@
  */
 package org.springframework.security.oauth2.config.annotation.web.configurers;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.ObjectFactory;
 import org.springframework.http.HttpMethod;
@@ -36,17 +27,8 @@
 import org.springframework.security.oauth2.common.util.ProxyCreator;
 import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
 import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
-import org.springframework.security.oauth2.provider.ClientDetailsService;
-import org.springframework.security.oauth2.provider.CompositeTokenGranter;
-import org.springframework.security.oauth2.provider.OAuth2RequestFactory;
-import org.springframework.security.oauth2.provider.OAuth2RequestValidator;
-import org.springframework.security.oauth2.provider.TokenGranter;
-import org.springframework.security.oauth2.provider.TokenRequest;
-import org.springframework.security.oauth2.provider.approval.ApprovalStore;
-import org.springframework.security.oauth2.provider.approval.ApprovalStoreUserApprovalHandler;
-import org.springframework.security.oauth2.provider.approval.TokenApprovalStore;
-import org.springframework.security.oauth2.provider.approval.TokenStoreUserApprovalHandler;
-import org.springframework.security.oauth2.provider.approval.UserApprovalHandler;
+import org.springframework.security.oauth2.provider.*;
+import org.springframework.security.oauth2.provider.approval.*;
 import org.springframework.security.oauth2.provider.client.ClientCredentialsTokenGranter;
 import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService;
 import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
@@ -55,19 +37,13 @@
 import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpointHandlerMapping;
 import org.springframework.security.oauth2.provider.error.DefaultWebResponseExceptionTranslator;
 import org.springframework.security.oauth2.provider.error.WebResponseExceptionTranslator;
+import org.springframework.security.oauth2.provider.exchange.TokenExchangeTokenGranter;
 import org.springframework.security.oauth2.provider.implicit.ImplicitTokenGranter;
 import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;
 import org.springframework.security.oauth2.provider.refresh.RefreshTokenGranter;
 import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
 import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestValidator;
-import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
-import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;
-import org.springframework.security.oauth2.provider.token.ConsumerTokenServices;
-import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
-import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
-import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
-import org.springframework.security.oauth2.provider.token.TokenEnhancer;
-import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.security.oauth2.provider.token.*;
 import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
 import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
 import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
@@ -76,9 +52,11 @@
 import org.springframework.web.context.request.WebRequestInterceptor;
 import org.springframework.web.servlet.HandlerInterceptor;
 
+import java.util.*;
+
 /**
  * Configure the properties and enhanced functionality of the Authorization Server endpoints.
- * 
+ *
  * @author Rob Winch
  * @author Dave Syer
  * @since 2.0
@@ -242,7 +220,7 @@ public AuthorizationServerEndpointsConfigurer approvalStore(ApprovalStore approv
 	 * Explicitly disable the approval store, even if one would normally be added automatically (usually when JWT is not
 	 * used). Without an approval store the user can only be asked to approve or deny a grant without any more granular
 	 * decisions.
-	 * 
+	 *
 	 * @return this for fluent builder
 	 */
 	public AuthorizationServerEndpointsConfigurer approvalStoreDisabled() {
@@ -277,7 +255,7 @@ public AuthorizationServerEndpointsConfigurer exceptionTranslator(WebResponseExc
 
 	/**
 	 * The AuthenticationManager for the password grant.
-	 * 
+	 *
 	 * @param authenticationManager an AuthenticationManager, fully initialized
 	 * @return this for a fluent style
 	 */
@@ -544,8 +522,9 @@ private List<TokenGranter> getDefaultTokenGranters() {
 		if (authenticationManager != null) {
 			tokenGranters.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, tokenServices,
 					clientDetails, requestFactory));
+            tokenGranters.add(new TokenExchangeTokenGranter(authenticationManager, tokenServices, clientDetails, requestFactory));
 		}
-		return tokenGranters;
+        return tokenGranters;
 	}
 
 	private TokenGranter tokenGranter() {

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java

@@ -28,6 +28,7 @@
 import org.springframework.security.oauth2.provider.code.AuthorizationCodeTokenGranter;
 import org.springframework.security.oauth2.provider.code.InMemoryAuthorizationCodeServices;
 import org.springframework.security.oauth2.provider.endpoint.*;
+import org.springframework.security.oauth2.provider.exchange.TokenExchangeTokenGranter;
 import org.springframework.security.oauth2.provider.implicit.ImplicitTokenGranter;
 import org.springframework.security.oauth2.provider.password.ResourceOwnerPasswordTokenGranter;
 import org.springframework.security.oauth2.provider.refresh.RefreshTokenGranter;
@@ -209,20 +210,29 @@ protected AbstractBeanDefinition parseEndpointAndReturnFilter(Element element,
 					"password");
 			if (clientPasswordElement != null && !"true"
 					.equalsIgnoreCase(clientPasswordElement.getAttribute("disabled"))) {
-				BeanDefinitionBuilder clientPasswordTokenGranter = BeanDefinitionBuilder
-						.rootBeanDefinition(ResourceOwnerPasswordTokenGranter.class);
 				String authenticationManagerRef = clientPasswordElement
 						.getAttribute("authentication-manager-ref");
 				if (!StringUtils.hasText(authenticationManagerRef)) {
 					authenticationManagerRef = BeanIds.AUTHENTICATION_MANAGER;
 				}
+				BeanDefinitionBuilder clientPasswordTokenGranter = BeanDefinitionBuilder
+						.rootBeanDefinition(ResourceOwnerPasswordTokenGranter.class);
 				clientPasswordTokenGranter
 						.addConstructorArgReference(authenticationManagerRef);
 				clientPasswordTokenGranter.addConstructorArgReference(tokenServicesRef);
 				clientPasswordTokenGranter.addConstructorArgReference(clientDetailsRef);
 				clientPasswordTokenGranter
 						.addConstructorArgReference(oAuth2RequestFactoryRef);
 				tokenGranters.add(clientPasswordTokenGranter.getBeanDefinition());
+				BeanDefinitionBuilder tokenExchangeTokenGranter = BeanDefinitionBuilder
+						.rootBeanDefinition(TokenExchangeTokenGranter.class);
+				tokenExchangeTokenGranter
+						.addConstructorArgReference(authenticationManagerRef);
+				tokenExchangeTokenGranter.addConstructorArgReference(tokenServicesRef);
+				tokenExchangeTokenGranter.addConstructorArgReference(clientDetailsRef);
+				tokenExchangeTokenGranter
+						.addConstructorArgReference(oAuth2RequestFactoryRef);
+				tokenGranters.add(tokenExchangeTokenGranter.getBeanDefinition());
 			}
 			List<Element> customGrantElements = DomUtils
 					.getChildElementsByTagName(element, "custom-grant");

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/exchange/DefaultTokenExchangeAuthenticationProvider.java

@@ -0,0 +1,46 @@
+package org.springframework.security.oauth2.provider.exchange;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.security.core.authority.mapping.NullAuthoritiesMapper;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.util.Assert;
+
+/**
+ * {@link AuthenticationProvider} that supports {@link TokenExchangeAuthenticationToken}.
+ *
+ * @author Ryan Murfitt
+ */
+public class DefaultTokenExchangeAuthenticationProvider implements AuthenticationProvider {
+
+    private TokenExchangeService tokenExchangeService;
+    private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        Assert.isInstanceOf(TokenExchangeAuthenticationToken.class, authentication, "Only TokenExchangeAuthenticationToken is supported");
+        UserDetails user = this.tokenExchangeService.loadUserDetailsFromToken((TokenExchangeAuthenticationToken) authentication);
+        return createSuccessAuthentication(user, (TokenExchangeAuthenticationToken) authentication);
+    }
+
+    private Authentication createSuccessAuthentication(UserDetails user, TokenExchangeAuthenticationToken token) {
+        TokenExchangeAuthenticationToken result = new TokenExchangeAuthenticationToken(user, token.getPrincipal(), token.getClientDetails(), this.authoritiesMapper.mapAuthorities(user.getAuthorities()));
+        result.setDetails(token.getDetails());
+        return result;
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return TokenExchangeAuthenticationToken.class.isAssignableFrom(authentication);
+    }
+
+    public void setTokenExchangeService(TokenExchangeService tokenExchangeService) {
+        this.tokenExchangeService = tokenExchangeService;
+    }
+
+    public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) {
+        this.authoritiesMapper = authoritiesMapper;
+    }
+}

spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/exchange/TokenExchangeAuthenticationToken.java

@@ -0,0 +1,53 @@
+package org.springframework.security.oauth2.provider.exchange;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.provider.ClientDetails;
+
+import java.util.Collection;
+
+/**
+ * Token that represents a token-exchange authentication request.
+ *
+ * Similar to {@link org.springframework.security.authentication.UsernamePasswordAuthenticationToken} where the principal
+ * represents the 'subject_token', but once authenticated, the principal represents the user, and the credentials represents
+ * the 'subject_token'.
+ *
+ * @author Ryan Murfitt
+ */
+public class TokenExchangeAuthenticationToken extends AbstractAuthenticationToken {
+
+    private final Object principal;
+    private final ClientDetails clientDetails;
+    private final Object credentials;
+
+    TokenExchangeAuthenticationToken(Object principal, ClientDetails clientDetails) {
+        super(null);
+        this.principal = principal;
+        this.credentials = null;
+        this.clientDetails = clientDetails;
+        this.setAuthenticated(false);
+    }
+
+    TokenExchangeAuthenticationToken(Object principal, Object credentials, ClientDetails clientDetails, Collection<? extends GrantedAuthority> authorities) {
+        super(authorities);
+        this.principal = principal;
+        this.credentials = credentials;
+        this.clientDetails = clientDetails;
+        this.setAuthenticated(true);
+    }
+
+    @Override
+    public Object getCredentials() {
+        return credentials;
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return principal;
+    }
+
+    public ClientDetails getClientDetails() {
+        return clientDetails;
+    }
+}