Fix to save after encoding the secret when registering the client #1056
this.registeredClientRepository.save(registeredClient); | ||
|
||
// Copy RegisteredClient and encode only secret | ||
String rawClientSecret = registeredClient.getClientSecret(); |
The extension point for customizing client metadata before it's saved to RegisteredClientRepository is OidcClientRegistrationAuthenticationProvider.setRegisteredClientConverter(). It's not currently documented in the reference manual but there is an open issue gh-1044 that provides sample code on how to configure.
@uc4w6c Not all I'm going to close this PR as the preference is to leverage the extension point
@jgrandja I don't want to customize the client metadata before saving it to the RegisteredClientRepository. I would like to solve the bug that the newly created client cannot be authenticated because the secret is not encoded at the time of client registration, but the secret is decoded at the time of client authentication. I have created a simple example below.
Line 116 in 67305ab
Also, if I were to encode the secret with the RegisteredClientConverter, the encoded secret would be returned as json in the response, which is not a desirable behavior.
You could customize the response by setting a custom I'm really not keen on exposing I'll re-open this to look into this further.
@jgrandja My explanation so far may have been difficult to understand, so I will describe the phenomenon again.
An error occurs.
The reason for the error is that the Pardon my broken English.
@jgrandja
Thank you for your patience @uc4w6c.
I'm really not keen on exposing OidcClientRegistrationAuthenticationProvider.setPasswordEncoder(). However, exposing OidcClientRegistrationAuthenticationProvider.setClientRegistrationConverter() might be the option to consider.
After further analysis, adding OidcClientRegistrationAuthenticationProvider.setPasswordEncoder() is the correct solution.
Please see review comments for requested changes.
@@ -26,6 +26,7 @@ | |||
import org.springframework.security.authentication.AuthenticationProvider; | |||
import org.springframework.security.config.annotation.ObjectPostProcessor; |
Please update copyright year to 2023
import java.util.Map; | ||
import java.util.Set; | ||
import java.util.UUID; | ||
import java.util.*; |
Please revert as wildcard imports are not allowed.
|
||
/** | ||
* Sets the {@link PasswordEncoder} used to validate | ||
* the {@link RegisteredClient#getClientSecret() client secret}. |
Please update the javadoc as the passwordencoder is not used to validate the clientSecret but instead used to encode the clientSecret.
Also, please add @since 1.1.0
if (rawClientSecret != null) { | ||
clientSecret = passwordEncoder.encode(rawClientSecret); | ||
} | ||
RegisteredClient saveRegisteredClient = RegisteredClient.withId(registeredClient.getId()) |
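Review bot: at `RegisteredClient.withId(registeredClient.getId())` the encoded copy is rebuilt field by field, so any property not repeated in the builder chain is missing from the client that gets saved. Also keep the encoded copy for `save(...)` only and build the registration response from the original `registeredClient`, since the client needs the raw secret and cannot use the encoded value.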
Use RegisteredClient.from(registeredClient) to make a copy and then update clientSecret. Also, the RegisteredClient should only be copied/updated if the clientSecret is set, otherwise it should use the original returned from the converter.
@@ -67,8 +69,7 @@ | |||
import static org.assertj.core.api.Assertions.assertThat; | |||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; | |||
import static org.assertj.core.api.Assertions.assertThatThrownBy; | |||
import static org.mockito.ArgumentMatchers.any; | |||
import static org.mockito.ArgumentMatchers.eq; | |||
import static org.mockito.ArgumentMatchers.*; |
Revert as wildcard imports are not allowed.
@@ -627,6 +650,60 @@ public void authenticateWhenValidAccessTokenThenReturnClientRegistration() { | |||
assertThat(clientRegistrationResult.getRegistrationAccessToken()).isEqualTo(jwt.getTokenValue()); | |||
} | |||
|
|||
@Test | |||
public void authenticateWhenSettingPasswordEncoder() { |
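Review bot: the test name `authenticateWhenSettingPasswordEncoder` states the condition but not the expected outcome, unlike `authenticateWhenValidAccessTokenThenReturnClientRegistration` in the hunk header. Rename it to the `...When...Then...` form so the name says what is asserted.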
Please remove this test and add an integration test to OidcClientRegistrationTests.
Here's a template of the test:
// gh-1056
@Test
public void requestWhenClientRegistersWithSecretThenClientAuthenticationSuccess() throws Exception {
// TODO Update the PasswordEncoder @Bean to PasswordEncoderFactories.createDelegatingPasswordEncoder()
this.spring.register(AuthorizationServerConfiguration.class).autowire();
// TODO
// Create new client with client_credentials grant
OidcClientRegistration clientRegistration = OidcClientRegistration.builder() ...
// Register client
OidcClientRegistration clientRegistrationResponse = registerClient(clientRegistration);
// TODO
// Use the newly registered client to obtain an access token using the client_credentials grant
// if the access token is obtained then client authentication succeeded
}
@@ -290,7 +291,6 @@ public void requestWhenClientConfigurationRequestAuthorizedThenClientRegistratio | |||
|
|||
assertThat(clientConfigurationResponse.getClientId()).isEqualTo(clientRegistrationResponse.getClientId()); | |||
assertThat(clientConfigurationResponse.getClientIdIssuedAt()).isEqualTo(clientRegistrationResponse.getClientIdIssuedAt()); | |||
assertThat(clientConfigurationResponse.getClientSecret()).isEqualTo(clientRegistrationResponse.getClientSecret()); |
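Review bot: with the `getClientSecret()` comparison on the last line no longer asserted, this test says nothing about the secret in the client configuration response. If the two responses are now expected to carry different values, assert that difference explicitly (or that the raw secret matches the stored one through the `PasswordEncoder`) instead of leaving the field unchecked.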
ClientConfigurationResponse.getClientSecret() returns the plain secret, but ClientRegistrationResponse.getClientSecret() returns the encoded secret, so do not assert.
@jgrandja
…nticationProvider Issue gh-1056
Thanks for the updates @uc4w6c. FYI, I added a polish commit with some minor updates. Also, the setPasswordEncoder() method could not be exposed in the patch releases
@jgrandja
In the Client Registration Endpoint, when the authentication method is client_secret_basic, client_secret_post or client_secret_jwt, it should encode the secret and save it.
Since it is currently stored as plain text, the client cannot issue tokens.
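The failure described above, reproduced as an added example (not code from this PR or from Spring Authorization Server): a hypothetical in-memory `ClientStore` stands in for the registration endpoint and the repository, and client authentication is assumed to compare secrets with `PasswordEncoder.matches()`. It needs Spring Security's crypto module on the classpath.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added illustration. ClientStore and its methods are hypothetical names that
// model client registration and client authentication; they are not project classes.
public class ClientSecretEncodingDemo {

    static class ClientStore {
        private final Map<String, String> secretsByClientId = new HashMap<>();
        private final PasswordEncoder encoder =
                PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // Behaviour reported in the PR: the raw secret is persisted unchanged.
        void registerStoringRaw(String clientId, String rawSecret) {
            secretsByClientId.put(clientId, rawSecret);
        }

        // Corrected behaviour: only the encoded form is persisted. The caller keeps
        // the raw value so it can be returned once in the registration response.
        void registerStoringEncoded(String clientId, String rawSecret) {
            secretsByClientId.put(clientId, encoder.encode(rawSecret));
        }

        String storedSecret(String clientId) {
            return secretsByClientId.get(clientId);
        }

        // Assumed model of client authentication: the presented secret is checked
        // against the stored value through the same PasswordEncoder.
        boolean authenticate(String clientId, String presentedSecret) {
            String stored = secretsByClientId.get(clientId);
            if (stored == null) {
                return false;
            }
            try {
                return encoder.matches(presentedSecret, stored);
            } catch (IllegalArgumentException ex) {
                // The delegating encoder rejects stored values that carry no "{id}"
                // prefix, which is exactly what a raw secret looks like.
                return false;
            }
        }
    }

    public static void main(String[] args) {
        ClientStore store = new ClientStore();
        String rawSecret = "constructed-sample-secret"; // constructed sample value

        store.registerStoringRaw("client-a", rawSecret);
        System.out.println("raw stored, authenticates:     "
                + store.authenticate("client-a", rawSecret));

        store.registerStoringEncoded("client-b", rawSecret);
        System.out.println("encoded stored, authenticates: "
                + store.authenticate("client-b", rawSecret));
        System.out.println("stored value differs from raw: "
                + !rawSecret.equals(store.storedSecret("client-b")));
    }
}
```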