Introduce OAuth2AuthorizationRequest.attributes

Fixes gh-5940

Author: jgrandja

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -146,14 +146,14 @@ public void configureWhenAuthorizationCodeResponseSuccessThenAuthorizedClientSav
 		this.spring.register(OAuth2ClientConfig.class).autowire();
 
 		// Setup the Authorization Request in the session
-		Map<String, Object> additionalParameters = new HashMap<>();
-		additionalParameters.put(OAuth2ParameterNames.REGISTRATION_ID, this.registration1.getRegistrationId());
+		Map<String, Object> attributes = new HashMap<>();
+		attributes.put(OAuth2ParameterNames.REGISTRATION_ID, this.registration1.getRegistrationId());
 		OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
 				.authorizationUri(this.registration1.getProviderDetails().getAuthorizationUri())
 				.clientId(this.registration1.getClientId())
 				.redirectUri("http://localhost/client-1")
 				.state("state")
-				.additionalParameters(additionalParameters)
+				.attributes(attributes)
 				.build();
 
 		AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository =

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -473,7 +473,7 @@ private OAuth2AuthorizationRequest createOAuth2AuthorizationRequest(ClientRegist
 				.clientId(registration.getClientId())
 				.state("state123")
 				.redirectUri("http://localhost")
-				.additionalParameters(
+				.attributes(
 						Collections.singletonMap(
 								OAuth2ParameterNames.REGISTRATION_ID,
 								registration.getRegistrationId()))

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -115,16 +115,16 @@ private OAuth2AuthorizationRequest resolve(HttpServletRequest request, String re
 
 		String redirectUriStr = this.expandRedirectUri(request, clientRegistration, redirectUriAction);
 
-		Map<String, Object> additionalParameters = new HashMap<>();
-		additionalParameters.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId());
+		Map<String, Object> attributes = new HashMap<>();
+		attributes.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId());
 
 		OAuth2AuthorizationRequest authorizationRequest = builder
 				.clientId(clientRegistration.getClientId())
 				.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
 				.redirectUri(redirectUriStr)
 				.scopes(clientRegistration.getScopes())
 				.state(this.stateGenerator.generateKey())
-				.additionalParameters(additionalParameters)
+				.attributes(attributes)
 				.build();
 
 		return authorizationRequest;

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationCodeGrantFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -161,7 +161,7 @@ private void processAuthorizationResponse(HttpServletRequest request, HttpServle
 		OAuth2AuthorizationRequest authorizationRequest =
 				this.authorizationRequestRepository.removeAuthorizationRequest(request, response);
 
-		String registrationId = (String) authorizationRequest.getAdditionalParameters().get(OAuth2ParameterNames.REGISTRATION_ID);
+		String registrationId = authorizationRequest.getAttribute(OAuth2ParameterNames.REGISTRATION_ID);
 		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
 
 		MultiValueMap<String, String> params = OAuth2AuthorizationResponseUtils.toMultiMap(request.getParameterMap());

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -165,7 +165,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 			throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
 		}
 
-		String registrationId = (String) authorizationRequest.getAdditionalParameters().get(OAuth2ParameterNames.REGISTRATION_ID);
+		String registrationId = authorizationRequest.getAttribute(OAuth2ParameterNames.REGISTRATION_ID);
 		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
 		if (clientRegistration == null) {
 			OAuth2Error oauth2Error = new OAuth2Error(CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE,

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -118,9 +118,8 @@ private OAuth2AuthorizationRequest authorizationRequest(ServerWebExchange exchan
 		String redirectUriStr = this
 					.expandRedirectUri(exchange.getRequest(), clientRegistration);
 
-		Map<String, Object> additionalParameters = new HashMap<>();
-		additionalParameters.put(OAuth2ParameterNames.REGISTRATION_ID,
-				clientRegistration.getRegistrationId());
+		Map<String, Object> attributes = new HashMap<>();
+		attributes.put(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId());
 
 		OAuth2AuthorizationRequest.Builder builder;
 		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
@@ -139,7 +138,7 @@ else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizat
 				.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
 				.redirectUri(redirectUriStr).scopes(clientRegistration.getScopes())
 				.state(this.stateGenerator.generateKey())
-				.additionalParameters(additionalParameters)
+				.attributes(attributes)
 				.build();
 	}
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -85,9 +85,9 @@ private <T> Mono<T> oauth2AuthorizationException(String errorCode) {
 
 	private Mono<OAuth2AuthorizationCodeAuthenticationToken> authenticationRequest(ServerWebExchange exchange, OAuth2AuthorizationRequest authorizationRequest) {
 		return Mono.just(authorizationRequest)
-				.map(OAuth2AuthorizationRequest::getAdditionalParameters)
-				.flatMap(additionalParams -> {
-					String id = (String) additionalParams.get(OAuth2ParameterNames.REGISTRATION_ID);
+				.map(OAuth2AuthorizationRequest::getAttributes)
+				.flatMap(attributes -> {
+					String id = (String) attributes.get(OAuth2ParameterNames.REGISTRATION_ID);
 					if (id == null) {
 						return oauth2AuthorizationException(CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE);
 					}

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -105,7 +105,8 @@ public void resolveWhenAuthorizationRequestWithValidClientThenResolves() {
 				.isEqualTo("http://localhost/login/oauth2/code/" + clientRegistration.getRegistrationId());
 		assertThat(authorizationRequest.getScopes()).isEqualTo(clientRegistration.getScopes());
 		assertThat(authorizationRequest.getState()).isNotNull();
-		assertThat(authorizationRequest.getAdditionalParameters())
+		assertThat(authorizationRequest.getAdditionalParameters()).doesNotContainKey(OAuth2ParameterNames.REGISTRATION_ID);
+		assertThat(authorizationRequest.getAttributes())
 				.containsExactly(entry(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId()));
 		assertThat(authorizationRequest.getAuthorizationRequestUri())
 				.matches("https://example.com/login/oauth/authorize\\?" +
@@ -123,7 +124,7 @@ public void resolveWhenClientAuthorizationRequiredExceptionAvailableThenResolves
 
 		OAuth2AuthorizationRequest authorizationRequest = this.resolver.resolve(request, clientRegistration.getRegistrationId());
 		assertThat(authorizationRequest).isNotNull();
-		assertThat(authorizationRequest.getAdditionalParameters())
+		assertThat(authorizationRequest.getAttributes())
 				.containsExactly(entry(OAuth2ParameterNames.REGISTRATION_ID, clientRegistration.getRegistrationId()));
 	}
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilterTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -402,15 +402,15 @@ public void doFilterWhenAuthorizationResponseHasNonDefaultPortThenRedirectUriMat
 
 	private void setUpAuthorizationRequest(HttpServletRequest request, HttpServletResponse response,
 											ClientRegistration registration, String state) {
-		Map<String, Object> additionalParameters = new HashMap<>();
-		additionalParameters.put(OAuth2ParameterNames.REGISTRATION_ID, registration.getRegistrationId());
+		Map<String, Object> attributes = new HashMap<>();
+		attributes.put(OAuth2ParameterNames.REGISTRATION_ID, registration.getRegistrationId());
 		OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
 				.authorizationUri(registration.getProviderDetails().getAuthorizationUri())
 				.clientId(registration.getClientId())
 				.redirectUri(expandRedirectUri(request, registration))
 				.scopes(registration.getScopes())
 				.state(state)
-				.additionalParameters(additionalParameters)
+				.attributes(attributes)
 				.build();
 		this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, request, response);
 	}

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/server/ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -74,7 +74,7 @@ public class ServerOAuth2AuthorizationCodeAuthenticationTokenConverterTest {
 			.clientId("client-id")
 			.redirectUri("http://localhost/client-1")
 			.state("state")
-			.additionalParameters(Collections.singletonMap(OAuth2ParameterNames.REGISTRATION_ID, this.clientRegistrationId));
+			.attributes(Collections.singletonMap(OAuth2ParameterNames.REGISTRATION_ID, this.clientRegistrationId));
 
 	private final MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/");
 
@@ -95,8 +95,8 @@ public void applyWhenAuthorizationRequestEmptyThenOAuth2AuthorizationException()
 	}
 
 	@Test
-	public void applyWhenAdditionalParametersMissingThenOAuth2AuthorizationException() {
-		this.authorizationRequest.additionalParameters(Collections.emptyMap());
+	public void applyWhenAttributesMissingThenOAuth2AuthorizationException() {
+		this.authorizationRequest.attributes(Collections.emptyMap());
 		when(this.authorizationRequestRepository.removeAuthorizationRequest(any())).thenReturn(Mono.just(this.authorizationRequest.build()));
 
 		assertThatThrownBy(() -> applyConverter())

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,15 @@
  */
 package org.springframework.security.oauth2.core.endpoint;
 
+import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+import org.springframework.web.util.UriComponentsBuilder;
+
 import java.io.Serializable;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
@@ -25,15 +34,6 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
-import org.springframework.security.core.SpringSecurityCoreVersion;
-import org.springframework.security.oauth2.core.AuthorizationGrantType;
-import org.springframework.util.Assert;
-import org.springframework.util.CollectionUtils;
-import org.springframework.util.LinkedMultiValueMap;
-import org.springframework.util.MultiValueMap;
-import org.springframework.util.StringUtils;
-import org.springframework.web.util.UriComponentsBuilder;
-
 /**
  * A representation of an OAuth 2.0 Authorization Request
  * for the authorization code grant type or implicit grant type.
@@ -56,6 +56,7 @@ public final class OAuth2AuthorizationRequest implements Serializable {
 	private String state;
 	private Map<String, Object> additionalParameters;
 	private String authorizationRequestUri;
+	private Map<String, Object> attributes;
 
 	private OAuth2AuthorizationRequest() {
 	}
@@ -132,6 +133,29 @@ public Map<String, Object> getAdditionalParameters() {
 		return this.additionalParameters;
 	}
 
+	/**
+	 * Returns the attributes associated to the request.
+	 *
+	 * @since 5.2
+	 * @return a {@code Map} of the attributes associated to the request
+	 */
+	public Map<String, Object> getAttributes() {
+		return this.attributes;
+	}
+
+	/**
+	 * Returns the value of an attribute associated to the request, or {@code null} if not available.
+	 *
+	 * @since 5.2
+	 * @param name the name of the attribute
+	 * @param <T> the type of the attribute
+	 * @return the value of the attribute associated to the request
+	 */
+	@SuppressWarnings("unchecked")
+	public <T> T getAttribute(String name) {
+		return (T) this.getAttributes().get(name);
+	}
+
 	/**
 	 * Returns the {@code URI} string representation of the OAuth 2.0 Authorization Request.
 	 *
@@ -181,7 +205,8 @@ public static Builder from(OAuth2AuthorizationRequest authorizationRequest) {
 				.redirectUri(authorizationRequest.getRedirectUri())
 				.scopes(authorizationRequest.getScopes())
 				.state(authorizationRequest.getState())
-				.additionalParameters(authorizationRequest.getAdditionalParameters());
+				.additionalParameters(authorizationRequest.getAdditionalParameters())
+				.attributes(authorizationRequest.getAttributes());
 	}
 
 	/**
@@ -197,6 +222,7 @@ public static class Builder {
 		private String state;
 		private Map<String, Object> additionalParameters;
 		private String authorizationRequestUri;
+		private Map<String, Object> attributes;
 
 		private Builder(AuthorizationGrantType authorizationGrantType) {
 			Assert.notNull(authorizationGrantType, "authorizationGrantType cannot be null");
@@ -288,6 +314,18 @@ public Builder additionalParameters(Map<String, Object> additionalParameters) {
 			return this;
 		}
 
+		/**
+		 * Sets the attributes associated to the request.
+		 *
+		 * @since 5.2
+		 * @param attributes the attributes associated to the request
+		 * @return the {@link Builder}
+		 */
+		public Builder attributes(Map<String, Object> attributes) {
+			this.attributes = attributes;
+			return this;
+		}
+
 		/**
 		 * Sets the {@code URI} string representation of the OAuth 2.0 Authorization Request.
 		 *
@@ -332,6 +370,9 @@ public OAuth2AuthorizationRequest build() {
 			authorizationRequest.authorizationRequestUri =
 					StringUtils.hasText(this.authorizationRequestUri) ?
 						this.authorizationRequestUri : this.buildAuthorizationRequestUri();
+			authorizationRequest.attributes = Collections.unmodifiableMap(
+					CollectionUtils.isEmpty(this.attributes) ?
+							Collections.emptyMap() : new LinkedHashMap<>(this.attributes));
 
 			return authorizationRequest;
 		}
@@ -351,9 +392,7 @@ private String buildAuthorizationRequestUri() {
 				parameters.set(OAuth2ParameterNames.REDIRECT_URI, this.redirectUri);
 			}
 			if (!CollectionUtils.isEmpty(this.additionalParameters)) {
-				this.additionalParameters.entrySet().stream()
-						.filter(e -> !e.getKey().equals(OAuth2ParameterNames.REGISTRATION_ID))
-						.forEach(e -> parameters.set(e.getKey(), e.getValue().toString()));
+				this.additionalParameters.forEach((k, v) -> parameters.set(k, v.toString()));
 			}
 
 			return UriComponentsBuilder.fromHttpUrl(this.authorizationUri)