
Commit 8354eea

fix : clarify basic token error messages and correct the postman sample
1 parent a5b47d0 commit 8354eea


4 files changed

+93
-90
lines changed

Lines changed: 7 additions & 6 deletions
@@ -12,13 +12,14 @@
1212
import java.util.Map;
1313

1414
@RequiredArgsConstructor
15-
public final class OpaqueGrantTypeAccessTokenRequestConverter implements AuthenticationConverter {
15+
public final class OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter implements AuthenticationConverter {
1616

1717
@Override
1818
public Authentication convert(HttpServletRequest request) {
1919

2020
Map<String, Object> allParameters = EasyPlusOAuth2EndpointUtils.getApiParametersContainingEasyPlusHeaders(request);
2121

22+
// ClientId is a must
2223
String clientId = allParameters.get("client_id").toString();
2324

2425
// All token requests are "CLIENT_SECRET_BASIC"
@@ -34,11 +35,11 @@ public Authentication convert(HttpServletRequest request) {
3435
allParameters.put(OAuth2AuthorizationRequest.class.getName(), authorizationRequest);
3536

3637
return new OAuth2ClientAuthenticationToken(
37-
clientId,
38-
clientAuthenticationMethod,
39-
credentials,
40-
allParameters
41-
);
38+
clientId,
39+
clientAuthenticationMethod,
40+
credentials,
41+
allParameters
42+
);
4243
}
4344

4445

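--- a/lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/provider/auth/endpoint/OpaqueGrantTypeAuthenticationProvider.java
+++ b/lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/provider/auth/endpoint/OpaqueGrantTypeAuthenticationProvider.java
@@ -53,18 +53,16 @@ public Authentication authenticate(Authentication authentication)
 try {
 if (authentication instanceof OAuth2ClientAuthenticationToken token) {
 
-// [NOTICE] If an incorrect client ID or Secret is detected, the OpaqueGrantTypeAccessTokenRequestConverter is not be invoked, which means there is NO additional parameters.
+// [NOTICE] If an incorrect client ID or Secret is detected, the OpaqueGrantTypeAccessTokenRequestConverter is not be invoked, which means there is NO mandatory client_id header parameter.
 // For reference, if an incorrect Basic header, such as base64(client_id:<--no secret here-->), is detected, the ClientSecretBasicAuthenticationConverter handles it directly and passes it to the AuthenticationFailureHandler.
-if (token.getAdditionalParameters() == null || token.getAdditionalParameters().isEmpty()) {
-throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("No additional parameters found. OpaqueGrantTypeAccessTokenRequestConverter was not invoked. This may indicate an incorrect client_id.").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
+String clientId = token.getAdditionalParameters().getOrDefault("client_id", "").toString();
+if (clientId.isEmpty()) {
+throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("Invalid Request. OpaqueGrantTypeAccessTokenRequestConverter was not invoked. This may indicate incorrect payloads.").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
 }
 
 Map<String, Object> modifiableAdditionalParameters = new HashMap<>(token.getAdditionalParameters());
 
-String clientId = modifiableAdditionalParameters.getOrDefault("client_id", "").toString();
-if (clientId.isEmpty()) {
-throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("No client_id key found").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
-}
+
 UserDetails userDetails;
 
 String grantType = modifiableAdditionalParameters.getOrDefault("grant_type", "").toString();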
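Review bot: The comment at 56+ and the error message at 60+ still name `OpaqueGrantTypeAccessTokenRequestConverter`, but this same commit renames that class to `OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter` (see the EasyPlusServerConfig hunks), so the text an operator reads when diagnosing a failed token request points at a class that no longer exists; use `"Invalid Request. OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter was not invoked. This may indicate incorrect payloads."` and the same substitution in the comment (also "is not be invoked" → "is not invoked"). The new check at 58+ drops the old `token.getAdditionalParameters() == null` guard, which is only safe if the token constructor normalises a null map to an empty one — the hunk does not show that, so either keep the null check or add a comment stating why it is unnecessary. Separately, the converter this message blames dereferences `allParameters.get("client_id").toString()` with no guard (line 23 of the converter hunk above), so a request that reaches the converter without `client_id` fails with a NullPointerException and never produces this message; the two components should agree on where a missing `client_id` is rejected. authenticate's body continues outside the hunk.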

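--- a/lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/server/EasyPlusServerConfig.java
+++ b/lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/server/EasyPlusServerConfig.java
@@ -4,7 +4,7 @@
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.aop.DefaultSecurityPointCut;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.aop.SecurityPointCut;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint.AuthorizationCodeAuthorizationRequestConverter;
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint.OpaqueGrantTypeAccessTokenRequestConverter;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint.OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint.IntrospectionRequestConverter;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.dao.EasyPlusAuthorizationConsentRepository;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.introspector.DefaultResourceServerTokenIntrospector;
@@ -145,7 +145,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(
 .tokenEndpoint(tokenEndpoint ->
 tokenEndpoint
 // Converter
-.accessTokenRequestConverter(new OpaqueGrantTypeAccessTokenRequestConverter())
+.accessTokenRequestConverter(new OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter())
 // Provider
 .authenticationProvider(new OpaqueGrantTypeAuthenticationProvider(
 commonOAuth2AuthorizationSaver, conditionalDetailsService, oauth2AuthenticationHashCheckService,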

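--- a/postman/sc-oauth2-pji.postman_collection.json
+++ b/postman/sc-oauth2-pji.postman_collection.json
@@ -175,17 +175,6 @@
 "key": "grant_type",
 "value": "password",
 "type": "text"
-},
-{
-"key": "otp_value",
-"value": "555555",
-"type": "text"
-},
-{
-"key": "",
-"value": "aaab",
-"type": "text",
-"disabled": true
 }
 ]
 },
@@ -204,7 +193,7 @@
 "response": []
 },
 {
-"name": "oauth2/token (Authorization code)",
+"name": "oauth2/token (Access Token, Response Type = code)",
 "protocolProfileBehavior": {
 "disabledSystemHeaders": {
 "accept-encoding": true,
@@ -256,29 +245,97 @@
 {
 "key": "username",
 "value": "[email protected]",
-"type": "text",
-"disabled": true
+"type": "text"
 },
 {
 "key": "password",
 "value": "1234",
-"type": "text",
-"disabled": true
+"type": "text"
 },
 {
 "key": "grant_type",
+"value": "password",
+"type": "text"
+},
+{
+"key": "response_type",
 "value": "code",
 "type": "text"
+}
+]
+},
+"url": {
+"raw": "{{PROTOCOL}}://{{HOST}}/oauth2/token",
+"protocol": "{{PROTOCOL}}",
+"host": [
+"{{HOST}}"
+],
+"path": [
+"oauth2",
+"token"
+]
+}
+},
+"response": []
+},
+{
+"name": "oauth2/token (Authorization code)",
+"protocolProfileBehavior": {
+"disabledSystemHeaders": {
+"accept-encoding": true,
+"content-type": true,
+"accept": true,
+"connection": true
+}
+},
+"request": {
+"auth": {
+"type": "basic",
+"basic": [
+{
+"key": "username",
+"value": "client_customer",
+"type": "string"
 },
 {
-"key": "otp_value",
-"value": "555555",
-"type": "text",
-"disabled": true
+"key": "password",
+"value": "12345",
+"type": "string"
+}
+]
+},
+"method": "POST",
+"header": [
+{
+"key": "Accept",
+"value": "application/json"
+},
+{
+"key": "X-Requested-With",
+"value": "XMLHttpRequest",
+"disabled": true
+},
+{
+"key": "Content-Type",
+"value": "application/x-www-form-urlencoded"
+},
+{
+"key": "App-Token",
+"value": "aaa",
+"type": "text"
+}
+],
+"body": {
+"mode": "urlencoded",
+"urlencoded": [
+{
+"key": "grant_type",
+"value": "authorization_code",
+"type": "text"
 },
 {
 "key": "code",
-"value": "dab73d72-e27d-4018-88f2-36e4f342221d",
+"value": "692b2017-d14a-4279-b673-371c24fb18951",
 "type": "text"
 }
 ]
@@ -342,33 +399,9 @@
 "body": {
 "mode": "urlencoded",
 "urlencoded": [
-{
-"key": "username",
-"value": "[email protected]",
-"type": "text",
-"disabled": true
-},
-{
-"key": "password",
-"value": "ged22sgesA",
-"type": "text",
-"disabled": true
-},
-{
-"key": "grant_type",
-"value": "password",
-"type": "text",
-"disabled": true
-},
-{
-"key": "otp_value",
-"value": "555555",
-"type": "text",
-"disabled": true
-},
 {
 "key": "token",
-"value": "rVI-3U176t2RfP5U0fqmJrCjaWPYg1loD25rKsrcT2rfG2cpfhJYjloapw9MGVbGNTYWN_U_8uPG9nlFrt_96DFb2SKhRIzxTQqieh7xQxNzs1SkBLZuxZ4YlobASwfC",
+"value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaWNkQHRlc3QuY29tIiwiYXVkIjoiY2xpZW50X2N1c3RvbWVyIiwibmJmIjoxNzM2NTY3NjI4LCJzY29wZSI6WyJyZWFkIiwib3BlbmlkIiwicHJvZmlsZSIsIndyaXRlIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODM3MCIsImV4cCI6MTczNjU2ODIyOCwiaWF0IjoxNzM2NTY3NjI4LCJqdGkiOiJiZTg1MmVmNi00OWU1LTQ1NDMtYjMyOC00MDQ2OWI2MzVmZTUiLCJjbGllbnRfaWQiOiJjbGllbnRfY3VzdG9tZXIiLCJ1c2VybmFtZSI6ImNpY2RAdGVzdC5jb20ifQ.D2NfJuDDcBqP_zp7AbYdwxdP033h18Pu-oVm72RR8to1",
 "type": "text"
 }
 ]
@@ -437,22 +470,10 @@
 "value": "e1f3f851-30a2-491c-8c7e-040350029061",
 "type": "text"
 },
-{
-"key": "password",
-"value": "#ys350791A",
-"type": "text",
-"disabled": true
-},
 {
 "key": "grant_type",
 "value": "refresh_token",
 "type": "text"
-},
-{
-"key": "otp_value",
-"value": "555555",
-"type": "text",
-"disabled": true
 }
 ]
 },
@@ -502,11 +523,6 @@
 "key": "Accept",
 "value": "application/json"
 },
-{
-"key": "X-Requested-With",
-"value": "XMLHttpRequest",
-"disabled": true
-},
 {
 "key": "Content-Type",
 "value": "application/x-www-form-urlencoded"
@@ -520,22 +536,10 @@
 "value": "e1f3f851-30a2-491c-8c7e-040350029061",
 "type": "text"
 },
-{
-"key": "password",
-"value": "#ys350791A",
-"type": "text",
-"disabled": true
-},
 {
 "key": "grant_type",
 "value": "refresh_token",
 "type": "text"
-},
-{
-"key": "otp_value",
-"value": "555555",
-"type": "text",
-"disabled": true
 }
 ]
 },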
