AuthorizationServerContext is accessible in custom consent controller

jgrandja · jgrandja · commit 9addcf65b3d7 · 2024-07-19T15:35:47.000-04:00
Closes spring-projectsgh-1668
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2023 the original author or authors.
+ * Copyright 2020-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -237,12 +237,15 @@ void setSessionAuthenticationStrategy(SessionAuthenticationStrategy sessionAuthe
 	void init(HttpSecurity httpSecurity) {
 		AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils
 			.getAuthorizationServerSettings(httpSecurity);
-		this.requestMatcher = new OrRequestMatcher(
-				new AntPathRequestMatcher(authorizationServerSettings.getAuthorizationEndpoint(),
-						HttpMethod.GET.name()),
-				new AntPathRequestMatcher(authorizationServerSettings.getAuthorizationEndpoint(),
-						HttpMethod.POST.name()));
-
+		List<RequestMatcher> requestMatchers = new ArrayList<>();
+		requestMatchers.add(new AntPathRequestMatcher(authorizationServerSettings.getAuthorizationEndpoint(),
+				HttpMethod.GET.name()));
+		requestMatchers.add(new AntPathRequestMatcher(authorizationServerSettings.getAuthorizationEndpoint(),
+				HttpMethod.POST.name()));
+		if (StringUtils.hasText(this.consentPage)) {
+			requestMatchers.add(new AntPathRequestMatcher(this.consentPage));
+		}
+		this.requestMatcher = new OrRequestMatcher(requestMatchers);
 		List<AuthenticationProvider> authenticationProviders = createDefaultAuthenticationProviders(httpSecurity);
 		if (!this.authenticationProviders.isEmpty()) {
 			authenticationProviders.addAll(0, this.authenticationProviders);
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
@@ -104,6 +104,7 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
+import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
 import org.springframework.security.oauth2.server.authorization.jackson2.TestingAuthenticationTokenMixin;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
@@ -125,11 +126,14 @@
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.stereotype.Controller;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
 import org.springframework.web.util.UriUtils;
@@ -746,6 +750,15 @@ public void requestWhenCustomConsentPageConfiguredThenRedirect() throws Exceptio
 		assertThat(authorization).isNotNull();
 	}
 
+	// gh-1668
+	@Test
+	public void requestWhenCustomConsentPageConfiguredThenAuthorizationServerContextIsAccessible() throws Exception {
+		this.spring.register(AuthorizationServerConfigurationCustomConsentPageAccessAuthorizationServerContext.class)
+			.autowire();
+
+		this.mvc.perform(get(consentPage).with(user("user"))).andExpect(status().isOk());
+	}
+
 	@Test
 	public void requestWhenCustomConsentCustomizerConfiguredThenUsed() throws Exception {
 		this.spring.register(AuthorizationServerConfigurationCustomConsentRequest.class).autowire();
@@ -1166,6 +1179,26 @@ SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) th
 
 	}
 
+	@EnableWebSecurity
+	@Configuration(proxyBeanMethods = false)
+	static class AuthorizationServerConfigurationCustomConsentPageAccessAuthorizationServerContext
+			extends AuthorizationServerConfigurationCustomConsentPage {
+
+		@Controller
+		class ConsentController {
+
+			@GetMapping("/oauth2/consent")
+			@ResponseBody
+			String consent() {
+				// Ensure the AuthorizationServerContext is accessible
+				AuthorizationServerContextHolder.getContext().getIssuer();
+				return "";
+			}
+
+		}
+
+	}
+
 	@EnableWebSecurity
 	@Configuration(proxyBeanMethods = false)
 	static class AuthorizationServerConfigurationCustomConsentRequest extends AuthorizationServerConfiguration {
