Merge pull request #35460 from sjohnr

* pr/35460:
  Polish "Add property defaults for Spring Authorization Server"
  Add property defaults for Spring Authorization Server

Closes gh-35460

Author: philwebb

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java

@@ -97,37 +97,37 @@ public static class Endpoint {
 		/**
 		 * Authorization Server's OAuth 2.0 Authorization Endpoint.
 		 */
-		private String authorizationUri;
+		private String authorizationUri = "/oauth2/authorize";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Device Authorization Endpoint.
 		 */
-		private String deviceAuthorizationUri;
+		private String deviceAuthorizationUri = "/oauth2/device_authorization";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Device Verification Endpoint.
 		 */
-		private String deviceVerificationUri;
+		private String deviceVerificationUri = "/oauth2/device_verification";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Token Endpoint.
 		 */
-		private String tokenUri;
+		private String tokenUri = "/oauth2/token";
 
 		/**
 		 * Authorization Server's JWK Set Endpoint.
 		 */
-		private String jwkSetUri;
+		private String jwkSetUri = "/oauth2/jwks";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Token Revocation Endpoint.
 		 */
-		private String tokenRevocationUri;
+		private String tokenRevocationUri = "/oauth2/revoke";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Token Introspection Endpoint.
 		 */
-		private String tokenIntrospectionUri;
+		private String tokenIntrospectionUri = "/oauth2/introspect";
 
 		/**
 		 * OpenID Connect 1.0 endpoints.
@@ -205,17 +205,17 @@ public static class OidcEndpoint {
 		/**
 		 * Authorization Server's OpenID Connect 1.0 Logout Endpoint.
 		 */
-		private String logoutUri;
+		private String logoutUri = "/connect/logout";
 
 		/**
 		 * Authorization Server's OpenID Connect 1.0 Client Registration Endpoint.
 		 */
-		private String clientRegistrationUri;
+		private String clientRegistrationUri = "/connect/register";
 
 		/**
 		 * Authorization Server's OpenID Connect 1.0 UserInfo Endpoint.
 		 */
-		private String userInfoUri;
+		private String userInfoUri = "/userinfo";
 
 		public String getLogoutUri() {
 			return this.logoutUri;
@@ -258,12 +258,12 @@ public static class Client {
 		 * Whether the client is required to provide a proof key challenge and verifier
 		 * when performing the Authorization Code Grant flow.
 		 */
-		private boolean requireProofKey;
+		private boolean requireProofKey = false;
 
 		/**
 		 * Whether authorization consent is required when the client requests access.
 		 */
-		private boolean requireAuthorizationConsent;
+		private boolean requireAuthorizationConsent = false;
 
 		/**
 		 * URL for the client's JSON Web Key Set.
@@ -444,17 +444,17 @@ public static class Token {
 		/**
 		 * Time-to-live for an authorization code.
 		 */
-		private Duration authorizationCodeTimeToLive;
+		private Duration authorizationCodeTimeToLive = Duration.ofMinutes(5);
 
 		/**
 		 * Time-to-live for an access token.
 		 */
-		private Duration accessTokenTimeToLive;
+		private Duration accessTokenTimeToLive = Duration.ofMinutes(5);
 
 		/**
 		 * Token format for an access token.
 		 */
-		private String accessTokenFormat;
+		private String accessTokenFormat = "self-contained";
 
 		/**
 		 * Time-to-live for a device code.
@@ -465,17 +465,17 @@ public static class Token {
 		 * Whether refresh tokens are reused or a new refresh token is issued when
 		 * returning the access token response.
 		 */
-		private boolean reuseRefreshTokens;
+		private boolean reuseRefreshTokens = true;
 
 		/**
 		 * Time-to-live for a refresh token.
 		 */
-		private Duration refreshTokenTimeToLive;
+		private Duration refreshTokenTimeToLive = Duration.ofMinutes(60);
 
 		/**
 		 * JWS algorithm for signing the ID Token.
 		 */
-		private String idTokenSignatureAlgorithm;
+		private String idTokenSignatureAlgorithm = "RS256";
 
 		public Duration getAuthorizationCodeTimeToLive() {
 			return this.authorizationCodeTimeToLive;

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesTests.java

@@ -18,6 +18,8 @@
 
 import org.junit.jupiter.api.Test;
 
+import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
+import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -73,9 +75,46 @@ void authorizationGrantTypesEmptyThrowsException() {
 	}
 
 	@Test
-	void defaultDeviceCodeTimeToLiveMatchesBuilderDefault() {
-		assertThat(new OAuth2AuthorizationServerProperties.Client().getToken().getDeviceCodeTimeToLive())
-			.isEqualTo(TokenSettings.builder().build().getDeviceCodeTimeToLive());
+	void defaultEndpointPropertiesMatchBuilderDefaults() {
+		OAuth2AuthorizationServerProperties.Endpoint properties = new OAuth2AuthorizationServerProperties.Endpoint();
+		AuthorizationServerSettings defaults = AuthorizationServerSettings.builder().build();
+		assertThat(properties.getAuthorizationUri()).isEqualTo(defaults.getAuthorizationEndpoint());
+		assertThat(properties.getDeviceAuthorizationUri()).isEqualTo(defaults.getDeviceAuthorizationEndpoint());
+		assertThat(properties.getDeviceVerificationUri()).isEqualTo(defaults.getDeviceVerificationEndpoint());
+		assertThat(properties.getTokenUri()).isEqualTo(defaults.getTokenEndpoint());
+		assertThat(properties.getJwkSetUri()).isEqualTo(defaults.getJwkSetEndpoint());
+		assertThat(properties.getTokenRevocationUri()).isEqualTo(defaults.getTokenRevocationEndpoint());
+		assertThat(properties.getTokenIntrospectionUri()).isEqualTo(defaults.getTokenIntrospectionEndpoint());
+		OAuth2AuthorizationServerProperties.OidcEndpoint oidc = properties.getOidc();
+		assertThat(oidc.getLogoutUri()).isEqualTo(defaults.getOidcLogoutEndpoint());
+		assertThat(oidc.getClientRegistrationUri()).isEqualTo(defaults.getOidcClientRegistrationEndpoint());
+		assertThat(oidc.getUserInfoUri()).isEqualTo(defaults.getOidcUserInfoEndpoint());
+	}
+
+	@Test
+	void defaultClientPropertiesMatchBuilderDefaults() {
+		OAuth2AuthorizationServerProperties.Client properties = new OAuth2AuthorizationServerProperties.Client();
+		ClientSettings defaults = ClientSettings.builder().build();
+		assertThat(properties.isRequireProofKey()).isEqualTo(defaults.isRequireProofKey());
+		assertThat(properties.isRequireAuthorizationConsent()).isEqualTo(defaults.isRequireAuthorizationConsent());
+		assertThat(properties.getJwkSetUri()).isEqualTo(defaults.getJwkSetUrl());
+		assertThat(properties.getTokenEndpointAuthenticationSigningAlgorithm())
+			.isEqualTo((defaults.getTokenEndpointAuthenticationSigningAlgorithm() != null)
+					? defaults.getTokenEndpointAuthenticationSigningAlgorithm().getName() : null);
+	}
+
+	@Test
+	void defaultTokenPropertiesMatchBuilderDefaults() {
+		OAuth2AuthorizationServerProperties.Token properties = new OAuth2AuthorizationServerProperties.Token();
+		TokenSettings defaults = TokenSettings.builder().build();
+		assertThat(properties.getAuthorizationCodeTimeToLive()).isEqualTo(defaults.getAuthorizationCodeTimeToLive());
+		assertThat(properties.getAccessTokenTimeToLive()).isEqualTo(defaults.getAccessTokenTimeToLive());
+		assertThat(properties.getAccessTokenFormat()).isEqualTo(defaults.getAccessTokenFormat().getValue());
+		assertThat(properties.getDeviceCodeTimeToLive()).isEqualTo(defaults.getDeviceCodeTimeToLive());
+		assertThat(properties.isReuseRefreshTokens()).isEqualTo(defaults.isReuseRefreshTokens());
+		assertThat(properties.getRefreshTokenTimeToLive()).isEqualTo(defaults.getRefreshTokenTimeToLive());
+		assertThat(properties.getIdTokenSignatureAlgorithm())
+			.isEqualTo(defaults.getIdTokenSignatureAlgorithm().getName());
 	}
 
 }