Polish ClientRegistrations, (Reactive)JwtDecoders

Simplifed some of the branching logic in the implementations. Updated
the JavaDocs. Simplified some of the test support.

Issue: gh-6500

Author: jzheaux

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java

@@ -16,26 +16,31 @@
 
 package org.springframework.security.oauth2.client.registration;
 
+import java.net.URI;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
 import com.nimbusds.oauth2.sdk.GrantType;
 import com.nimbusds.oauth2.sdk.ParseException;
 import com.nimbusds.oauth2.sdk.Scope;
 import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import net.minidev.json.JSONObject;
+
+import org.springframework.core.ParameterizedTypeReference;
+import org.springframework.http.RequestEntity;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.util.Assert;
+import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
 import org.springframework.web.util.UriComponentsBuilder;
 
-import java.net.URI;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.LinkedHashMap;
-import java.util.List;
-import java.util.Map;
-
 /**
  * Allows creating a {@link ClientRegistration.Builder} from an
  * <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig">OpenID Provider Configuration</a>
@@ -49,11 +54,10 @@
  */
 public final class ClientRegistrations {
 	private static final String OIDC_METADATA_PATH = "/.well-known/openid-configuration";
-	private static final String OAUTH2_METADATA_PATH = "/.well-known/oauth-authorization-server";
-
-	enum ProviderType {
-		OIDCV1, OIDC, OAUTH2;
-	}
+	private static final String OAUTH_METADATA_PATH = "/.well-known/oauth-authorization-server";
+	private static final RestTemplate rest = new RestTemplate();
+	private static final ParameterizedTypeReference<Map<String, Object>> typeReference =
+			new ParameterizedTypeReference<Map<String, Object>>() {};
 
 	/**
 	 * Creates a {@link ClientRegistration.Builder}  using the provided
@@ -63,12 +67,6 @@ enum ProviderType {
 	 * <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse">OpenID
 	 * Provider Configuration Response</a> to initialize the {@link ClientRegistration.Builder}.
 	 *
-	 * When deployed in legacy environments using OpenID Connect Discovery 1.0 and if the provided issuer has
-	 * a path i.e. /issuer1 then as per <a href="https://tools.ietf.org/html/rfc8414#section-5">Compatibility Notes</a>
-	 * first make an <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest">OpenID Provider
-	 * Configuration Request</a> using path /.well-known/openid-configuration/issuer1 and only if the retrieval
-	 * fail then a subsequent request to path /issuer1/.well-known/openid-configuration should be made.
-	 *
 	 * <p>
 	 * For example, if the issuer provided is "https://example.com", then an "OpenID Provider Configuration Request" will
 	 * be made to "https://example.com/.well-known/openid-configuration". The result is expected to be an "OpenID
@@ -88,42 +86,41 @@ enum ProviderType {
 	 * @return a {@link ClientRegistration.Builder} that was initialized by the OpenID Provider Configuration.
 	 */
 	public static ClientRegistration.Builder fromOidcIssuerLocation(String issuer) {
-		Map<ProviderType, String> configuration = getIssuerConfiguration(issuer, OIDC_METADATA_PATH);
-		OIDCProviderMetadata metadata = parse(configuration.get(ProviderType.OIDCV1), OIDCProviderMetadata::parse);
+		Assert.hasText(issuer, "issuer cannot be empty");
+		Map<String, Object> configuration = getConfiguration(issuer, oidc(URI.create(issuer)));
+		OIDCProviderMetadata metadata = parse(configuration, OIDCProviderMetadata::parse);
 		return withProviderConfiguration(metadata, issuer)
 				.userInfoUri(metadata.getUserInfoEndpointURI().toASCIIString());
 	}
 
 	/**
-	 * Unlike <strong>fromOidcIssuerLocation</strong> the <strong>fromIssuerLocation</strong> queries three different endpoints and uses the
-	 * returned response from whichever that returns successfully. When <strong>fromIssuerLocation</strong> is invoked with an issuer
-	 * the following sequence of actions take place
+	 * Creates a {@link ClientRegistration.Builder}  using the provided
+	 * <a href="https://openid.net/specs/openid-connect-core-1_0.html#IssuerIdentifier">Issuer</a> by querying
+	 * three different discovery endpoints serially, using the values in the first successful response to
+	 * initialize. If an endpoint returns anything other than a 200 or a 4xx, the method will exit without
+	 * attempting subsequent endpoints.
+	 *
+	 * The three endpoints are computed as follows, given that the {@code issuer} is composed of a {@code host}
+	 * and a {@code path}:
 	 *
 	 * <ol>
 	 * 	<li>
-	 *     The first request is made against <i>{host}/.well-known/openid-configuration/issuer1</i> where issuer is equal to
-	 *     <strong>issuer1</strong>. See <a href="https://tools.ietf.org/html/rfc8414#section-5">Compatibility Notes</a> of RFC 8414
-	 *     specification for more details.
+	 * 	   {@code host/.well-known/openid-configuration/path}, as defined in
+	 * 	   <a href="https://tools.ietf.org/html/rfc8414#section-5">RFC 8414's Compatibility Notes</a>.
 	 *  </li>
 	 *  <li>
-	 *  	If the first attempt request returned non-Success (i.e. 200 status code) response then based on <strong>Compatibility Notes</strong> of
-	 *  <strong>RFC 8414</strong> a fallback <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest">
-	 *  OpenID Provider Configuration Request</a> is made to <i>{host}/issuer1/.well-known/openid-configuration</i>
+	 *      {@code issuer/.well-known/openid-configuration}, as defined in
+	 *  	<a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest">
+	 * 	    OpenID Provider Configuration</a>.
 	 *  </li>
 	 *  <li>
-	 *  	If the second attempted request returns a non-Success (i.e. 200 status code) response then based a final
-	 *  <a href="https://tools.ietf.org/html/rfc8414#section-3.1">Authorization Server Metadata Request</a> is being made to
-	 *  <i>{host}/.well-known/oauth-authorization-server/issuer1</i>.
+	 *      {@code host/.well-known/oauth-authorization-server/path}, as defined in
+	 *  	<a href="https://tools.ietf.org/html/rfc8414#section-3.1">Authorization Server Metadata Request</a>.
 	 *  </li>
 	 * </ol>
 	 *
-	 *
-	 * As explained above, <strong>fromIssuerLocation</strong> would behave the exact same way as <strong>fromOidcIssuerLocation</strong> and that is
-	 * because <strong>fromIssuerLocation</strong> does the exact same processing as <strong>fromOidcIssuerLocation</strong> behind the scene. Use of
-	 * <strong>fromIssuerLocation</strong> is encouraged due to the fact that it is well-aligned with RFC 8414 specification and more specifically
-	 * it queries latest OIDC metadata endpoint with a fallback to legacy OIDC v1 discovery endpoint.
-	 *
-	 * The <strong>fromIssuerLocation</strong> is based on <a href="https://tools.ietf.org/html/rfc8414">RFC 8414</a> specification.
+	 * Note that the second endpoint is the equivalent of calling
+	 * {@link ClientRegistrations#fromOidcIssuerLocation(String)}.
 	 *
 	 * <p>
 	 * Example usage:
@@ -136,24 +133,65 @@ public static ClientRegistration.Builder fromOidcIssuerLocation(String issuer) {
 	 * </pre>
 	 *
 	 * @param issuer
-	 * @return a {@link ClientRegistration.Builder} that was initialized by the Authorization Sever Metadata Provider
+	 * @return a {@link ClientRegistration.Builder} that was initialized by one of the described endpoints
 	 */
 	public static ClientRegistration.Builder fromIssuerLocation(String issuer) {
-		Map<ProviderType, String> configuration = getIssuerConfiguration(issuer, OIDC_METADATA_PATH, OAUTH2_METADATA_PATH);
+		Assert.hasText(issuer, "issuer cannot be empty");
+		URI uri = URI.create(issuer);
+		Map<String, Object> configuration = getConfiguration(issuer, oidc(uri), oidcRfc8414(uri), oauth(uri));
+		AuthorizationServerMetadata metadata = parse(configuration, AuthorizationServerMetadata::parse);
+		ClientRegistration.Builder builder = withProviderConfiguration(metadata, issuer);
+		return Optional.ofNullable((String) configuration.get("userinfo_endpoint"))
+				.map(builder::userInfoUri).orElse(builder);
+	}
 
-		if (configuration.containsKey(ProviderType.OAUTH2)) {
-			AuthorizationServerMetadata metadata = parse(configuration.get(ProviderType.OAUTH2), AuthorizationServerMetadata::parse);
-			ClientRegistration.Builder builder = withProviderConfiguration(metadata, issuer);
-			return builder;
-		} else {
-			String response = configuration.getOrDefault(ProviderType.OIDC, configuration.get(ProviderType.OIDCV1));
-			OIDCProviderMetadata metadata = parse(response, OIDCProviderMetadata::parse);
-			ClientRegistration.Builder builder = withProviderConfiguration(metadata, issuer)
-					.userInfoUri(metadata.getUserInfoEndpointURI().toASCIIString());
-			return builder;
+	private static URI oidc(URI issuer) {
+		return UriComponentsBuilder.fromUri(issuer)
+				.replacePath(issuer.getPath() + OIDC_METADATA_PATH).build(Collections.emptyMap());
+	}
+
+	private static URI oidcRfc8414(URI issuer) {
+		return UriComponentsBuilder.fromUri(issuer)
+				.replacePath(OIDC_METADATA_PATH + issuer.getPath()).build(Collections.emptyMap());
+	}
+
+	private static URI oauth(URI issuer) {
+		return UriComponentsBuilder.fromUri(issuer)
+				.replacePath(OAUTH_METADATA_PATH + issuer.getPath()).build(Collections.emptyMap());
+	}
+
+	private static Map<String, Object> getConfiguration(String issuer, URI... uris) {
+		String errorMessage = "Unable to resolve Configuration with the provided Issuer of \"" + issuer + "\"";
+		for (URI uri : uris) {
+			try {
+				RequestEntity<Void> request = RequestEntity.get(uri).build();
+				return rest.exchange(request, typeReference).getBody();
+			} catch (HttpClientErrorException e) {
+				if (!e.getStatusCode().is4xxClientError()) {
+					throw e;
+				}
+				// else try another endpoint
+			} catch (RuntimeException e) {
+				throw new IllegalArgumentException(errorMessage, e);
+			}
+		}
+		throw new IllegalArgumentException(errorMessage);
+	}
+
+	private static <T> T parse(Map<String, Object> body,
+			ThrowingFunction<JSONObject, T, ParseException> parser) {
+
+		try {
+			return parser.apply(new JSONObject(body));
+		} catch (ParseException e) {
+			throw new RuntimeException(e);
 		}
 	}
 
+	private interface ThrowingFunction<S, T, E extends Throwable> {
+		T apply(S src) throws E;
+	}
+
 	private static ClientRegistration.Builder withProviderConfiguration(AuthorizationServerMetadata metadata, String issuer) {
 		String metadataIssuer = metadata.getIssuer().getValue();
 		if (!issuer.equals(metadataIssuer)) {
@@ -185,112 +223,6 @@ private static ClientRegistration.Builder withProviderConfiguration(Authorizatio
 				.clientName(issuer);
 	}
 
-	/**
-	 * When the length of paths is equal to one (1) then it's a request for OpenId v1 discovery endpoint
-	 * hence the request is made to <strong>{host}/issuer1/.well-known/openid-configuration</strong>.
-	 * Otherwise, all three (3) metadata endpoints are queried one after another.
-	 *
-	 * @param issuer
-	 * @param paths
-	 * @throws IllegalArgumentException if the paths is null or empty or if none of the providers
-	 * responded to given issuer and paths requests
-	 * @return Map<String, Object> - Configuration Metadata from the given issuer
-	 */
-	private static Map<ProviderType, String> getIssuerConfiguration(String issuer, String... paths) {
-		Assert.notEmpty(paths, "paths cannot be empty or null.");
-
-		Map<ProviderType, String> providersUrl = buildIssuerConfigurationUrls(issuer, paths);
-		Map<ProviderType, String> providerResponse = new HashMap<>();
-
-		if (providersUrl.containsKey(ProviderType.OIDC)) {
-			providerResponse = mapResponse(providersUrl, ProviderType.OIDC);
-		}
-
-		// Fallback to OpenId v1 Discovery Endpoint based on RFC 8414 Compatibility Notes
-		if (providerResponse.isEmpty() && providersUrl.containsKey(ProviderType.OIDCV1)) {
-			providerResponse = mapResponse(providersUrl, ProviderType.OIDCV1);
-		}
-
-		if (providerResponse.isEmpty() && providersUrl.containsKey(ProviderType.OAUTH2)) {
-			providerResponse = mapResponse(providersUrl, ProviderType.OAUTH2);
-		}
-
-		if (providerResponse.isEmpty()) {
-			throw new IllegalArgumentException("Unable to resolve Configuration with the provided Issuer of \"" + issuer + "\"");
-		}
-		return providerResponse;
-	}
-
-	private static Map<ProviderType, String> mapResponse(Map<ProviderType, String> providersUrl, ProviderType providerType) {
-		Map<ProviderType, String> providerResponse = new HashMap<>();
-		String response = makeIssuerRequest(providersUrl.get(providerType));
-		if (response != null) {
-			providerResponse.put(providerType, response);
-		}
-		return providerResponse;
-	}
-
-	private static String makeIssuerRequest(String uri) {
-		RestTemplate rest = new RestTemplate();
-		try {
-			return rest.getForObject(uri, String.class);
-		} catch(RuntimeException ex) {
-			return null;
-		}
-	}
-
-	/**
-	 * When invoked with a path then make a
-	 * <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest">
-	 * OpenID Provider Configuration Request</a> by querying the OpenId Connection Discovery 1.0 endpoint
-	 * and the url would look as follow <strong>{host}/issuer1/.well-known/openid-configuration</strong>
-	 *
-	 * <p>
-	 * When more than one path is provided then query all the three (3) endpoints for metadata configuration
-	 * as per <a href="https://tools.ietf.org/html/rfc8414#section-5">Section 5</a> of RF 8414 specification
-	 * and the URLs would look as follow
-	 * </p>
-	 *
-	 * <ol>
-	 * <li>
-	 * <strong>{host}/.well-known/openid-configuration/issuer1</strong>  - OpenID as per RFC 8414
-	 * </li>
-	 * <li>
-	 * <strong>{host}/issuer1/.well-known/openid-configuration</strong> -  OpenID Connect 1.0 Discovery Compatibility as per RFC 8414
-	 * </li>
-	 * <li>
-	 * <strong>/.well-known/oauth-authorization-server/issuer1</strong> - OAuth2 Authorization Server Metadata as per RFC 8414
-	 * </li>
-	 * </ol>
-	 *
-	 * @param issuer
-	 * @param paths
-	 * @throws IllegalArgumentException throws exception if paths length is not 1 or 3, 1 for <strong>fromOidcLocationIssuer</strong>
-	 * and 3 for the newly introduced <strong>fromIssuerLocation</strong> to support querying 3 different metadata provider endpoints
-	 * @return Map<ProviderType, String> key-value map of provider with its request url
-	 */
-	private static Map<ProviderType, String> buildIssuerConfigurationUrls(String issuer, String... paths) {
-		Assert.isTrue(paths.length != 1 || paths.length != 3, "paths length can either be 1 or 3");
-
-		Map<ProviderType, String> providersUrl = new HashMap<>();
-
-		URI issuerURI = URI.create(issuer);
-
-		if (paths.length == 1) {
-			providersUrl.put(ProviderType.OIDCV1,
-					UriComponentsBuilder.fromUri(issuerURI).replacePath(issuerURI.getPath() + paths[0]).toUriString());
-		} else {
-			providersUrl.put(ProviderType.OIDC,
-					UriComponentsBuilder.fromUri(issuerURI).replacePath(paths[0] + issuerURI.getPath()).toUriString());
-			providersUrl.put(ProviderType.OIDCV1,
-					UriComponentsBuilder.fromUri(issuerURI).replacePath(issuerURI.getPath() + paths[0]).toUriString());
-			providersUrl.put(ProviderType.OAUTH2,
-					UriComponentsBuilder.fromUri(issuerURI).replacePath(paths[1] + issuerURI.getPath()).toUriString());
-		}
-
-		return providersUrl;
-	}
-
 	private static ClientAuthenticationMethod getClientAuthenticationMethod(String issuer,
 			List<com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod> metadataAuthMethods) {
 		if (metadataAuthMethods == null || metadataAuthMethods.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.CLIENT_SECRET_BASIC)) {
@@ -317,18 +249,6 @@ private static List<String> getScopes(AuthorizationServerMetadata metadata) {
 		}
 	}
 
-	private static <T> T parse(String body, ThrowingFunction<String, T, ParseException> parser) {
-		try {
-			return parser.apply(body);
-		} catch (ParseException e) {
-			throw new RuntimeException(e);
-		}
-	}
-
-	private interface ThrowingFunction<S, T, E extends Throwable> {
-		T apply(S src) throws E;
-	}
-
 	private ClientRegistrations() {}
 
 }