spring-projects
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
Lines changed: 30 additions & 3 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
Lines changed: 30 additions & 3 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParser.java
Lines changed: 8 additions & 0 deletions b/‎config/src/main/java/org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParser.java
Lines changed: 8 additions & 0 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
Lines changed: 25 additions & 2 deletions b/‎config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
Lines changed: 25 additions & 2 deletions
diff --git a/‎config/src/main/kotlin/org/springframework/security/config/annotation/web/oauth2/resourceserver/OpaqueTokenDsl.kt
Lines changed: 4 additions & 1 deletion b/‎config/src/main/kotlin/org/springframework/security/config/annotation/web/oauth2/resourceserver/OpaqueTokenDsl.kt
Lines changed: 4 additions & 1 deletion
diff --git a/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerOpaqueTokenDsl.kt
Lines changed: 4 additions & 1 deletion b/‎config/src/main/kotlin/org/springframework/security/config/web/server/ServerOpaqueTokenDsl.kt
Lines changed: 4 additions & 1 deletion
diff --git a/‎config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
Lines changed: 3 additions & 0 deletions b/‎config/src/main/resources/org/springframework/security/config/spring-security-5.8.rnc
Lines changed: 3 additions & 0 deletions
diff --git a/‎config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
Lines changed: 7 additions & 0 deletions b/‎config/src/main/resources/org/springframework/security/config/spring-security-5.8.xsd
Lines changed: 7 additions & 0 deletions
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
Lines changed: 43 additions & 0 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
Lines changed: 43 additions & 0 deletions
@@ -44,6 +44,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
 import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
@@ -105,8 +106,8 @@
  * </ul>
  *
  * <p>
- * When using {@link #opaqueToken(Customizer)}, supply an introspection endpoint and its
- * authentication configuration
+ * When using {@link #opaqueToken(Customizer)}, supply an introspection endpoint with its
+ * client credentials and an OpaqueTokenAuthenticationConverter
  * </p>
  *
  * <h2>Security Filters</h2>
@@ -136,6 +137,7 @@
  *
  * @author Josh Cummings
  * @author Evgeniy Cheban
+ * @author Jerome Wacongne &lt;[email protected]&gt;
  * @since 5.1
  * @see BearerTokenAuthenticationFilter
  * @see JwtAuthenticationProvider
@@ -448,6 +450,8 @@ public class OpaqueTokenConfigurer {
 
 		private Supplier<OpaqueTokenIntrospector> introspector;
 
+		private OpaqueTokenAuthenticationConverter authenticationConverter;
+
 		OpaqueTokenConfigurer(ApplicationContext context) {
 			this.context = context;
 		}
@@ -482,19 +486,42 @@ public OpaqueTokenConfigurer introspector(OpaqueTokenIntrospector introspector)
 			return this;
 		}
 
+		public OpaqueTokenConfigurer authenticationConverter(
+				OpaqueTokenAuthenticationConverter authenticationConverter) {
+			Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+			this.authenticationConverter = authenticationConverter;
+			return this;
+		}
+
 		OpaqueTokenIntrospector getIntrospector() {
 			if (this.introspector != null) {
 				return this.introspector.get();
 			}
 			return this.context.getBean(OpaqueTokenIntrospector.class);
 		}
 
+		OpaqueTokenAuthenticationConverter getAuthenticationConverter() {
+			if (this.authenticationConverter != null) {
+				return this.authenticationConverter;
+			}
+			if (this.context.getBeanNamesForType(OpaqueTokenAuthenticationConverter.class).length > 0) {
+				return this.context.getBean(OpaqueTokenAuthenticationConverter.class);
+			}
+			return null;
+		}
+
 		AuthenticationProvider getAuthenticationProvider() {
 			if (this.authenticationManager != null) {
 				return null;
 			}
 			OpaqueTokenIntrospector introspector = getIntrospector();
-			return new OpaqueTokenAuthenticationProvider(introspector);
+			OpaqueTokenAuthenticationProvider opaqueTokenAuthenticationProvider = new OpaqueTokenAuthenticationProvider(
+					introspector);
+			OpaqueTokenAuthenticationConverter authenticationConverter = getAuthenticationConverter();
+			if (authenticationConverter != null) {
+				opaqueTokenAuthenticationProvider.setAuthenticationConverter(authenticationConverter);
+			}
+			return opaqueTokenAuthenticationProvider;
 		}
 
 		AuthenticationManager getAuthenticationManager(H http) {
 
@@ -244,16 +244,24 @@ static final class OpaqueTokenBeanDefinitionParser implements BeanDefinitionPars
 
 		static final String CLIENT_SECRET = "client-secret";
 
+		static final String AUTHENTICATION_CONVERTER_REF = "authentication-converter-ref";
+
+		static final String AUTHENTICATION_CONVERTER = "authenticationConverter";
+
 		OpaqueTokenBeanDefinitionParser() {
 		}
 
 		@Override
 		public BeanDefinition parse(Element element, ParserContext pc) {
 			validateConfiguration(element, pc);
 			BeanMetadataElement introspector = getIntrospector(element);
+			String authenticationConverterRef = element.getAttribute(AUTHENTICATION_CONVERTER_REF);
 			BeanDefinitionBuilder opaqueTokenProviderBuilder = BeanDefinitionBuilder
 					.rootBeanDefinition(OpaqueTokenAuthenticationProvider.class);
 			opaqueTokenProviderBuilder.addConstructorArgValue(introspector);
+			if (StringUtils.hasText(authenticationConverterRef)) {
+				opaqueTokenProviderBuilder.addPropertyReference(AUTHENTICATION_CONVERTER, authenticationConverterRef);
+			}
 			return opaqueTokenProviderBuilder.getBeanDefinition();
 		}
 
 
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -95,6 +95,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenReactiveAuthenticationManager;
 import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.introspection.NimbusReactiveOpaqueTokenIntrospector;
+import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.web.access.server.BearerTokenServerAccessDeniedHandler;
 import org.springframework.security.oauth2.server.resource.web.server.BearerTokenServerAuthenticationEntryPoint;
@@ -4285,6 +4286,8 @@ public final class OpaqueTokenSpec {
 
 			private Supplier<ReactiveOpaqueTokenIntrospector> introspector;
 
+			private ReactiveOpaqueTokenAuthenticationConverter authenticationConverter;
+
 			private OpaqueTokenSpec() {
 			}
 
@@ -4323,6 +4326,13 @@ public OpaqueTokenSpec introspector(ReactiveOpaqueTokenIntrospector introspector
 				return this;
 			}
 
+			public OpaqueTokenSpec authenticationConverter(
+					ReactiveOpaqueTokenAuthenticationConverter authenticationConverter) {
+				Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
+				this.authenticationConverter = authenticationConverter;
+				return this;
+			}
+
 			/**
 			 * Allows method chaining to continue configuring the
 			 * {@link ServerHttpSecurity}
@@ -4333,7 +4343,13 @@ public OAuth2ResourceServerSpec and() {
 			}
 
 			protected ReactiveAuthenticationManager getAuthenticationManager() {
-				return new OpaqueTokenReactiveAuthenticationManager(getIntrospector());
+				OpaqueTokenReactiveAuthenticationManager authenticationManager = new OpaqueTokenReactiveAuthenticationManager(
+						getIntrospector());
+				ReactiveOpaqueTokenAuthenticationConverter authenticationConverter = getAuthenticationConverter();
+				if (authenticationConverter != null) {
+					authenticationManager.setAuthenticationConverter(authenticationConverter);
+				}
+				return authenticationManager;
 			}
 
 			protected ReactiveOpaqueTokenIntrospector getIntrospector() {
@@ -4343,6 +4359,13 @@ protected ReactiveOpaqueTokenIntrospector getIntrospector() {
 				return getBean(ReactiveOpaqueTokenIntrospector.class);
 			}
 
+			protected ReactiveOpaqueTokenAuthenticationConverter getAuthenticationConverter() {
+				if (this.authenticationConverter != null) {
+					return this.authenticationConverter;
+				}
+				return getBeanOrNull(ReactiveOpaqueTokenAuthenticationConverter.class);
+			}
+
 			protected void configure(ServerHttpSecurity http) {
 				ReactiveAuthenticationManager authenticationManager = getAuthenticationManager();
 				AuthenticationWebFilter oauth2 = new AuthenticationWebFilter(authenticationManager);
 
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer
 import org.springframework.security.core.Authentication
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenAuthenticationConverter
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector
 
 /**
@@ -54,6 +55,7 @@ class OpaqueTokenDsl {
             clientCredentials = null
         }
 
+    var authenticationConverter: OpaqueTokenAuthenticationConverter? = null
 
     /**
      * Configures the credentials for Introspection endpoint.
@@ -70,6 +72,7 @@ class OpaqueTokenDsl {
         return { opaqueToken ->
             introspectionUri?.also { opaqueToken.introspectionUri(introspectionUri) }
             introspector?.also { opaqueToken.introspector(introspector) }
+            authenticationConverter?.also { opaqueToken.authenticationConverter(authenticationConverter) }
             clientCredentials?.also { opaqueToken.introspectionClientCredentials(clientCredentials!!.first, clientCredentials!!.second) }
             authenticationManager?.also { opaqueToken.authenticationManager(authenticationManager) }
         }
 
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -16,6 +16,7 @@
 
 package org.springframework.security.config.web.server
 
+import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenAuthenticationConverter
 import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector
 
 /**
@@ -45,6 +46,7 @@ class ServerOpaqueTokenDsl {
             _introspectionUri = null
             clientCredentials = null
         }
+    var authenticationConverter: ReactiveOpaqueTokenAuthenticationConverter? = null
 
     /**
      * Configures the credentials for Introspection endpoint.
@@ -62,6 +64,7 @@ class ServerOpaqueTokenDsl {
             introspectionUri?.also { opaqueToken.introspectionUri(introspectionUri) }
             clientCredentials?.also { opaqueToken.introspectionClientCredentials(clientCredentials!!.first, clientCredentials!!.second) }
             introspector?.also { opaqueToken.introspector(introspector) }
+            authenticationConverter?.also { opaqueToken.authenticationConverter(authenticationConverter) }
         }
     }
 }
@@ -667,6 +667,9 @@ opaque-token.attlist &=
 opaque-token.attlist &=
     ## Reference to an OpaqueTokenIntrospector
     attribute introspector-ref {xsd:token}?
+opaque-token.attlist &=
+    ## Reference to an OpaqueTokenAuthenticationConverter responsible for converting successful introspection result into an Authentication.
+    attribute authentication-converter-ref {xsd:token}?
 
 openid-login =
 	## Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 
@@ -2060,6 +2060,13 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
+      <xs:attribute name="authentication-converter-ref" type="xs:token">
+         <xs:annotation>
+            <xs:documentation>Reference to an OpaqueTokenAuthenticationConverter responsible for converting successful
+                introspection result into an Authentication.
+                </xs:documentation>
+         </xs:annotation>
+      </xs:attribute>
   </xs:attributeGroup>
 
   <xs:element name="attribute-exchange">
 
@@ -80,6 +80,7 @@
 import org.springframework.security.authentication.AuthenticationManagerResolver;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
@@ -98,6 +99,7 @@
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
 import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
@@ -116,6 +118,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
 import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
@@ -1353,6 +1356,22 @@ public void getJwtAuthenticationConverterWhenDuplicateConverterBeansThenThrowsEx
 				.isThrownBy(jwtConfigurer::getJwtAuthenticationConverter);
 	}
 
+	@Test
+	public void getWhenCustomAuthenticationConverterThenConverts() throws Exception {
+		this.spring.register(RestOperationsConfig.class, OpaqueTokenAuthenticationConverterConfig.class,
+				BasicController.class).autowire();
+		OpaqueTokenAuthenticationConverter authenticationConverter = this.spring.getContext()
+				.getBean(OpaqueTokenAuthenticationConverter.class);
+		given(authenticationConverter.convert(anyString(), any(OAuth2AuthenticatedPrincipal.class)))
+				.willReturn(new TestingAuthenticationToken("jdoe", null, Collections.emptyList()));
+		mockRestOperations(json("Active"));
+		// @formatter:off
+		this.mvc.perform(get("/authenticated").with(bearerToken("token")))
+				.andExpect(status().isOk())
+				.andExpect(content().string("jdoe"));
+		// @formatter:on
+	}
+
 	private static <T> void registerMockBean(GenericApplicationContext context, String name, Class<T> clazz) {
 		context.registerBean(name, clazz, () -> mock(clazz));
 	}
@@ -2444,6 +2463,30 @@ protected void configure(HttpSecurity http) throws Exception {
 
 	}
 
+	@EnableWebSecurity
+	static class OpaqueTokenAuthenticationConverterConfig extends WebSecurityConfigurerAdapter {
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+					.authorizeRequests()
+					.antMatchers("/requires-read-scope").hasAuthority("SCOPE_message:read")
+					.anyRequest().authenticated()
+					.and()
+					.oauth2ResourceServer()
+					.opaqueToken()
+					.authenticationConverter(authenticationConverter());
+			// @formatter:on
+		}
+
+		@Bean
+		OpaqueTokenAuthenticationConverter authenticationConverter() {
+			return mock(OpaqueTokenAuthenticationConverter.class);
+		}
+
+	}
+
 	@Configuration
 	static class JwtDecoderConfig {
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * Copyright 2002-2020 the original author or authors.`
	`2`	`+ * Copyright 2002-2022 the original author or authors.`
`3`	`3`	`*`
`4`	`4`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`5`	`5`	`* you may not use this file except in compliance with the License.`
`@@ -16,6 +16,7 @@`
`16`	`16`
`17`	`17`	`package org.springframework.security.config.web.server`
`18`	`18`
	`19`	`+import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenAuthenticationConverter`
`19`	`20`	`import org.springframework.security.oauth2.server.resource.introspection.ReactiveOpaqueTokenIntrospector`
`20`	`21`
`21`	`22`	`/**`
`@@ -45,6 +46,7 @@ class ServerOpaqueTokenDsl {`
`45`	`46`	`_introspectionUri = null`
`46`	`47`	`clientCredentials = null`
`47`	`48`	`}`
	`49`	`+ var authenticationConverter: ReactiveOpaqueTokenAuthenticationConverter? = null`
`48`	`50`
`49`	`51`	`/**`
`50`	`52`	`* Configures the credentials for Introspection endpoint.`
`@@ -62,6 +64,7 @@ class ServerOpaqueTokenDsl {`
`62`	`64`	`introspectionUri?.also { opaqueToken.introspectionUri(introspectionUri) }`
`63`	`65`	`clientCredentials?.also { opaqueToken.introspectionClientCredentials(clientCredentials!!.first, clientCredentials!!.second) }`
`64`	`66`	`introspector?.also { opaqueToken.introspector(introspector) }`
	`67`	`+ authenticationConverter?.also { opaqueToken.authenticationConverter(authenticationConverter) }`
`65`	`68`	`}`
`66`	`69`	`}`
`67`	`70`	`}`