Add support for OAuth 2.0 Protected Resource Metadata

Closes gh-17244

Author: jgrandja

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -20,6 +20,7 @@
 import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.function.Consumer;
 import java.util.function.Supplier;
 
 import jakarta.servlet.http.HttpServletRequest;
@@ -43,6 +44,7 @@
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.server.resource.OAuth2ProtectedResourceMetadata;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
 import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
@@ -51,6 +53,7 @@
 import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
+import org.springframework.security.oauth2.server.resource.web.OAuth2ProtectedResourceMetadataFilter;
 import org.springframework.security.oauth2.server.resource.web.access.BearerTokenAccessDeniedHandler;
 import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
@@ -59,6 +62,7 @@
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
 import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
 import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
 import org.springframework.security.web.csrf.CsrfException;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
 import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
@@ -172,6 +176,8 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 
 	private OpaqueTokenConfigurer opaqueTokenConfigurer;
 
+	private final ProtectedResourceMetadataConfigurer protectedResourceMetadataConfigurer = new ProtectedResourceMetadataConfigurer();
+
 	private AccessDeniedHandler accessDeniedHandler = new DelegatingAccessDeniedHandler(
 			new LinkedHashMap<>(Map.of(CsrfException.class, new AccessDeniedHandlerImpl())),
 			new BearerTokenAccessDeniedHandler());
@@ -250,6 +256,18 @@ public OAuth2ResourceServerConfigurer<H> opaqueToken(Customizer<OpaqueTokenConfi
 		return this;
 	}
 
+	/**
+	 * Configure OAuth 2.0 Protected Resource Metadata.
+	 * @param protectedResourceMetadataCustomizer the {@link Customizer} to provide more
+	 * options for the {@link ProtectedResourceMetadataConfigurer}
+	 * @return the {@link OAuth2ResourceServerConfigurer} for further customizations
+	 */
+	public OAuth2ResourceServerConfigurer<H> protectedResourceMetadata(
+			Customizer<ProtectedResourceMetadataConfigurer> protectedResourceMetadataCustomizer) {
+		protectedResourceMetadataCustomizer.customize(this.protectedResourceMetadataConfigurer);
+		return this;
+	}
+
 	@Override
 	public void init(H http) {
 		validateConfiguration();
@@ -277,10 +295,19 @@ public void configure(H http) {
 		filter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 		filter = postProcess(filter);
 		http.addFilter(filter);
+
 		if (dPoPAuthenticationAvailable) {
 			DPoPAuthenticationConfigurer<H> dPoPAuthenticationConfigurer = new DPoPAuthenticationConfigurer<>();
 			dPoPAuthenticationConfigurer.configure(http);
 		}
+
+		OAuth2ProtectedResourceMetadataFilter protectedResourceMetadataFilter = new OAuth2ProtectedResourceMetadataFilter();
+		if (this.protectedResourceMetadataConfigurer.protectedResourceMetadataCustomizer != null) {
+			protectedResourceMetadataFilter.setProtectedResourceMetadataCustomizer(
+					this.protectedResourceMetadataConfigurer.protectedResourceMetadataCustomizer);
+		}
+		protectedResourceMetadataFilter = postProcess(protectedResourceMetadataFilter);
+		http.addFilterBefore(protectedResourceMetadataFilter, AbstractPreAuthenticatedProcessingFilter.class);
 	}
 
 	private void validateConfiguration() {
@@ -562,6 +589,30 @@ AuthenticationManager getAuthenticationManager(H http) {
 
 	}
 
+	public static final class ProtectedResourceMetadataConfigurer {
+
+		private Consumer<OAuth2ProtectedResourceMetadata.Builder> protectedResourceMetadataCustomizer;
+
+		private ProtectedResourceMetadataConfigurer() {
+		}
+
+		/**
+		 * Sets the {@code Consumer} providing access to the
+		 * {@link OAuth2ProtectedResourceMetadata.Builder} allowing the ability to
+		 * customize the claims of the Resource Server's configuration.
+		 * @param protectedResourceMetadataCustomizer the {@code Consumer} providing
+		 * access to the {@link OAuth2ProtectedResourceMetadata.Builder}
+		 * @return the {@link ProtectedResourceMetadataConfigurer} for further
+		 * configuration
+		 */
+		public ProtectedResourceMetadataConfigurer protectedResourceMetadataCustomizer(
+				Consumer<OAuth2ProtectedResourceMetadata.Builder> protectedResourceMetadataCustomizer) {
+			this.protectedResourceMetadataCustomizer = protectedResourceMetadataCustomizer;
+			return this;
+		}
+
+	}
+
 	private static final class BearerTokenRequestMatcher implements RequestMatcher {
 
 		private AuthenticationConverter authenticationConverter;

config/src/test/java/org/springframework/security/SerializationSamples.java

@@ -192,6 +192,7 @@
 import org.springframework.security.oauth2.server.resource.BearerTokenError;
 import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
 import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
+import org.springframework.security.oauth2.server.resource.OAuth2ProtectedResourceMetadata;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.DPoPAuthenticationToken;
@@ -406,6 +407,15 @@ final class SerializationSamples {
 				(r) -> new OAuth2IntrospectionException("message", new RuntimeException()));
 		generatorByClassName.put(DPoPAuthenticationToken.class,
 				(r) -> applyDetails(new DPoPAuthenticationToken("token", "proof", "method", "uri")));
+		generatorByClassName.put(OAuth2ProtectedResourceMetadata.class,
+				(r) -> OAuth2ProtectedResourceMetadata.builder()
+					.resource("https://localhost/resource")
+					.authorizationServer("https://localhost/authorizationServer")
+					.scope("scope")
+					.bearerMethod("bearerMethod")
+					.resourceName("resourceName")
+					.tlsClientCertificateBoundAccessTokens(true)
+					.build());
 
 		// oauth2-authorization-server
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ProtectedResourceMetadataTests.java

@@ -0,0 +1,200 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configurers.oauth2.server.resource;
+
+import java.util.function.Consumer;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.test.SpringTestContext;
+import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.oauth2.jose.TestKeys;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.server.resource.OAuth2ProtectedResourceMetadata;
+import org.springframework.security.oauth2.server.resource.OAuth2ProtectedResourceMetadataClaimNames;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.test.web.servlet.MockMvc;
+
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.hasSize;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+/**
+ * Integration tests for OAuth 2.0 Protected Resource Metadata Requests.
+ *
+ * @author Joe Grandja
+ */
+@ExtendWith(SpringTestContextExtension.class)
+public class OAuth2ProtectedResourceMetadataTests {
+
+	private static final String DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI = "/.well-known/oauth-protected-resource";
+
+	private static final String RESOURCE = "https://resource.com:8443";
+
+	private static final String ISSUER_1 = "https://provider1.com";
+
+	private static final String ISSUER_2 = "https://provider2.com";
+
+	public final SpringTestContext spring = new SpringTestContext(this);
+
+	@Autowired
+	private MockMvc mvc;
+
+	@Test
+	public void requestWhenProtectedResourceMetadataRequestThenReturnMetadataResponse() throws Exception {
+		this.spring.register(ResourceServerConfiguration.class).autowire();
+
+		this.mvc.perform(get(RESOURCE.concat(DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI)))
+			.andExpect(status().is2xxSuccessful())
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.RESOURCE).value(RESOURCE))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.BEARER_METHODS_SUPPORTED).isArray())
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.BEARER_METHODS_SUPPORTED).value(hasSize(1)))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.BEARER_METHODS_SUPPORTED)
+				.value(hasItem("header")))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.TLS_CLIENT_CERTIFICATE_BOUND_ACCESS_TOKENS)
+				.value(true))
+			.andReturn();
+	}
+
+	@Test
+	public void requestWhenProtectedResourceMetadataRequestIncludesResourcePathThenMetadataResponseHasResourcePath()
+			throws Exception {
+		this.spring.register(ResourceServerConfiguration.class).autowire();
+
+		String host = RESOURCE;
+
+		String resourcePath = "/resource1";
+		String resource = host.concat(resourcePath);
+		this.mvc.perform(get(host.concat(DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI).concat(resourcePath)))
+			.andExpect(status().is2xxSuccessful())
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.RESOURCE).value(resource))
+			.andReturn();
+
+		resourcePath = "/path1/resource2";
+		resource = host.concat(resourcePath);
+		this.mvc.perform(get(host.concat(DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI).concat(resourcePath)))
+			.andExpect(status().is2xxSuccessful())
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.RESOURCE).value(resource))
+			.andReturn();
+
+		resourcePath = "/path1/path2/resource3";
+		resource = host.concat(resourcePath);
+		this.mvc.perform(get(host.concat(DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI).concat(resourcePath)))
+			.andExpect(status().is2xxSuccessful())
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.RESOURCE).value(resource))
+			.andReturn();
+	}
+
+	@Test
+	public void requestWhenProtectedResourceMetadataRequestAndMetadataCustomizerSetThenReturnCustomMetadataResponse()
+			throws Exception {
+		this.spring.register(ResourceServerConfigurationWithMetadataCustomizer.class).autowire();
+
+		this.mvc.perform(get(RESOURCE.concat(DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI)))
+			.andExpect(status().is2xxSuccessful())
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.RESOURCE).value(RESOURCE))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.AUTHORIZATION_SERVERS).isArray())
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.AUTHORIZATION_SERVERS).value(hasSize(2)))
+			.andExpect(
+					jsonPath(OAuth2ProtectedResourceMetadataClaimNames.AUTHORIZATION_SERVERS).value(hasItem(ISSUER_1)))
+			.andExpect(
+					jsonPath(OAuth2ProtectedResourceMetadataClaimNames.AUTHORIZATION_SERVERS).value(hasItem(ISSUER_2)))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.SCOPES_SUPPORTED).isArray())
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.SCOPES_SUPPORTED).value(hasSize(2)))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.SCOPES_SUPPORTED).value(hasItem("scope1")))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.SCOPES_SUPPORTED).value(hasItem("scope2")))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.BEARER_METHODS_SUPPORTED).isArray())
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.BEARER_METHODS_SUPPORTED).value(hasSize(1)))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.BEARER_METHODS_SUPPORTED)
+				.value(hasItem("header")))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.RESOURCE_NAME).value("resourceName"))
+			.andExpect(jsonPath(OAuth2ProtectedResourceMetadataClaimNames.TLS_CLIENT_CERTIFICATE_BOUND_ACCESS_TOKENS)
+				.value(true))
+			.andReturn();
+	}
+
+	@EnableWebSecurity
+	@Configuration(proxyBeanMethods = false)
+	static class ResourceServerConfiguration {
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) {
+			// @formatter:off
+			http
+				.authorizeHttpRequests((authorize) ->
+					authorize
+						.anyRequest().authenticated()
+				)
+				.oauth2ResourceServer((oauth2) ->
+					oauth2
+						.jwt(Customizer.withDefaults())
+				);
+			// @formatter:on
+			return http.build();
+		}
+
+		@Bean
+		JwtDecoder jwtDecoder() {
+			return NimbusJwtDecoder.withPublicKey(TestKeys.DEFAULT_PUBLIC_KEY).build();
+		}
+
+	}
+
+	@EnableWebSecurity
+	@Configuration(proxyBeanMethods = false)
+	static class ResourceServerConfigurationWithMetadataCustomizer extends ResourceServerConfiguration {
+
+		@Bean
+		SecurityFilterChain securityFilterChain(HttpSecurity http) {
+			// @formatter:off
+			http
+				.authorizeHttpRequests((authorize) ->
+					authorize
+						.anyRequest().authenticated()
+				)
+				.oauth2ResourceServer((oauth2) ->
+					oauth2
+						.jwt(Customizer.withDefaults())
+						.protectedResourceMetadata((metadata) ->
+							metadata.protectedResourceMetadataCustomizer(protectedResourceMetadataCustomizer())
+						)
+				);
+			// @formatter:on
+			return http.build();
+		}
+
+		private Consumer<OAuth2ProtectedResourceMetadata.Builder> protectedResourceMetadataCustomizer() {
+			return (protectedResourceMetadata) -> protectedResourceMetadata.authorizationServer(ISSUER_1)
+				.authorizationServer(ISSUER_2)
+				.scope("scope1")
+				.scope("scope2")
+				.resourceName("resourceName");
+		}
+
+	}
+
+}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -415,7 +415,7 @@ public void postWhenCsrfDisabledWithBearerTokenAsFormParameterThenIgnoresToken()
 		// @formatter:off
 		this.mvc.perform(post("/").header(HttpHeaders.CONTENT_TYPE, MediaType.APPLICATION_FORM_URLENCODED_VALUE).with(bearerToken("token").asParam()))
 				.andExpect(status().isUnauthorized())
-				.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer"));
+				.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer resource_metadata=\"http://localhost/.well-known/oauth-protected-resource\""));
 		// @formatter:on
 	}
 
@@ -437,7 +437,7 @@ public void getWhenUsingDefaultsWithNoBearerTokenThenUnauthorized() throws Excep
 		// @formatter:off
 		this.mvc.perform(get("/"))
 				.andExpect(status().isUnauthorized())
-				.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer"));
+				.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, "Bearer resource_metadata=\"http://localhost/.well-known/oauth-protected-resource\""));
 		// @formatter:on
 	}
 
@@ -1472,14 +1472,18 @@ private static ResultMatcher invalidRequestHeader(String message) {
 		return header().string(HttpHeaders.WWW_AUTHENTICATE,
 				AllOf.allOf(new StringStartsWith("Bearer " + "error=\"invalid_request\", " + "error_description=\""),
 						new StringContains(message),
-						new StringEndsWith(", " + "error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"")));
+						new StringContains(", " + "error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\""),
+						new StringEndsWith(
+								", " + "resource_metadata=\"http://localhost/.well-known/oauth-protected-resource\"")));
 	}
 
 	private static ResultMatcher invalidTokenHeader(String message) {
 		return header().string(HttpHeaders.WWW_AUTHENTICATE,
 				AllOf.allOf(new StringStartsWith("Bearer " + "error=\"invalid_token\", " + "error_description=\""),
 						new StringContains(message),
-						new StringEndsWith(", " + "error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"")));
+						new StringContains(", " + "error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\""),
+						new StringEndsWith(
+								", " + "resource_metadata=\"http://localhost/.well-known/oauth-protected-resource\"")));
 	}
 
 	private static ResultMatcher insufficientScopeHeader() {