Remove Nimbus introspector reliance on oauth2-oidc-sdk

asvanberg · asvanberg · commit fb89286cab49 · 2025-02-23T13:22:41.000+01:00
Signed-off-by: Andreas Svanberg &lt;andreas.svanberg@mensa.se&gt;
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/introspection/NimbusOpaqueTokenIntrospector.java
@@ -16,38 +16,11 @@
 
 package org.springframework.security.oauth2.server.resource.introspection;
 
-import java.net.URI;
-import java.time.Instant;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
-
-import com.nimbusds.oauth2.sdk.ErrorObject;
-import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse;
-import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
-import com.nimbusds.oauth2.sdk.http.HTTPResponse;
-import com.nimbusds.oauth2.sdk.id.Audience;
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-
 import org.springframework.core.convert.converter.Converter;
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpMethod;
-import org.springframework.http.MediaType;
 import org.springframework.http.RequestEntity;
-import org.springframework.http.ResponseEntity;
-import org.springframework.http.client.support.BasicAuthenticationInterceptor;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
-import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames;
 import org.springframework.util.Assert;
-import org.springframework.util.LinkedMultiValueMap;
-import org.springframework.util.MultiValueMap;
 import org.springframework.web.client.RestOperations;
-import org.springframework.web.client.RestTemplate;
 
 /**
  * A Nimbus implementation of {@link OpaqueTokenIntrospector} that verifies and
@@ -63,13 +36,7 @@
 @Deprecated
 public class NimbusOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
 
-	private static final String AUTHORITY_PREFIX = "SCOPE_";
-
-	private final Log logger = LogFactory.getLog(getClass());
-
-	private final RestOperations restOperations;
-
-	private Converter<String, RequestEntity<?>> requestEntityConverter;
+	private final SpringOpaqueTokenIntrospector delegate;
 
 	/**
 	 * Creates a {@code OpaqueTokenAuthenticationProvider} with the provided parameters
@@ -81,10 +48,7 @@ public NimbusOpaqueTokenIntrospector(String introspectionUri, String clientId, S
 		Assert.notNull(introspectionUri, "introspectionUri cannot be null");
 		Assert.notNull(clientId, "clientId cannot be null");
 		Assert.notNull(clientSecret, "clientSecret cannot be null");
-		this.requestEntityConverter = this.defaultRequestEntityConverter(URI.create(introspectionUri));
-		RestTemplate restTemplate = new RestTemplate();
-		restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(clientId, clientSecret));
-		this.restOperations = restTemplate;
+		this.delegate = new SpringOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
 	}
 
 	/**
@@ -98,47 +62,12 @@ public NimbusOpaqueTokenIntrospector(String introspectionUri, String clientId, S
 	public NimbusOpaqueTokenIntrospector(String introspectionUri, RestOperations restOperations) {
 		Assert.notNull(introspectionUri, "introspectionUri cannot be null");
 		Assert.notNull(restOperations, "restOperations cannot be null");
-		this.requestEntityConverter = this.defaultRequestEntityConverter(URI.create(introspectionUri));
-		this.restOperations = restOperations;
-	}
-
-	private Converter<String, RequestEntity<?>> defaultRequestEntityConverter(URI introspectionUri) {
-		return (token) -> {
-			HttpHeaders headers = requestHeaders();
-			MultiValueMap<String, String> body = requestBody(token);
-			return new RequestEntity<>(body, headers, HttpMethod.POST, introspectionUri);
-		};
-	}
-
-	private HttpHeaders requestHeaders() {
-		HttpHeaders headers = new HttpHeaders();
-		headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
-		return headers;
-	}
-
-	private MultiValueMap<String, String> requestBody(String token) {
-		MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
-		body.add("token", token);
-		return body;
+		this.delegate = new SpringOpaqueTokenIntrospector(introspectionUri, restOperations);
 	}
 
 	@Override
 	public OAuth2AuthenticatedPrincipal introspect(String token) {
-		RequestEntity<?> requestEntity = this.requestEntityConverter.convert(token);
-		if (requestEntity == null) {
-			throw new OAuth2IntrospectionException("requestEntityConverter returned a null entity");
-		}
-		ResponseEntity<String> responseEntity = makeRequest(requestEntity);
-		HTTPResponse httpResponse = adaptToNimbusResponse(responseEntity);
-		TokenIntrospectionResponse introspectionResponse = parseNimbusResponse(httpResponse);
-		TokenIntrospectionSuccessResponse introspectionSuccessResponse = castToNimbusSuccess(introspectionResponse);
-		// relying solely on the authorization server to validate this token (not checking
-		// 'exp', for example)
-		if (!introspectionSuccessResponse.isActive()) {
-			this.logger.trace("Did not validate token since it is inactive");
-			throw new BadOpaqueTokenException("Provided token isn't active");
-		}
-		return convertClaimsSet(introspectionSuccessResponse);
+		return this.delegate.introspect(token);
 	}
 
 	/**
@@ -149,121 +78,7 @@ public OAuth2AuthenticatedPrincipal introspect(String token) {
 	 */
 	public void setRequestEntityConverter(Converter<String, RequestEntity<?>> requestEntityConverter) {
 		Assert.notNull(requestEntityConverter, "requestEntityConverter cannot be null");
-		this.requestEntityConverter = requestEntityConverter;
-	}
-
-	private ResponseEntity<String> makeRequest(RequestEntity<?> requestEntity) {
-		try {
-			return this.restOperations.exchange(requestEntity, String.class);
-		}
-		catch (Exception ex) {
-			throw new OAuth2IntrospectionException(ex.getMessage(), ex);
-		}
-	}
-
-	private HTTPResponse adaptToNimbusResponse(ResponseEntity<String> responseEntity) {
-		MediaType contentType = responseEntity.getHeaders().getContentType();
-
-		if (contentType == null) {
-			this.logger.trace("Did not receive Content-Type from introspection endpoint in response");
-
-			throw new OAuth2IntrospectionException(
-					"Introspection endpoint response was invalid, as no Content-Type header was provided");
-		}
-
-		// Nimbus expects JSON, but does not appear to validate this header first.
-		if (!contentType.isCompatibleWith(MediaType.APPLICATION_JSON)) {
-			this.logger.trace("Did not receive JSON-compatible Content-Type from introspection endpoint in response");
-
-			throw new OAuth2IntrospectionException("Introspection endpoint response was invalid, as content type '"
-					+ contentType + "' is not compatible with JSON");
-		}
-
-		HTTPResponse response = new HTTPResponse(responseEntity.getStatusCode().value());
-		response.setHeader(HttpHeaders.CONTENT_TYPE, contentType.toString());
-		response.setContent(responseEntity.getBody());
-
-		if (response.getStatusCode() != HTTPResponse.SC_OK) {
-			this.logger.trace("Introspection endpoint returned non-OK status code");
-
-			throw new OAuth2IntrospectionException(
-					"Introspection endpoint responded with HTTP status code " + response.getStatusCode());
-		}
-		return response;
-	}
-
-	private TokenIntrospectionResponse parseNimbusResponse(HTTPResponse response) {
-		try {
-			return TokenIntrospectionResponse.parse(response);
-		}
-		catch (Exception ex) {
-			throw new OAuth2IntrospectionException(ex.getMessage(), ex);
-		}
-	}
-
-	private TokenIntrospectionSuccessResponse castToNimbusSuccess(TokenIntrospectionResponse introspectionResponse) {
-		if (!introspectionResponse.indicatesSuccess()) {
-			ErrorObject errorObject = introspectionResponse.toErrorResponse().getErrorObject();
-			String message = "Token introspection failed with response " + errorObject.toJSONObject().toJSONString();
-			this.logger.trace(message);
-			throw new OAuth2IntrospectionException(message);
-		}
-		return (TokenIntrospectionSuccessResponse) introspectionResponse;
-	}
-
-	private OAuth2AuthenticatedPrincipal convertClaimsSet(TokenIntrospectionSuccessResponse response) {
-		Collection<GrantedAuthority> authorities = new ArrayList<>();
-		Map<String, Object> claims = response.toJSONObject();
-		if (response.getAudience() != null) {
-			List<String> audiences = new ArrayList<>();
-			for (Audience audience : response.getAudience()) {
-				audiences.add(audience.getValue());
-			}
-			claims.put(OAuth2TokenIntrospectionClaimNames.AUD, Collections.unmodifiableList(audiences));
-		}
-		if (response.getClientID() != null) {
-			claims.put(OAuth2TokenIntrospectionClaimNames.CLIENT_ID, response.getClientID().getValue());
-		}
-		if (response.getExpirationTime() != null) {
-			Instant exp = response.getExpirationTime().toInstant();
-			claims.put(OAuth2TokenIntrospectionClaimNames.EXP, exp);
-		}
-		if (response.getIssueTime() != null) {
-			Instant iat = response.getIssueTime().toInstant();
-			claims.put(OAuth2TokenIntrospectionClaimNames.IAT, iat);
-		}
-		if (response.getIssuer() != null) {
-			// RFC-7662 page 7 directs users to RFC-7519 for defining the values of these
-			// issuer fields.
-			// https://datatracker.ietf.org/doc/html/rfc7662#page-7
-			//
-			// RFC-7519 page 9 defines issuer fields as being 'case-sensitive' strings
-			// containing
-			// a 'StringOrURI', which is defined on page 5 as being any string, but
-			// strings containing ':'
-			// should be treated as valid URIs.
-			// https://datatracker.ietf.org/doc/html/rfc7519#section-2
-			//
-			// It is not defined however as to whether-or-not normalized URIs should be
-			// treated as the same literal
-			// value. It only defines validation itself, so to avoid potential ambiguity
-			// or unwanted side effects that
-			// may be awkward to debug, we do not want to manipulate this value. Previous
-			// versions of Spring Security
-			// would *only* allow valid URLs, which is not what we wish to achieve here.
-			claims.put(OAuth2TokenIntrospectionClaimNames.ISS, response.getIssuer().getValue());
-		}
-		if (response.getNotBeforeTime() != null) {
-			claims.put(OAuth2TokenIntrospectionClaimNames.NBF, response.getNotBeforeTime().toInstant());
-		}
-		if (response.getScope() != null) {
-			List<String> scopes = Collections.unmodifiableList(response.getScope().toStringList());
-			claims.put(OAuth2TokenIntrospectionClaimNames.SCOPE, scopes);
-			for (String scope : scopes) {
-				authorities.add(new SimpleGrantedAuthority(AUTHORITY_PREFIX + scope));
-			}
-		}
-		return new OAuth2IntrospectionAuthenticatedPrincipal(claims, authorities);
+		this.delegate.setRequestEntityConverter(requestEntityConverter);
 	}
 
 }
