From b0b97fb1d21af2fb4d052d0792c9e5eae71f1030 Mon Sep 17 00:00:00 2001
From: shenqicheng <1317225796@qq.com>
Date: Tue, 9 Jul 2024 09:52:38 +0800
Subject: [PATCH 1/2] Add configuration property to allow multiple issuers

See gh-41355
---
 .../OAuth2AuthorizationServerProperties.java | 24 +++++++++++++++++++
 ...h2AuthorizationServerPropertiesMapper.java | 3 ++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
index 196afbdc75fe..fbce47a683b8 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
@@ -42,6 +42,30 @@ public class OAuth2AuthorizationServerProperties implements InitializingBean {
 */
 private String issuer;
+ /**
+ * Set to {@code true} if multiple issuers are allowed per host. Using path
+ * components in the URL of the issuer identifier enables supporting multiple
+ * issuers per host in a multi-tenant hosting configuration.
+ *
+ *
+ * For example: + *
+ * NOTE: Explicitly configuring the issuer identifier via
+ * {@link #issuer(String)} forces to a single-tenant configuration. Avoid
+ * configuring the issuer identifier when using a multi-tenant hosting
+ * configuration, allowing the issuer identifier to be resolved from the
+ * "current" request.
+ * @param multipleIssuersAllowed {@code true} if multiple issuers are allowed per
+ * host, {@code false} otherwise
+ * @return the {@link Builder} for further configuration
+ */
+ private boolean multipleIssuersAllowed = false;
+
/**
* Registered clients of the Authorization Server.
*/
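Review bot: The Javadoc added above `private boolean multipleIssuersAllowed = false;` carries `@param`/`@return` tags and a `{@link #issuer(String)}` reference, which belong to a builder method rather than to a field; in this class the link has nothing to resolve to (the properties class exposes `getIssuer()`, as the second patch on this page shows) and the tags on a field will be reported by the javadoc tool. Since this switch changes where the issuer identifier comes from, the field comment should keep the one fact an operator needs and drop the rest, e.g. `Whether multiple issuers are allowed per host. When enabled, the issuer identifier is resolved from the current request rather than from {@code issuer}, which should then be left unset.` The second patch shortens the copied text but drops that request-resolution sentence entirely, so it is worth restoring in whichever commit lands.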
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
index e53d587e192c..a4fe537dbfc9 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
@@ -51,7 +51,8 @@ AuthorizationServerSettings asAuthorizationServerSettings() {
OAuth2AuthorizationServerProperties.Endpoint endpoint = this.properties.getEndpoint();
OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoint.getOidc();
AuthorizationServerSettings.Builder builder = AuthorizationServerSettings.builder();
- map.from(this.properties::getIssuer).to(builder::issuer);
+ map.from(this.properties::getIssuer).whenHasText().to(builder::issuer);
+ map.from(this.properties::isMultipleIssuersAllowed).to(builder::multipleIssuersAllowed);
map.from(endpoint::getAuthorizationUri).to(builder::authorizationEndpoint);
map.from(endpoint::getDeviceAuthorizationUri).to(builder::deviceAuthorizationEndpoint);
map.from(endpoint::getDeviceVerificationUri).to(builder::deviceVerificationEndpoint);
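Review bot: `this.properties::isMultipleIssuersAllowed` has no matching accessor in this patch: the diffstat attributes all 24 additions to the properties file to the Javadoc-and-field hunk, so, as far as this page shows, this commit does not compile on its own and only the follow-up commit adds `isMultipleIssuersAllowed()` and `setMultipleIssuersAllowed(boolean)`. The `whenHasText()` added to the issuer mapping here is removed again by that follow-up, so the two commits would read more clearly squashed, or at least with the accessor moved into this one. `asAuthorizationServerSettings()` continues outside the hunk.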
From 1a6760e21d1f95d3bf7169c1e062733cde66cff6 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
- * For example:
- *
- * NOTE: Explicitly configuring the issuer identifier via
- * {@link #issuer(String)} forces to a single-tenant configuration. Avoid
- * configuring the issuer identifier when using a multi-tenant hosting
- * configuration, allowing the issuer identifier to be resolved from the
- * "current" request.
- * @param multipleIssuersAllowed {@code true} if multiple issuers are allowed per
- * host, {@code false} otherwise
- * @return the {@link Builder} for further configuration
+ * Whether multiple issuers are allowed per host. Using path components in the URL of
+ * the issuer identifier enables supporting multiple issuers per host in a
+ * multi-tenant hosting configuration.
*/
private boolean multipleIssuersAllowed = false;
@@ -76,6 +59,14 @@ public class OAuth2AuthorizationServerProperties implements InitializingBean {
*/
private final Endpoint endpoint = new Endpoint();
+ public boolean isMultipleIssuersAllowed() {
+ return this.multipleIssuersAllowed;
+ }
+
+ public void setMultipleIssuersAllowed(boolean multipleIssuersAllowed) {
+ this.multipleIssuersAllowed = multipleIssuersAllowed;
+ }
+
public String getIssuer() {
return this.issuer;
}
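Review bot: Nothing on this page rejects the combination of an explicit `issuer` with `multipleIssuersAllowed` set to true, although the Javadoc removed in the preceding hunk states that an explicit issuer identifier forces a single-tenant configuration. The class implements `InitializingBean` (visible in the first patch's hunk header), so `afterPropertiesSet()` is the natural place for a state check such as `if (this.multipleIssuersAllowed && this.issuer != null) { throw new IllegalStateException("'issuer' must not be set when 'multipleIssuersAllowed' is true"); }`, which fails at binding time with a message naming both properties. If `AuthorizationServerSettings.Builder.build()` already rejects the pair, that failure surfaces later and without the property names, so the earlier check is still useful; `afterPropertiesSet()` itself is outside this hunk.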
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
index a4fe537dbfc9..58083756c537 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -51,7 +51,7 @@ AuthorizationServerSettings asAuthorizationServerSettings() {
OAuth2AuthorizationServerProperties.Endpoint endpoint = this.properties.getEndpoint();
OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoint.getOidc();
AuthorizationServerSettings.Builder builder = AuthorizationServerSettings.builder();
- map.from(this.properties::getIssuer).whenHasText().to(builder::issuer);
+ map.from(this.properties::getIssuer).to(builder::issuer);
map.from(this.properties::isMultipleIssuersAllowed).to(builder::multipleIssuersAllowed);
map.from(endpoint::getAuthorizationUri).to(builder::authorizationEndpoint);
map.from(endpoint::getDeviceAuthorizationUri).to(builder::deviceAuthorizationEndpoint);
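Review bot: Dropping `whenHasText()` means an `issuer` property bound to an empty or blank string now reaches `builder::issuer`, whereas the first patch skipped it; the new test only asserts `settings.getIssuer()` is null for the unset case, so how `map` treats null and how the builder treats `""` is not visible here. Either the blank-value case should get a test pinning the intended outcome, or the reason the filter was removed should be recorded next to the line, e.g. `// null issuer is left unset; a configured value is passed through unchanged`, so the next reader does not re-add it. `asAuthorizationServerSettings()` continues outside the hunk.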
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java
index 8fbfb1eb4f2f..5773df36336b 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -113,6 +113,37 @@ void getAuthorizationServerSettingsWhenValidParametersShouldAdapt() {
oidc.setUserInfoUri("/user");
AuthorizationServerSettings settings = this.mapper.asAuthorizationServerSettings();
assertThat(settings.getIssuer()).isEqualTo("https://example.com");
+ assertThat(settings.isMultipleIssuersAllowed()).isFalse();
+ assertThat(settings.getAuthorizationEndpoint()).isEqualTo("/authorize");
+ assertThat(settings.getDeviceAuthorizationEndpoint()).isEqualTo("/device_authorization");
+ assertThat(settings.getDeviceVerificationEndpoint()).isEqualTo("/device_verification");
+ assertThat(settings.getTokenEndpoint()).isEqualTo("/token");
+ assertThat(settings.getJwkSetEndpoint()).isEqualTo("/jwks");
+ assertThat(settings.getTokenRevocationEndpoint()).isEqualTo("/revoke");
+ assertThat(settings.getTokenIntrospectionEndpoint()).isEqualTo("/introspect");
+ assertThat(settings.getOidcLogoutEndpoint()).isEqualTo("/logout");
+ assertThat(settings.getOidcClientRegistrationEndpoint()).isEqualTo("/register");
+ assertThat(settings.getOidcUserInfoEndpoint()).isEqualTo("/user");
+ }
+
+ @Test
+ void getAuthorizationServerSettingsWhenMultipleIssuersAllowedShouldAdapt() {
+ this.properties.setMultipleIssuersAllowed(true);
+ OAuth2AuthorizationServerProperties.Endpoint endpoints = this.properties.getEndpoint();
+ endpoints.setAuthorizationUri("/authorize");
+ endpoints.setDeviceAuthorizationUri("/device_authorization");
+ endpoints.setDeviceVerificationUri("/device_verification");
+ endpoints.setTokenUri("/token");
+ endpoints.setJwkSetUri("/jwks");
+ endpoints.setTokenRevocationUri("/revoke");
+ endpoints.setTokenIntrospectionUri("/introspect");
+ OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoints.getOidc();
+ oidc.setLogoutUri("/logout");
+ oidc.setClientRegistrationUri("/register");
+ oidc.setUserInfoUri("/user");
+ AuthorizationServerSettings settings = this.mapper.asAuthorizationServerSettings();
+ assertThat(settings.getIssuer()).isNull();
+ assertThat(settings.isMultipleIssuersAllowed()).isTrue();
assertThat(settings.getAuthorizationEndpoint()).isEqualTo("/authorize");
assertThat(settings.getDeviceAuthorizationEndpoint()).isEqualTo("/device_authorization");
assertThat(settings.getDeviceVerificationEndpoint()).isEqualTo("/device_verification");
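Review bot: Neither test exercises the misconfiguration the original Javadoc warns about — `this.properties.setIssuer("https://example.com")` together with `this.properties.setMultipleIssuersAllowed(true)` — so whatever the builder does with that pair, accept one silently or reject it, stays unpinned; a third test asserting the expected outcome would document the contract. `getAuthorizationServerSettingsWhenMultipleIssuersAllowedShouldAdapt` also repeats the whole endpoint fixture of the test above it, so a private `configureEndpoints()` helper called by both would leave each test with only the lines that differ (the local is named `endpoints` here and `endpoint` in the mapper, which the helper would also settle). The first test begins, and the new one ends, outside this hunk.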
- *
- *
- *