From b0b97fb1d21af2fb4d052d0792c9e5eae71f1030 Mon Sep 17 00:00:00 2001
From: shenqicheng <1317225796@qq.com>
Date: Tue, 9 Jul 2024 09:52:38 +0800
Subject: [PATCH 1/2] Add configuration property to allow multiple issuers
See gh-41355
---
 .../OAuth2AuthorizationServerProperties.java | 24 +++++++++++++++++++
 ...h2AuthorizationServerPropertiesMapper.java | 3 ++-
 2 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
index 196afbdc75fe..fbce47a683b8 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
@@ -42,6 +42,30 @@ public class OAuth2AuthorizationServerProperties implements InitializingBean {
 */
 private String issuer;
+ /**
+ * Set to {@code true} if multiple issuers are allowed per host. Using path
+ * components in the URL of the issuer identifier enables supporting multiple
+ * issuers per host in a multi-tenant hosting configuration.
+ *
+ *

+ * For example: + *

+ * + *

+ * NOTE: Explicitly configuring the issuer identifier via + * {@link #issuer(String)} forces to a single-tenant configuration. Avoid + * configuring the issuer identifier when using a multi-tenant hosting + * configuration, allowing the issuer identifier to be resolved from the + * "current" request. + * @param multipleIssuersAllowed {@code true} if multiple issuers are allowed per + * host, {@code false} otherwise + * @return the {@link Builder} for further configuration + */ + private boolean multipleIssuersAllowed = false; + /** * Registered clients of the Authorization Server. */ diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java index e53d587e192c..a4fe537dbfc9 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java 
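Review bot: The javadoc added above `private boolean multipleIssuersAllowed = false;` is copied from a builder method rather than written for a field: it carries `@param`/`@return` tags and a `{@link #issuer(String)}` reference, none of which apply to a boolean field on this properties class, and `#issuer(String)` appears to belong to the settings builder, so the link is unlikely to resolve here. The field also gets no accessor in this patch, while the mapper hunk in the same patch calls `this.properties::isMultipleIssuersAllowed`, so the two hunks do not compile together without a getter. Suggest a field-level comment such as `Whether multiple issuers are allowed per host; leave the issuer unset to have it resolved from the current request.` together with a matching `isMultipleIssuersAllowed()`/`setMultipleIssuersAllowed(boolean)` pair.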
@@ -51,7 +51,8 @@ AuthorizationServerSettings asAuthorizationServerSettings() {
 OAuth2AuthorizationServerProperties.Endpoint endpoint = this.properties.getEndpoint();
 OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoint.getOidc();
 AuthorizationServerSettings.Builder builder = AuthorizationServerSettings.builder();
- map.from(this.properties::getIssuer).to(builder::issuer);
+ map.from(this.properties::getIssuer).whenHasText().to(builder::issuer);
+ map.from(this.properties::isMultipleIssuersAllowed).to(builder::multipleIssuersAllowed);
 map.from(endpoint::getAuthorizationUri).to(builder::authorizationEndpoint);
 map.from(endpoint::getDeviceAuthorizationUri).to(builder::deviceAuthorizationEndpoint);
 map.from(endpoint::getDeviceVerificationUri).to(builder::deviceVerificationEndpoint);
From 1a6760e21d1f95d3bf7169c1e062733cde66cff6 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Wed, 17 Jul 2024 11:58:59 +0100
Subject: [PATCH 2/2] Polish "Add configuration property to allow multiple issuers"
See gh-41355
---
 .../OAuth2AuthorizationServerProperties.java | 33 +++++++------------
 ...h2AuthorizationServerPropertiesMapper.java | 4 +--
 ...horizationServerPropertiesMapperTests.java | 33 ++++++++++++++++++-
 3 files changed, 46 insertions(+), 24 deletions(-)
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
index fbce47a683b8..fd7ceba3c338 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -43,26 +43,9 @@ public class OAuth2AuthorizationServerProperties implements InitializingBean {
 private String issuer;
 /**
- * Set to {@code true} if multiple issuers are allowed per host. Using path
- * components in the URL of the issuer identifier enables supporting multiple
- * issuers per host in a multi-tenant hosting configuration.
- *
- *

- * For example: - *

- * - *

- * NOTE: Explicitly configuring the issuer identifier via
- * {@link #issuer(String)} forces to a single-tenant configuration. Avoid
- * configuring the issuer identifier when using a multi-tenant hosting
- * configuration, allowing the issuer identifier to be resolved from the
- * "current" request.
- * @param multipleIssuersAllowed {@code true} if multiple issuers are allowed per
- * host, {@code false} otherwise
- * @return the {@link Builder} for further configuration
+ * Whether multiple issuers are allowed per host. Using path components in the URL of
+ * the issuer identifier enables supporting multiple issuers per host in a
+ * multi-tenant hosting configuration.
 */
 private boolean multipleIssuersAllowed = false;
@@ -76,6 +59,14 @@ public class OAuth2AuthorizationServerProperties implements InitializingBean {
 */
 private final Endpoint endpoint = new Endpoint();
+ public boolean isMultipleIssuersAllowed() {
+ return this.multipleIssuersAllowed;
+ }
+
+ public void setMultipleIssuersAllowed(boolean multipleIssuersAllowed) {
+ this.multipleIssuersAllowed = multipleIssuersAllowed;
+ }
+
 public String getIssuer() {
 return this.issuer;
 }
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
index a4fe537dbfc9..58083756c537 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
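Review bot: The replacement javadoc on `multipleIssuersAllowed` drops the one operationally important sentence from the text it removes: that explicitly configuring the issuer forces a single-tenant configuration and that the issuer is otherwise resolved from the current request. Without it, an operator who sets both `issuer` and `multiple-issuers-allowed=true` gets no hint that the two interact, and nothing on this page shows how `AuthorizationServerSettings` treats that combination or whether the new test hunk covers it. Suggest keeping one more line in the javadoc: `Leave the issuer unset so that it is resolved from the current request; an explicit issuer forces a single-tenant configuration.` Since request-based resolution presumably derives the issuer from the incoming request's host and that value is what clients see as the issuer, the reference documentation for this property should also remind operators to honour forwarded/host headers only from trusted proxies.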
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -51,7 +51,7 @@ AuthorizationServerSettings asAuthorizationServerSettings() {
 OAuth2AuthorizationServerProperties.Endpoint endpoint = this.properties.getEndpoint();
 OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoint.getOidc();
 AuthorizationServerSettings.Builder builder = AuthorizationServerSettings.builder();
- map.from(this.properties::getIssuer).whenHasText().to(builder::issuer);
+ map.from(this.properties::getIssuer).to(builder::issuer);
 map.from(this.properties::isMultipleIssuersAllowed).to(builder::multipleIssuersAllowed);
 map.from(endpoint::getAuthorizationUri).to(builder::authorizationEndpoint);
 map.from(endpoint::getDeviceAuthorizationUri).to(builder::deviceAuthorizationEndpoint);
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java
index 8fbfb1eb4f2f..5773df36336b 100644
--- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java
+++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java
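Review bot: Reverting to `map.from(this.properties::getIssuer).to(builder::issuer)` changes what happens to an issuer property that is present but blank (for example `issuer=` left in a profile): `whenHasText()` skipped it, the plain form hands it to `builder::issuer`, and whether the builder rejects an empty string is not visible here. The new test only covers the unset case (`assertThat(settings.getIssuer()).isNull()`), so if an empty issuer is accepted it would silently take precedence over request-based resolution when `multipleIssuersAllowed` is true. Either keep `.whenHasText()` on this line or add a test that pins the blank-issuer behaviour. `asAuthorizationServerSettings` begins and ends outside this hunk.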
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -113,6 +113,37 @@ void getAuthorizationServerSettingsWhenValidParametersShouldAdapt() {
 oidc.setUserInfoUri("/user");
 AuthorizationServerSettings settings = this.mapper.asAuthorizationServerSettings();
 assertThat(settings.getIssuer()).isEqualTo("https://example.com");
+ assertThat(settings.isMultipleIssuersAllowed()).isFalse();
+ assertThat(settings.getAuthorizationEndpoint()).isEqualTo("/authorize");
+ assertThat(settings.getDeviceAuthorizationEndpoint()).isEqualTo("/device_authorization");
+ assertThat(settings.getDeviceVerificationEndpoint()).isEqualTo("/device_verification");
+ assertThat(settings.getTokenEndpoint()).isEqualTo("/token");
+ assertThat(settings.getJwkSetEndpoint()).isEqualTo("/jwks");
+ assertThat(settings.getTokenRevocationEndpoint()).isEqualTo("/revoke");
+ assertThat(settings.getTokenIntrospectionEndpoint()).isEqualTo("/introspect");
+ assertThat(settings.getOidcLogoutEndpoint()).isEqualTo("/logout");
+ assertThat(settings.getOidcClientRegistrationEndpoint()).isEqualTo("/register");
+ assertThat(settings.getOidcUserInfoEndpoint()).isEqualTo("/user");
+ }
+
+ @Test
+ void getAuthorizationServerSettingsWhenMultipleIssuersAllowedShouldAdapt() {
+ this.properties.setMultipleIssuersAllowed(true);
+ OAuth2AuthorizationServerProperties.Endpoint endpoints = this.properties.getEndpoint();
+ endpoints.setAuthorizationUri("/authorize");
+ endpoints.setDeviceAuthorizationUri("/device_authorization");
+ endpoints.setDeviceVerificationUri("/device_verification");
+ endpoints.setTokenUri("/token");
+ endpoints.setJwkSetUri("/jwks");
+ endpoints.setTokenRevocationUri("/revoke");
+ endpoints.setTokenIntrospectionUri("/introspect");
+ OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoints.getOidc();
+ oidc.setLogoutUri("/logout");
+ oidc.setClientRegistrationUri("/register");
+ oidc.setUserInfoUri("/user");
+ AuthorizationServerSettings settings = this.mapper.asAuthorizationServerSettings();
+ assertThat(settings.getIssuer()).isNull();
+
assertThat(settings.isMultipleIssuersAllowed()).isTrue(); assertThat(settings.getAuthorizationEndpoint()).isEqualTo("/authorize"); assertThat(settings.getDeviceAuthorizationEndpoint()).isEqualTo("/device_authorization"); assertThat(settings.getDeviceVerificationEndpoint()).isEqualTo("/device_verification");