Provide configurable Clock in OAuth2AuthorizedClientProvider impls

Fixes gh-7114

Author: jgrandja

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientCredentialsOAuth2AuthorizedClientProvider.java

@@ -25,6 +25,7 @@
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
 import org.springframework.util.Assert;
 
+import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
 
@@ -41,6 +42,7 @@ public final class ClientCredentialsOAuth2AuthorizedClientProvider implements OA
 	private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient =
 			new DefaultClientCredentialsTokenResponseClient();
 	private Duration clockSkew = Duration.ofSeconds(60);
+	private Clock clock = Clock.systemUTC();
 
 	/**
 	 * Attempt to authorize (or re-authorize) the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}.
@@ -84,7 +86,7 @@ public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 	}
 
 	private boolean hasTokenExpired(AbstractOAuth2Token token) {
-		return token.getExpiresAt().isBefore(Instant.now().minus(this.clockSkew));
+		return token.getExpiresAt().isBefore(Instant.now(this.clock).minus(this.clockSkew));
 	}
 
 	/**
@@ -100,7 +102,7 @@ public void setAccessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2C
 	/**
 	 * Sets the maximum acceptable clock skew, which is used when checking the
 	 * {@link OAuth2AuthorizedClient#getAccessToken() access token} expiry. The default is 60 seconds.
-	 * An access token is considered expired if it's before {@code Instant.now() - clockSkew}.
+	 * An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}.
 	 *
 	 * @param clockSkew the maximum acceptable clock skew
 	 */
@@ -109,4 +111,14 @@ public void setClockSkew(Duration clockSkew) {
 		Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");
 		this.clockSkew = clockSkew;
 	}
+
+	/**
+	 * Sets the {@link Clock} used in {@link Instant#now(Clock)} when checking the access token expiry.
+	 *
+	 * @param clock the clock
+	 */
+	public void setClock(Clock clock) {
+		Assert.notNull(clock, "clock cannot be null");
+		this.clock = clock;
+	}
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ClientCredentialsReactiveOAuth2AuthorizedClientProvider.java

@@ -24,6 +24,7 @@
 import org.springframework.util.Assert;
 import reactor.core.publisher.Mono;
 
+import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
 
@@ -40,6 +41,7 @@ public final class ClientCredentialsReactiveOAuth2AuthorizedClientProvider imple
 	private ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient =
 			new WebClientReactiveClientCredentialsTokenResponseClient();
 	private Duration clockSkew = Duration.ofSeconds(60);
+	private Clock clock = Clock.systemUTC();
 
 	/**
 	 * Attempt to authorize (or re-authorize) the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}.
@@ -80,7 +82,7 @@ public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context
 	}
 
 	private boolean hasTokenExpired(AbstractOAuth2Token token) {
-		return token.getExpiresAt().isBefore(Instant.now().minus(this.clockSkew));
+		return token.getExpiresAt().isBefore(Instant.now(this.clock).minus(this.clockSkew));
 	}
 
 	/**
@@ -96,7 +98,7 @@ public void setAccessTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient
 	/**
 	 * Sets the maximum acceptable clock skew, which is used when checking the
 	 * {@link OAuth2AuthorizedClient#getAccessToken() access token} expiry. The default is 60 seconds.
-	 * An access token is considered expired if it's before {@code Instant.now() - clockSkew}.
+	 * An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}.
 	 *
 	 * @param clockSkew the maximum acceptable clock skew
 	 */
@@ -105,4 +107,14 @@ public void setClockSkew(Duration clockSkew) {
 		Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");
 		this.clockSkew = clockSkew;
 	}
+
+	/**
+	 * Sets the {@link Clock} used in {@link Instant#now(Clock)} when checking the access token expiry.
+	 *
+	 * @param clock the clock
+	 */
+	public void setClock(Clock clock) {
+		Assert.notNull(clock, "clock cannot be null");
+		this.clock = clock;
+	}
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java

@@ -20,7 +20,9 @@
 import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
 import org.springframework.util.Assert;
 
+import java.time.Clock;
 import java.time.Duration;
+import java.time.Instant;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -128,6 +130,7 @@ public OAuth2AuthorizedClientProviderBuilder refreshToken(Consumer<RefreshTokenG
 	public class RefreshTokenGrantBuilder implements Builder {
 		private OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient;
 		private Duration clockSkew;
+		private Clock clock;
 
 		private RefreshTokenGrantBuilder() {
 		}
@@ -145,7 +148,7 @@ public RefreshTokenGrantBuilder accessTokenResponseClient(OAuth2AccessTokenRespo
 
 		/**
 		 * Sets the maximum acceptable clock skew, which is used when checking the access token expiry.
-		 * An access token is considered expired if it's before {@code Instant.now() - clockSkew}.
+		 * An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}.
 		 *
 		 * @param clockSkew the maximum acceptable clock skew
 		 * @return the {@link RefreshTokenGrantBuilder}
@@ -155,6 +158,17 @@ public RefreshTokenGrantBuilder clockSkew(Duration clockSkew) {
 			return this;
 		}
 
+		/**
+		 * Sets the {@link Clock} used in {@link Instant#now(Clock)} when checking the access token expiry.
+		 *
+		 * @param clock the clock
+		 * @return the {@link RefreshTokenGrantBuilder}
+		 */
+		public RefreshTokenGrantBuilder clock(Clock clock) {
+			this.clock = clock;
+			return this;
+		}
+
 		/**
 		 * Builds an instance of {@link RefreshTokenOAuth2AuthorizedClientProvider}.
 		 *
@@ -169,6 +183,9 @@ public OAuth2AuthorizedClientProvider build() {
 			if (this.clockSkew != null) {
 				authorizedClientProvider.setClockSkew(this.clockSkew);
 			}
+			if (this.clock != null) {
+				authorizedClientProvider.setClock(this.clock);
+			}
 			return authorizedClientProvider;
 		}
 	}
@@ -202,6 +219,7 @@ public OAuth2AuthorizedClientProviderBuilder clientCredentials(Consumer<ClientCr
 	public class ClientCredentialsGrantBuilder implements Builder {
 		private OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient;
 		private Duration clockSkew;
+		private Clock clock;
 
 		private ClientCredentialsGrantBuilder() {
 		}
@@ -219,7 +237,7 @@ public ClientCredentialsGrantBuilder accessTokenResponseClient(OAuth2AccessToken
 
 		/**
 		 * Sets the maximum acceptable clock skew, which is used when checking the access token expiry.
-		 * An access token is considered expired if it's before {@code Instant.now() - clockSkew}.
+		 * An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}.
 		 *
 		 * @param clockSkew the maximum acceptable clock skew
 		 * @return the {@link ClientCredentialsGrantBuilder}
@@ -229,6 +247,17 @@ public ClientCredentialsGrantBuilder clockSkew(Duration clockSkew) {
 			return this;
 		}
 
+		/**
+		 * Sets the {@link Clock} used in {@link Instant#now(Clock)} when checking the access token expiry.
+		 *
+		 * @param clock the clock
+		 * @return the {@link ClientCredentialsGrantBuilder}
+		 */
+		public ClientCredentialsGrantBuilder clock(Clock clock) {
+			this.clock = clock;
+			return this;
+		}
+
 		/**
 		 * Builds an instance of {@link ClientCredentialsOAuth2AuthorizedClientProvider}.
 		 *
@@ -243,6 +272,9 @@ public OAuth2AuthorizedClientProvider build() {
 			if (this.clockSkew != null) {
 				authorizedClientProvider.setClockSkew(this.clockSkew);
 			}
+			if (this.clock != null) {
+				authorizedClientProvider.setClock(this.clock);
+			}
 			return authorizedClientProvider;
 		}
 	}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java

@@ -20,7 +20,9 @@
 import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
 import org.springframework.util.Assert;
 
+import java.time.Clock;
 import java.time.Duration;
+import java.time.Instant;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
@@ -128,6 +130,7 @@ public ReactiveOAuth2AuthorizedClientProviderBuilder refreshToken(Consumer<Refre
 	public class RefreshTokenGrantBuilder implements Builder {
 		private ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient;
 		private Duration clockSkew;
+		private Clock clock;
 
 		private RefreshTokenGrantBuilder() {
 		}
@@ -145,7 +148,7 @@ public RefreshTokenGrantBuilder accessTokenResponseClient(ReactiveOAuth2AccessTo
 
 		/**
 		 * Sets the maximum acceptable clock skew, which is used when checking the access token expiry.
-		 * An access token is considered expired if it's before {@code Instant.now() - clockSkew}.
+		 * An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}.
 		 *
 		 * @param clockSkew the maximum acceptable clock skew
 		 * @return the {@link RefreshTokenGrantBuilder}
@@ -155,6 +158,17 @@ public RefreshTokenGrantBuilder clockSkew(Duration clockSkew) {
 			return this;
 		}
 
+		/**
+		 * Sets the {@link Clock} used in {@link Instant#now(Clock)} when checking the access token expiry.
+		 *
+		 * @param clock the clock
+		 * @return the {@link RefreshTokenGrantBuilder}
+		 */
+		public RefreshTokenGrantBuilder clock(Clock clock) {
+			this.clock = clock;
+			return this;
+		}
+
 		/**
 		 * Builds an instance of {@link RefreshTokenReactiveOAuth2AuthorizedClientProvider}.
 		 *
@@ -169,6 +183,9 @@ public ReactiveOAuth2AuthorizedClientProvider build() {
 			if (this.clockSkew != null) {
 				authorizedClientProvider.setClockSkew(this.clockSkew);
 			}
+			if (this.clock != null) {
+				authorizedClientProvider.setClock(this.clock);
+			}
 			return authorizedClientProvider;
 		}
 	}
@@ -202,6 +219,7 @@ public ReactiveOAuth2AuthorizedClientProviderBuilder clientCredentials(Consumer<
 	public class ClientCredentialsGrantBuilder implements Builder {
 		private ReactiveOAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient;
 		private Duration clockSkew;
+		private Clock clock;
 
 		private ClientCredentialsGrantBuilder() {
 		}
@@ -219,7 +237,7 @@ public ClientCredentialsGrantBuilder accessTokenResponseClient(ReactiveOAuth2Acc
 
 		/**
 		 * Sets the maximum acceptable clock skew, which is used when checking the access token expiry.
-		 * An access token is considered expired if it's before {@code Instant.now() - clockSkew}.
+		 * An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}.
 		 *
 		 * @param clockSkew the maximum acceptable clock skew
 		 * @return the {@link ClientCredentialsGrantBuilder}
@@ -229,6 +247,17 @@ public ClientCredentialsGrantBuilder clockSkew(Duration clockSkew) {
 			return this;
 		}
 
+		/**
+		 * Sets the {@link Clock} used in {@link Instant#now(Clock)} when checking the access token expiry.
+		 *
+		 * @param clock the clock
+		 * @return the {@link ClientCredentialsGrantBuilder}
+		 */
+		public ClientCredentialsGrantBuilder clock(Clock clock) {
+			this.clock = clock;
+			return this;
+		}
+
 		/**
 		 * Builds an instance of {@link ClientCredentialsReactiveOAuth2AuthorizedClientProvider}.
 		 *
@@ -243,6 +272,9 @@ public ReactiveOAuth2AuthorizedClientProvider build() {
 			if (this.clockSkew != null) {
 				authorizedClientProvider.setClockSkew(this.clockSkew);
 			}
+			if (this.clock != null) {
+				authorizedClientProvider.setClock(this.clock);
+			}
 			return authorizedClientProvider;
 		}
 	}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/RefreshTokenOAuth2AuthorizedClientProvider.java

@@ -24,6 +24,7 @@
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
 import org.springframework.util.Assert;
 
+import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Arrays;
@@ -44,6 +45,7 @@ public final class RefreshTokenOAuth2AuthorizedClientProvider implements OAuth2A
 	private OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient =
 			new DefaultRefreshTokenTokenResponseClient();
 	private Duration clockSkew = Duration.ofSeconds(60);
+	private Clock clock = Clock.systemUTC();
 
 	/**
 	 * Attempt to re-authorize the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}.
@@ -92,7 +94,7 @@ public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
 	}
 
 	private boolean hasTokenExpired(AbstractOAuth2Token token) {
-		return token.getExpiresAt().isBefore(Instant.now().minus(this.clockSkew));
+		return token.getExpiresAt().isBefore(Instant.now(this.clock).minus(this.clockSkew));
 	}
 
 	/**
@@ -108,7 +110,7 @@ public void setAccessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2R
 	/**
 	 * Sets the maximum acceptable clock skew, which is used when checking the
 	 * {@link OAuth2AuthorizedClient#getAccessToken() access token} expiry. The default is 60 seconds.
-	 * An access token is considered expired if it's before {@code Instant.now() - clockSkew}.
+	 * An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}.
 	 *
 	 * @param clockSkew the maximum acceptable clock skew
 	 */
@@ -117,4 +119,14 @@ public void setClockSkew(Duration clockSkew) {
 		Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");
 		this.clockSkew = clockSkew;
 	}
+
+	/**
+	 * Sets the {@link Clock} used in {@link Instant#now(Clock)} when checking the access token expiry.
+	 *
+	 * @param clock the clock
+	 */
+	public void setClock(Clock clock) {
+		Assert.notNull(clock, "clock cannot be null");
+		this.clock = clock;
+	}
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/RefreshTokenReactiveOAuth2AuthorizedClientProvider.java

@@ -24,6 +24,7 @@
 import org.springframework.util.Assert;
 import reactor.core.publisher.Mono;
 
+import java.time.Clock;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Arrays;
@@ -44,6 +45,7 @@ public final class RefreshTokenReactiveOAuth2AuthorizedClientProvider implements
 	private ReactiveOAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> accessTokenResponseClient =
 			new WebClientReactiveRefreshTokenTokenResponseClient();
 	private Duration clockSkew = Duration.ofSeconds(60);
+	private Clock clock = Clock.systemUTC();
 
 	/**
 	 * Attempt to re-authorize the {@link OAuth2AuthorizationContext#getClientRegistration() client} in the provided {@code context}.
@@ -91,7 +93,7 @@ public Mono<OAuth2AuthorizedClient> authorize(OAuth2AuthorizationContext context
 	}
 
 	private boolean hasTokenExpired(AbstractOAuth2Token token) {
-		return token.getExpiresAt().isBefore(Instant.now().minus(this.clockSkew));
+		return token.getExpiresAt().isBefore(Instant.now(this.clock).minus(this.clockSkew));
 	}
 
 	/**
@@ -107,7 +109,7 @@ public void setAccessTokenResponseClient(ReactiveOAuth2AccessTokenResponseClient
 	/**
 	 * Sets the maximum acceptable clock skew, which is used when checking the
 	 * {@link OAuth2AuthorizedClient#getAccessToken() access token} expiry. The default is 60 seconds.
-	 * An access token is considered expired if it's before {@code Instant.now() - clockSkew}.
+	 * An access token is considered expired if it's before {@code Instant.now(this.clock) - clockSkew}.
 	 *
 	 * @param clockSkew the maximum acceptable clock skew
 	 */
@@ -116,4 +118,14 @@ public void setClockSkew(Duration clockSkew) {
 		Assert.isTrue(clockSkew.getSeconds() >= 0, "clockSkew must be >= 0");
 		this.clockSkew = clockSkew;
 	}
+
+	/**
+	 * Sets the {@link Clock} used in {@link Instant#now(Clock)} when checking the access token expiry.
+	 *
+	 * @param clock the clock
+	 */
+	public void setClock(Clock clock) {
+		Assert.notNull(clock, "clock cannot be null");
+		this.clock = clock;
+	}
 }