spring-projects
diff --git a/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
Lines changed: 3 additions & 7 deletions b/‎config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerTests.java
Lines changed: 3 additions & 7 deletions
diff --git a/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.java
Lines changed: 8 additions & 7 deletions b/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeAuthenticationProvider.java
Lines changed: 8 additions & 7 deletions
diff --git a/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManager.java
Lines changed: 10 additions & 11 deletions b/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcAuthorizationCodeReactiveAuthenticationManager.java
Lines changed: 10 additions & 11 deletions
diff --git a/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
Lines changed: 19 additions & 17 deletions b/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java
Lines changed: 19 additions & 17 deletions
diff --git a/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
Lines changed: 19 additions & 17 deletions b/‎oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java
Lines changed: 19 additions & 17 deletions
@@ -75,7 +75,6 @@
  * Tests for {@link OAuth2ClientConfigurer}.
  *
  * @author Joe Grandja
- * @author Mark Heckler
  */
 public class OAuth2ClientConfigurerTests {
 	private static ClientRegistrationRepository clientRegistrationRepository;
@@ -139,8 +138,7 @@ public void configureWhenAuthorizationCodeRequestThenRedirectForAuthorization()
 		assertThat(mvcResult.getResponse().getRedirectedUrl()).matches("https://provider.com/oauth2/authorize\\?" +
 				"response_type=code&client_id=client-1&" +
 				"scope=user&state=.{15,}&" +
-				"redirect_uri=http://localhost/client-1&" +
-				"nonce=([a-zA-Z0-9\\-\\.\\_\\~]){43}");
+				"redirect_uri=http://localhost/client-1");
 	}
 
 	@Test
@@ -153,8 +151,7 @@ public void configureWhenOauth2ClientInLambdaThenRedirectForAuthorization() thro
 		assertThat(mvcResult.getResponse().getRedirectedUrl()).matches("https://provider.com/oauth2/authorize\\?" +
 				"response_type=code&client_id=client-1&" +
 				"scope=user&state=.{15,}&" +
-				"redirect_uri=http://localhost/client-1&" +
-				"nonce=([a-zA-Z0-9\\-\\.\\_\\~]){43}");
+				"redirect_uri=http://localhost/client-1");
 	}
 
 	@Test
@@ -206,8 +203,7 @@ public void configureWhenRequestCacheProvidedAndClientAuthorizationRequiredExcep
 		assertThat(mvcResult.getResponse().getRedirectedUrl()).matches("https://provider.com/oauth2/authorize\\?" +
 				"response_type=code&client_id=client-1&" +
 				"scope=user&state=.{15,}&" +
-				"redirect_uri=http://localhost/client-1&" +
-				"nonce=([a-zA-Z0-9\\-\\.\\_\\~]){43}");
+				"redirect_uri=http://localhost/client-1");
 
 		verify(requestCache).saveRequest(any(HttpServletRequest.class), any(HttpServletResponse.class));
 	}
 
@@ -158,21 +158,22 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				null);
 			throw new OAuth2AuthenticationException(invalidIdTokenError, invalidIdTokenError.toString());
 		}
-			OidcIdToken idToken = createOidcToken(clientRegistration, accessTokenResponse);
+		OidcIdToken idToken = createOidcToken(clientRegistration, accessTokenResponse);
 
+		// Validate nonce
 		String requestNonce = authorizationRequest.getAttribute(OidcParameterNames.NONCE);
 		if (requestNonce != null) {
 			String nonceHash;
-
 			try {
 				nonceHash = createHash(requestNonce);
 			} catch (NoSuchAlgorithmException e) {
-				throw new OAuth2AuthenticationException(new OAuth2Error(INVALID_NONCE_ERROR_CODE));
+				OAuth2Error oauth2Error = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
+				throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
 			}
-
-			String nonceHashClaim = idToken.getClaim(OidcParameterNames.NONCE);
+			String nonceHashClaim = idToken.getNonce();
 			if (nonceHashClaim == null || !nonceHashClaim.equals(nonceHash)) {
-				throw new OAuth2AuthenticationException(new OAuth2Error(INVALID_NONCE_ERROR_CODE));
+				OAuth2Error oauth2Error = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
+				throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
 			}
 		}
 
@@ -234,7 +235,7 @@ private OidcIdToken createOidcToken(ClientRegistration clientRegistration, OAuth
 		return idToken;
 	}
 
-	private String createHash(String nonce) throws NoSuchAlgorithmException {
+	static String createHash(String nonce) throws NoSuchAlgorithmException {
 		MessageDigest md = MessageDigest.getInstance("SHA-256");
 		byte[] digest = md.digest(nonce.getBytes(StandardCharsets.US_ASCII));
 		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
 
@@ -65,6 +65,7 @@
  * to complete the authentication.
  *
  * @author Rob Winch
+ * @author Mark Heckler
  * @since 5.1
  * @see OAuth2LoginAuthenticationToken
  * @see ReactiveOAuth2AccessTokenResponseClient
@@ -199,30 +200,28 @@ private Mono<OidcIdToken> createOidcToken(ClientRegistration clientRegistration,
 				.map(jwt -> new OidcIdToken(jwt.getTokenValue(), jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims()));
 	}
 
-	private Mono<OidcIdToken> validateNonce(OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication, OidcIdToken idToken) {
-		String requestNonce = authorizationCodeAuthentication
-				.getAuthorizationExchange()
-				.getAuthorizationRequest()
-				.getAttribute(OidcParameterNames.NONCE);
+	private static Mono<OidcIdToken> validateNonce(OAuth2AuthorizationCodeAuthenticationToken authorizationCodeAuthentication, OidcIdToken idToken) {
+		String requestNonce = authorizationCodeAuthentication.getAuthorizationExchange()
+				.getAuthorizationRequest().getAttribute(OidcParameterNames.NONCE);
 		if (requestNonce != null) {
 			String nonceHash;
-
 			try {
 				nonceHash = createHash(requestNonce);
 			} catch (NoSuchAlgorithmException e) {
-				throw new OAuth2AuthenticationException(new OAuth2Error(INVALID_NONCE_ERROR_CODE));
+				OAuth2Error oauth2Error = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
+				throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
 			}
-
-			String nonceHashClaim = idToken.getClaim(OidcParameterNames.NONCE);
+			String nonceHashClaim = idToken.getNonce();
 			if (nonceHashClaim == null || !nonceHashClaim.equals(nonceHash)) {
-				throw new OAuth2AuthenticationException(new OAuth2Error(INVALID_NONCE_ERROR_CODE));
+				OAuth2Error oauth2Error = new OAuth2Error(INVALID_NONCE_ERROR_CODE);
+				throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
 			}
 		}
 
 		return Mono.just(idToken);
 	}
 
-	private String createHash(String nonce) throws NoSuchAlgorithmException {
+	static String createHash(String nonce) throws NoSuchAlgorithmException {
 		MessageDigest md = MessageDigest.getInstance("SHA-256");
 		byte[] digest = md.digest(nonce.getBytes(StandardCharsets.US_ASCII));
 		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
 
@@ -24,10 +24,12 @@
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
 import org.springframework.security.web.util.UrlUtils;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.util.UriComponents;
 import org.springframework.web.util.UriComponentsBuilder;
@@ -63,7 +65,7 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
 	private final ClientRegistrationRepository clientRegistrationRepository;
 	private final AntPathRequestMatcher authorizationRequestMatcher;
 	private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
-	private final StringKeyGenerator stringKeyGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
+	private final StringKeyGenerator secureKeyGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
 
 	/**
 	 * Constructs a {@code DefaultOAuth2AuthorizationRequestResolver} using the provided parameters.
@@ -121,13 +123,16 @@ private OAuth2AuthorizationRequest resolve(HttpServletRequest request, String re
 		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
 			builder = OAuth2AuthorizationRequest.authorizationCode();
 			Map<String, Object> additionalParameters = new HashMap<>();
-
-			addNonceParameters(attributes, additionalParameters);
-
+			if (!CollectionUtils.isEmpty(clientRegistration.getScopes()) &&
+					clientRegistration.getScopes().contains(OidcScopes.OPENID)) {
+				// Section 3.1.2.1 Authentication Request - https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+				// scope
+				// 		REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
+				addNonceParameters(attributes, additionalParameters);
+			}
 			if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
 				addPkceParameters(attributes, additionalParameters);
 			}
-
 			builder.additionalParameters(additionalParameters);
 		} else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
 			builder = OAuth2AuthorizationRequest.implicit();
@@ -208,24 +213,21 @@ private static String expandRedirectUri(HttpServletRequest request, ClientRegist
 	}
 
 	/**
-	 * Creates nonce and its hash for use in OpenID Connect Authentication Requests
+	 * Creates nonce and its hash for use in OpenID Connect 1.0 Authentication Requests.
 	 *
-	 * @param attributes where {@link OidcParameterNames#NONCE} is stored for the token request
-	 * @param additionalParameters where hash of {@link OidcParameterNames#NONCE} is added to the authentication request
+	 * @param attributes where the {@link OidcParameterNames#NONCE} is stored for the authentication request
+	 * @param additionalParameters where the {@link OidcParameterNames#NONCE} hash is added for the authentication request
 	 *
 	 * @since 5.2
-	 * @see <a target="_blank" href="https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes">15.5.2.  Nonce Implementation Notes</a>
-	 * @see <a target="_blank" href="https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation">3.1.3.7.  ID Token Validation</a>
+	 * @see <a target="_blank" href="https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest">3.1.2.1.  Authentication Request</a>
 	 */
 	private void addNonceParameters(Map<String, Object> attributes, Map<String, Object> additionalParameters) {
 		try {
-			String nonce = this.stringKeyGenerator.generateKey();
-			attributes.put(OidcParameterNames.NONCE, nonce);
-			
+			String nonce = this.secureKeyGenerator.generateKey();
 			String nonceHash = createHash(nonce);
+			attributes.put(OidcParameterNames.NONCE, nonce);
 			additionalParameters.put(OidcParameterNames.NONCE, nonceHash);
-		} catch (NoSuchAlgorithmException ignored) {
-		}
+		} catch (NoSuchAlgorithmException e) { }
 	}
 
 	/**
@@ -241,7 +243,7 @@ private void addNonceParameters(Map<String, Object> attributes, Map<String, Obje
 	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-4.2">4.2.  Client Creates the Code Challenge</a>
 	 */
 	private void addPkceParameters(Map<String, Object> attributes, Map<String, Object> additionalParameters) {
-		String codeVerifier = this.stringKeyGenerator.generateKey();
+		String codeVerifier = this.secureKeyGenerator.generateKey();
 		attributes.put(PkceParameterNames.CODE_VERIFIER, codeVerifier);
 		try {
 			String codeChallenge = createHash(codeVerifier);
@@ -252,7 +254,7 @@ private void addPkceParameters(Map<String, Object> attributes, Map<String, Objec
 		}
 	}
 
-	private String createHash(String value) throws NoSuchAlgorithmException {
+	private static String createHash(String value) throws NoSuchAlgorithmException {
 		MessageDigest md = MessageDigest.getInstance("SHA-256");
 		byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
 		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
 
@@ -27,10 +27,12 @@
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
 import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.server.ServerWebExchange;
@@ -77,7 +79,7 @@ public class DefaultServerOAuth2AuthorizationRequestResolver
 
 	private final StringKeyGenerator stateGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder());
 
-	private final StringKeyGenerator stringKeyGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
+	private final StringKeyGenerator secureKeyGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96);
 
 	/**
 	 * Creates a new instance
@@ -135,13 +137,16 @@ private OAuth2AuthorizationRequest authorizationRequest(ServerWebExchange exchan
 		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
 			builder = OAuth2AuthorizationRequest.authorizationCode();
 			Map<String, Object> additionalParameters = new HashMap<>();
-
-			addNonceParameters(attributes, additionalParameters);
-
+			if (!CollectionUtils.isEmpty(clientRegistration.getScopes()) &&
+					clientRegistration.getScopes().contains(OidcScopes.OPENID)) {
+				// Section 3.1.2.1 Authentication Request - https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+				// scope
+				// 		REQUIRED. OpenID Connect requests MUST contain the "openid" scope value.
+				addNonceParameters(attributes, additionalParameters);
+			}
 			if (ClientAuthenticationMethod.NONE.equals(clientRegistration.getClientAuthenticationMethod())) {
 				addPkceParameters(attributes, additionalParameters);
 			}
-
 			builder.additionalParameters(additionalParameters);
 		} else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
 			builder = OAuth2AuthorizationRequest.implicit();
@@ -212,24 +217,21 @@ private static String expandRedirectUri(ServerHttpRequest request, ClientRegistr
 	}
 
 	/**
-	 * Creates nonce and its hash for use in OpenID Connect Authentication Requests
+	 * Creates nonce and its hash for use in OpenID Connect 1.0 Authentication Requests.
 	 *
-	 * @param attributes where {@link OidcParameterNames#NONCE} is stored for the token request
-	 * @param additionalParameters where hash of {@link OidcParameterNames#NONCE} is added to the authentication request
+	 * @param attributes where the {@link OidcParameterNames#NONCE} is stored for the authentication request
+	 * @param additionalParameters where the {@link OidcParameterNames#NONCE} hash is added for the authentication request
 	 *
 	 * @since 5.2
-	 * @see <a target="_blank" href="https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes">15.5.2.  Nonce Implementation Notes</a>
-	 * @see <a target="_blank" href="https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation">3.1.3.7.  ID Token Validation</a>
+	 * @see <a target="_blank" href="https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest">3.1.2.1.  Authentication Request</a>
 	 */
 	private void addNonceParameters(Map<String, Object> attributes, Map<String, Object> additionalParameters) {
 		try {
-			String nonce = this.stringKeyGenerator.generateKey();
-			attributes.put(OidcParameterNames.NONCE, nonce);
-			
+			String nonce = this.secureKeyGenerator.generateKey();
 			String nonceHash = createHash(nonce);
+			attributes.put(OidcParameterNames.NONCE, nonce);
 			additionalParameters.put(OidcParameterNames.NONCE, nonceHash);
-		} catch (NoSuchAlgorithmException ignored) {
-		}
+		} catch (NoSuchAlgorithmException e) { }
 	}
 
 	/**
@@ -245,7 +247,7 @@ private void addNonceParameters(Map<String, Object> attributes, Map<String, Obje
 	 * @see <a target="_blank" href="https://tools.ietf.org/html/rfc7636#section-4.2">4.2.  Client Creates the Code Challenge</a>
 	 */
 	private void addPkceParameters(Map<String, Object> attributes, Map<String, Object> additionalParameters) {
-		String codeVerifier = this.stringKeyGenerator.generateKey();
+		String codeVerifier = this.secureKeyGenerator.generateKey();
 		attributes.put(PkceParameterNames.CODE_VERIFIER, codeVerifier);
 		try {
 			String codeChallenge = createHash(codeVerifier);
@@ -256,7 +258,7 @@ private void addPkceParameters(Map<String, Object> attributes, Map<String, Objec
 		}
 	}
 
-	private String createHash(String value) throws NoSuchAlgorithmException {
+	private static String createHash(String value) throws NoSuchAlgorithmException {
 		MessageDigest md = MessageDigest.getInstance("SHA-256");
 		byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
 		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);