Add support for implicit grant type

Fixes gh-4500

Author: jgrandja

config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterComparator.java

@@ -78,7 +78,7 @@ final class FilterComparator implements Comparator<Filter>, Serializable {
 		put(LogoutFilter.class, order);
 		order += STEP;
 		filterToOrder.put(
-			"org.springframework.security.oauth2.client.web.AuthorizationCodeRequestRedirectFilter",
+			"org.springframework.security.oauth2.client.web.AuthorizationRequestRedirectFilter",
 			order);
 		order += STEP;
 		put(X509AuthenticationFilter.class, order);

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/AuthorizationCodeGrantConfigurer.java

@@ -35,7 +35,7 @@
 import org.springframework.security.oauth2.client.user.DelegatingOAuth2UserService;
 import org.springframework.security.oauth2.client.user.OAuth2UserService;
 import org.springframework.security.oauth2.client.web.AuthorizationCodeAuthenticationFilter;
-import org.springframework.security.oauth2.client.web.AuthorizationCodeRequestRedirectFilter;
+import org.springframework.security.oauth2.client.web.AuthorizationRequestRedirectFilter;
 import org.springframework.security.oauth2.client.web.AuthorizationGrantTokenExchanger;
 import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
 import org.springframework.security.oauth2.client.web.AuthorizationRequestUriBuilder;
@@ -63,7 +63,7 @@ public class AuthorizationCodeGrantConfigurer<B extends HttpSecurityBuilder<B>>
 	AbstractHttpConfigurer<AuthorizationCodeGrantConfigurer<B>, B> {
 
 	// ***** Authorization Request members
-	private AuthorizationCodeRequestRedirectFilter authorizationRequestFilter;
+	private AuthorizationRequestRedirectFilter authorizationRequestFilter;
 	private String authorizationRequestBaseUri;
 	private AuthorizationRequestUriBuilder authorizationRequestBuilder;
 	private AuthorizationRequestRepository authorizationRequestRepository;
@@ -180,8 +180,8 @@ public final void init(B http) throws Exception {
 		// *************************
 		// ***** Initialize Filter's
 		//
-		// 	-> AuthorizationCodeRequestRedirectFilter
-		this.authorizationRequestFilter = new AuthorizationCodeRequestRedirectFilter(
+		// 	-> AuthorizationRequestRedirectFilter
+		this.authorizationRequestFilter = new AuthorizationRequestRedirectFilter(
 			this.getAuthorizationRequestBaseUri(), this.getClientRegistrationRepository());
 		if (this.authorizationRequestBuilder != null) {
 			this.authorizationRequestFilter.setAuthorizationUriBuilder(this.authorizationRequestBuilder);
@@ -210,14 +210,14 @@ public void configure(B http) throws Exception {
 		http.addFilter(this.postProcess(this.authorizationResponseFilter));
 	}
 
-	AuthorizationCodeRequestRedirectFilter getAuthorizationRequestFilter() {
+	AuthorizationRequestRedirectFilter getAuthorizationRequestFilter() {
 		return this.authorizationRequestFilter;
 	}
 
 	String getAuthorizationRequestBaseUri() {
 		return this.authorizationRequestBaseUri != null ?
 			this.authorizationRequestBaseUri :
-			AuthorizationCodeRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
+			AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
 	}
 
 	String getAuthorizationResponseBaseUri() {

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java

@@ -0,0 +1,84 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.config.annotation.web.configurers.oauth2.client;
+
+import org.springframework.context.ApplicationContext;
+import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.AuthorizationRequestRedirectFilter;
+import org.springframework.security.oauth2.client.web.AuthorizationRequestUriBuilder;
+import org.springframework.util.Assert;
+
+/**
+ * A security configurer for the Implicit Grant type.
+ *
+ * @author Joe Grandja
+ * @since 5.0
+ */
+public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>> extends
+	AbstractHttpConfigurer<ImplicitGrantConfigurer<B>, B> {
+
+	private String authorizationRequestBaseUri;
+	private AuthorizationRequestUriBuilder authorizationRequestBuilder;
+
+	public ImplicitGrantConfigurer<B> authorizationRequestBaseUri(String authorizationRequestBaseUri) {
+		Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty");
+		this.authorizationRequestBaseUri = authorizationRequestBaseUri;
+		return this;
+	}
+
+	public ImplicitGrantConfigurer<B> authorizationRequestBuilder(AuthorizationRequestUriBuilder authorizationRequestBuilder) {
+		Assert.notNull(authorizationRequestBuilder, "authorizationRequestBuilder cannot be null");
+		this.authorizationRequestBuilder = authorizationRequestBuilder;
+		return this;
+	}
+
+	public ImplicitGrantConfigurer<B> clientRegistrationRepository(ClientRegistrationRepository clientRegistrationRepository) {
+		Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
+		this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository);
+		return this;
+	}
+
+	@Override
+	public void configure(B http) throws Exception {
+		AuthorizationRequestRedirectFilter authorizationRequestFilter = new AuthorizationRequestRedirectFilter(
+			this.getAuthorizationRequestBaseUri(), this.getClientRegistrationRepository());
+		if (this.authorizationRequestBuilder != null) {
+			authorizationRequestFilter.setAuthorizationUriBuilder(this.authorizationRequestBuilder);
+		}
+		http.addFilter(this.postProcess(authorizationRequestFilter));
+	}
+
+	private String getAuthorizationRequestBaseUri() {
+		return this.authorizationRequestBaseUri != null ?
+			this.authorizationRequestBaseUri :
+			AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
+	}
+
+	private ClientRegistrationRepository getClientRegistrationRepository() {
+		ClientRegistrationRepository clientRegistrationRepository = this.getBuilder().getSharedObject(ClientRegistrationRepository.class);
+		if (clientRegistrationRepository == null) {
+			clientRegistrationRepository = this.getClientRegistrationRepositoryBean();
+			this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository);
+		}
+		return clientRegistrationRepository;
+	}
+
+	private ClientRegistrationRepository getClientRegistrationRepositoryBean() {
+		return this.getBuilder().getSharedObject(ApplicationContext.class).getBean(ClientRegistrationRepository.class);
+	}
+}

config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java

@@ -109,15 +109,16 @@ public void getBuilderWhenOktaShouldHaveOktaSettings() throws Exception {
 		ClientRegistration registration = builder(CommonOAuth2Provider.OKTA)
 			.authorizationUri("http://example.com/auth")
 			.tokenUri("http://example.com/token")
-			.userInfoUri("http://example.com/info").build();
+			.userInfoUri("http://example.com/info")
+			.jwkSetUri("http://example.com/jwkset").build();
 		ProviderDetails providerDetails = registration.getProviderDetails();
 		assertThat(providerDetails.getAuthorizationUri())
 			.isEqualTo("http://example.com/auth");
 		assertThat(providerDetails.getTokenUri()).isEqualTo("http://example.com/token");
 		assertThat(providerDetails.getUserInfoEndpoint().getUri()).isEqualTo("http://example.com/info");
 		assertThat(providerDetails.getUserInfoEndpoint().getUserNameAttributeName())
 			.isEqualTo(IdTokenClaim.SUB);
-		assertThat(providerDetails.getJwkSetUri()).isNull();
+		assertThat(providerDetails.getJwkSetUri()).isEqualTo("http://example.com/jwkset");
 		assertThat(registration.getClientAuthenticationMethod())
 			.isEqualTo(ClientAuthenticationMethod.BASIC);
 		assertThat(registration.getAuthorizationGrantType())

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java

@@ -304,13 +304,18 @@ public Builder clientName(String clientName) {
 		}
 
 		public ClientRegistration build() {
-			this.validateClientWithAuthorizationCodeGrantType();
-			ClientRegistration clientRegistration = new ClientRegistration();
-			this.setProperties(clientRegistration);
-			return clientRegistration;
+			Assert.notNull(this.authorizationGrantType, "authorizationGrantType cannot be null");
+			if (AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType)) {
+				this.validateImplicitGrantType();
+			} else {
+				this.validateAuthorizationCodeGrantType();
+			}
+			return this.create();
 		}
 
-		protected void setProperties(ClientRegistration clientRegistration) {
+		protected ClientRegistration create() {
+			ClientRegistration clientRegistration = new ClientRegistration();
+
 			clientRegistration.setRegistrationId(this.registrationId);
 			clientRegistration.setClientId(this.clientId);
 			clientRegistration.setClientSecret(this.clientSecret);
@@ -328,9 +333,11 @@ protected void setProperties(ClientRegistration clientRegistration) {
 			clientRegistration.setProviderDetails(providerDetails);
 
 			clientRegistration.setClientName(this.clientName);
+
+			return clientRegistration;
 		}
 
-		protected void validateClientWithAuthorizationCodeGrantType() {
+		protected void validateAuthorizationCodeGrantType() {
 			Assert.isTrue(AuthorizationGrantType.AUTHORIZATION_CODE.equals(this.authorizationGrantType),
 				"authorizationGrantType must be " + AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
 			Assert.hasText(this.registrationId, "registrationId cannot be empty");
@@ -341,12 +348,22 @@ protected void validateClientWithAuthorizationCodeGrantType() {
 			Assert.notEmpty(this.scope, "scope cannot be empty");
 			Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
 			Assert.hasText(this.tokenUri, "tokenUri cannot be empty");
-			if (!this.scope.contains(OidcScope.OPENID)) {
-				// userInfoUri is optional for OIDC Clients
-				Assert.hasText(this.userInfoUri, "userInfoUri cannot be empty");
+			if (this.scope.contains(OidcScope.OPENID)) {
+				// OIDC Clients need to verify/validate the ID Token
+				Assert.hasText(this.jwkSetUri, "jwkSetUri cannot be empty");
 			}
 			Assert.hasText(this.clientName, "clientName cannot be empty");
+		}
+
+		protected void validateImplicitGrantType() {
+			Assert.isTrue(AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType),
+				"authorizationGrantType must be " + AuthorizationGrantType.IMPLICIT.getValue());
 			Assert.hasText(this.registrationId, "registrationId cannot be empty");
+			Assert.hasText(this.clientId, "clientId cannot be empty");
+			Assert.hasText(this.redirectUri, "redirectUri cannot be empty");
+			Assert.notEmpty(this.scope, "scope cannot be empty");
+			Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
+			Assert.hasText(this.clientName, "clientName cannot be empty");
 		}
 	}
 }

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/AuthorizationCodeAuthenticationFilter.java

@@ -72,11 +72,11 @@
  * @see AbstractAuthenticationProcessingFilter
  * @see AuthorizationCodeAuthenticationToken
  * @see AuthorizationCodeAuthenticationProvider
- * @see AuthorizationCodeRequestRedirectFilter
+ * @see AuthorizationRequestRedirectFilter
  * @see AuthorizationRequest
  * @see AuthorizationRequestRepository
  * @see ClientRegistrationRepository
- * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">Section 4.1 Authorization Code Grant Flow</a>
+ * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1">Section 4.1 Authorization Code Grant</a>
  * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.1.2">Section 4.1.2 Authorization Response</a>
  */
 public class AuthorizationCodeAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
@@ -121,7 +121,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 
 		// The clientRegistration.redirectUri may contain Uri template variables, whether it's configured by
 		// the user or configured by default. In these cases, the redirectUri will be expanded and ultimately changed
-		// (by AuthorizationCodeRequestRedirectFilter) before setting it in the authorization request.
+		// (by AuthorizationRequestRedirectFilter) before setting it in the authorization request.
 		// The resulting redirectUri used for the authorization request and saved within the AuthorizationRequestRepository
 		// MUST BE the same one used to complete the authorization code flow.
 		// Therefore, we'll create a copy of the clientRegistration and override the redirectUri