diff --git a/config/src/test/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParserTests.java
index 6378f6a0ce4..308fa95b62b 100644
--- a/config/src/test/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/oauth2/client/ClientRegistrationsBeanDefinitionParserTests.java
@@ -152,7 +152,7 @@ public void parseWhenIssuerUriConfiguredThenRequestConfigFromIssuer() throws Exc
 		assertThat(googleRegistration.getClientAuthenticationMethod()).isEqualTo(ClientAuthenticationMethod.BASIC);
 		assertThat(googleRegistration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(googleRegistration.getRedirectUri()).isEqualTo("{baseUrl}/{action}/oauth2/code/{registrationId}");
-		assertThat(googleRegistration.getScopes()).isEqualTo(StringUtils.commaDelimitedListToSet("openid,profile,email"));
+		assertThat(googleRegistration.getScopes()).isNull();
 		assertThat(googleRegistration.getClientName()).isEqualTo(serverUrl);
 
 		ProviderDetails googleProviderDetails = googleRegistration.getProviderDetails();
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
index b8be1d4d428..997b5ab763b 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
@@ -25,7 +25,6 @@
 import com.nimbusds.oauth2.sdk.GrantType;
 import com.nimbusds.oauth2.sdk.ParseException;
-import com.nimbusds.oauth2.sdk.Scope;
 import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
 import net.minidev.json.JSONObject;
 
@@ -35,7 +34,6 @@
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
-import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.util.Assert;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
@@ -236,12 +234,10 @@ private static ClientRegistration.Builder withProviderConfiguration(Authorizatio
 			throw new IllegalArgumentException("Only AuthorizationGrantType.AUTHORIZATION_CODE is supported. The issuer \"" + issuer + "\" returned a configuration of " + grantTypes);
 		}
-		List scopes = getScopes(metadata);
 		Map configurationMetadata = new LinkedHashMap<>(metadata.toJSONObject());
 		return ClientRegistration.withRegistrationId(name)
 				.userNameAttributeName(IdTokenClaimNames.SUB)
-				.scope(scopes)
 				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
 				.clientAuthenticationMethod(method)
 				.redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
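Review bot: The `.userNameAttributeName(IdTokenClaimNames.SUB)` line that survives in the withProviderConfiguration hunk still assumes an ID token will be issued, but with `.scope(scopes)` dropped nothing in this builder requests the `openid` scope any more; whether the caller adds it is now an implicit contract of the public factory. Not copying `scopes_supported` is the right least-privilege call (requesting every scope the server advertises over-privileges the client), but the resulting obligation should be stated on the public entry points, e.g. a Javadoc note on the `fromIssuerLocation`/`fromOidcIssuerLocation` factories: `Scopes are not derived from the provider's {@code scopes_supported}; set them with {@link ClientRegistration.Builder#scope} yourself, and include {@code openid} for OpenID Connect login.` The updated tests pin `getScopes()` to null rather than an empty set, so anyone who relied on discovered scopes will now see a null collection, which is worth calling out as a behavior change in the commit description. withProviderConfiguration starts and ends outside this hunk, so I cannot see whether the factories' existing Javadoc already covers this.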
@@ -268,16 +264,6 @@ private static ClientAuthenticationMethod getClientAuthenticationMethod(String i
 				+ "ClientAuthenticationMethod.NONE are supported. The issuer \"" + issuer + "\" returned a configuration of " + metadataAuthMethods);
 	}
 
-	private static List getScopes(AuthorizationServerMetadata metadata) {
-		Scope scope = metadata.getScopes();
-		if (scope == null) {
-			// If null, default to "openid" which must be supported
-			return Collections.singletonList(OidcScopes.OPENID);
-		} else {
-			return scope.toStringList();
-		}
-	}
-
 	private ClientRegistrations() {}
 }
diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java
index 03677717b18..9e52579c8dc 100644
--- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java
+++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java
@@ -158,7 +158,7 @@ private void assertIssuerMetadata(ClientRegistration registration,
 		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(registration.getRegistrationId()).isEqualTo(this.server.getHostName());
 		assertThat(registration.getClientName()).isEqualTo(this.issuer);
-		assertThat(registration.getScopes()).containsOnly("openid", "email", "profile");
+		assertThat(registration.getScopes()).isNull();
 		assertThat(provider.getAuthorizationUri()).isEqualTo("https://example.com/o/oauth2/v2/auth");
 		assertThat(provider.getTokenUri()).isEqualTo("https://example.com/oauth2/v4/token");
 		assertThat(provider.getJwkSetUri()).isEqualTo("https://example.com/oauth2/v3/certs");
@@ -222,41 +222,6 @@ public void issuerWhenOAuth2ContainsTrailingSlashThenSuccess() throws Exception
 		assertThat(this.issuer).endsWith("/");
 	}
 
-	/**
-	 * https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
-	 *
-	 * RECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that this server supports. The
-	 * server MUST support the openid scope value.
-	 * @throws Exception
-	 */
-	@Test
-	public void issuerWhenScopesNullThenScopesDefaulted() throws Exception {
-		this.response.remove("scopes_supported");
-
-		ClientRegistration registration = registration("").build();
-
-		assertThat(registration.getScopes()).containsOnly("openid");
-	}
-
-	@Test
-	public void issuerWhenOidcFallbackScopesNullThenScopesDefaulted() throws Exception {
-		this.response.remove("scopes_supported");
-
-		ClientRegistration registration = registrationOidcFallback("", null).build();
-
-		assertThat(registration.getScopes()).containsOnly("openid");
-	}
-
-	@Test
-	public void issuerWhenOAuth2ScopesNullThenScopesDefaulted() throws Exception {
-		this.response.remove("scopes_supported");
-
-		ClientRegistration registration = registrationOAuth2("", null).build();
-
-		assertThat(registration.getScopes()).containsOnly("openid");
-	}
-
-
 	@Test
 	public void issuerWhenGrantTypesSupportedNullThenDefaulted() throws Exception {
 		this.response.remove("grant_types_supported");