Extract Validation/Authentication Logic in AuthorizationCodeAuthenticationProcessingFilter #4590

Closed
rwinch opened this issue Sep 29, 2017 · 0 comments
rwinch commented Sep 29, 2017

Summary

There is quite a bit of logic in the AuthorizationCodeAuthenticationProcessingFilter which is considered validation or authentication. For example:

// 1. The authorization server returned an error response: discard the stored request and fail.
ErrorResponseAttributes authorizationError = this.errorResponseConverter.apply(request);
if (authorizationError != null) {
    OAuth2Error oauth2Error = new OAuth2Error(authorizationError.getErrorCode(),
        authorizationError.getDescription(), authorizationError.getUri());
    this.getAuthorizationRequestRepository().removeAuthorizationRequest(request);
    throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}

// 2. The returned state must match the one stored with the authorization request (CSRF binding).
if (!authorizationRequest.getState().equals(state)) {
    OAuth2Error oauth2Error = new OAuth2Error(INVALID_STATE_PARAMETER_ERROR_CODE);
    throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}

// 3. The callback must arrive at exactly the redirect URI that was sent in the authorization request.
if (!request.getRequestURL().toString().equals(authorizationRequest.getRedirectUri())) {
    OAuth2Error oauth2Error = new OAuth2Error(INVALID_REDIRECT_URI_PARAMETER_ERROR_CODE);
    throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}

We should try to provide a richer Authentication object to the AuthenticationManager and allow it to validate the response entirely.
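The following is an added sketch, not Spring Security code, of what the proposed split looks like: a richer authentication object that carries both the stored authorization request and the callback parameters, and a provider-style class that performs the three checks the filter currently does. All class names, the error-code string values and the constant-time state comparison are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Hypothetical richer Authentication: holds what was stored when the user was redirected
// to the authorization server, plus what came back on the callback.
final class AuthorizationCodeAuthentication {
    final String expectedState, expectedRedirectUri;   // from the persisted authorization request
    final String error, code, state, requestUrl;       // from the callback request (error may be null)
    AuthorizationCodeAuthentication(String expectedState, String expectedRedirectUri,
                                    String error, String code, String state, String requestUrl) {
        this.expectedState = expectedState; this.expectedRedirectUri = expectedRedirectUri;
        this.error = error; this.code = code; this.state = state; this.requestUrl = requestUrl;
    }
}

// Hypothetical exception type; the real one wraps an OAuth2Error as shown in the issue.
final class OAuth2AuthenticationException extends RuntimeException {
    final String errorCode;
    OAuth2AuthenticationException(String errorCode) { super(errorCode); this.errorCode = errorCode; }
}

// The validation moved out of the filter so an AuthenticationManager can evaluate the
// whole authorization response before any code exchange happens.
final class AuthorizationCodeAuthenticationProvider {
    // Error-code values are assumed; the page only shows the constant names.
    static final String INVALID_STATE = "invalid_state_parameter";
    static final String INVALID_REDIRECT_URI = "invalid_redirect_uri_parameter";

    String authenticate(AuthorizationCodeAuthentication auth) {
        // 1. Authorization server reported an error: surface it rather than continuing.
        if (auth.error != null) throw new OAuth2AuthenticationException(auth.error);
        // 2. CSRF binding: the returned state must equal the stored one. Compared in constant
        //    time so a forged callback cannot learn the stored value through timing differences.
        if (!constantTimeEquals(auth.expectedState, auth.state))
            throw new OAuth2AuthenticationException(INVALID_STATE);
        // 3. The callback must arrive at exactly the redirect URI used in the authorization request.
        if (!auth.expectedRedirectUri.equals(auth.requestUrl))
            throw new OAuth2AuthenticationException(INVALID_REDIRECT_URI);
        return auth.code;   // only now is the code trusted enough to exchange for tokens
    }

    private static boolean constantTimeEquals(String a, String b) {
        if (a == null || b == null) return false;
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```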

@rwinch rwinch added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) Refactoring labels Sep 29, 2017
@rwinch rwinch added this to the 5.0.0.RC1 milestone Sep 29, 2017
@jgrandja jgrandja mentioned this issue Sep 29, 2017
@jgrandja jgrandja self-assigned this Oct 6, 2017
thomasdarimont pushed a commit to thomasdarimont/spring-security that referenced this issue Apr 25, 2018