org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest Java Examples

The following examples show how to use org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest. The source file, project and license are listed above each example.
Example #1
Source File: OidcUserMapperImpl.java    From molgenis with GNU Lesser General Public License v3.0 6 votes vote down vote up
/**
 * Links the OIDC identity to a local {@link User} and persists that link as an
 * {@code OidcUserMapping}.
 *
 * <p>The local account is looked up by the e-mail address the identity provider reported; when no
 * account carries that address a new one is created from the OIDC user. An existing account is
 * therefore handed to whoever the provider reports as owning that e-mail, which is only safe
 * because {@code toUser} has already rejected users whose e-mail is missing or unverified.
 *
 * @param oidcUser the user loaded from the identity provider
 * @param userRequest the request, used for the client registration id
 * @return the linked or newly created user
 * @throws UnknownEntityException when no {@code OidcClient} entity is stored for the client
 *     registration id
 */
private User createUserMapping(OidcUser oidcUser, OidcUserRequest userRequest) {
  User linkedUser =
      Optional.ofNullable(
              dataService
                  .query(UserMetadata.USER, User.class)
                  .eq(UserMetadata.EMAIL, oidcUser.getEmail())
                  .findOne())
          .orElseGet(() -> createUser(oidcUser));

  // resolved before the mapping is created so an unknown client fails without a dangling entity
  OidcClient client = getOidcClient(userRequest);
  String registrationId = userRequest.getClientRegistration().getRegistrationId();
  String subject = oidcUser.getSubject();

  OidcUserMapping mapping = oidcUserMappingFactory.create();
  mapping.setLabel(registrationId + ':' + subject);
  mapping.setOidcClient(client);
  mapping.setOidcUsername(subject);
  mapping.setUser(linkedUser);
  dataService.add(OIDC_USER_MAPPING, mapping);

  return linkedUser;
}
 
Example #2
Source File: RoleAwareOAuth2UserService.java    From ods-provisioning-app with Apache License 2.0 5 votes vote down vote up
/**
 * Loads the OIDC user through the wrapped service and replaces its authorities with the roles read
 * from the ID token.
 *
 * <p>The principal returned carries the token-derived authorities plus everything the delegate
 * assigned, so the delegate's defaults are kept. Because the token-derived collection is appended
 * to here, {@code extractAuthorities} must hand back a mutable collection.
 *
 * @param userRequest the request carrying the client registration and ID token
 * @return a copy of the delegate's user with the merged authorities
 * @throws OAuth2AuthenticationException when the delegate fails to load the user
 */
@Override
public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
  OidcUser loadedUser = delegate.loadUser(userRequest);

  Collection<GrantedAuthority> authorities =
      extractAuthorities(userRequest, extractOnlyOpendevstackRoles);
  authorities.addAll(loadedUser.getAuthorities());

  return new DefaultOidcUser(authorities, loadedUser.getIdToken(), loadedUser.getUserInfo());
}
 
Example #3
Source File: RoleAwareOAuth2UserService.java    From ods-provisioning-app with Apache License 2.0 5 votes vote down vote up
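/**
 * Builds the granted authorities from the roles found in the ID token.
 *
 * <p>The token is converted to a JSON tree and the roles are read at the configured
 * {@code userRolesExpression}. When {@code keepOnlyOpendevstackRoles} is set, only the roles listed
 * in {@code opendevstackRoles} survive. Extraction problems are logged and yield no authorities
 * rather than failing authentication.
 *
 * @param userRequest the request whose ID token is inspected
 * @param keepOnlyOpendevstackRoles whether to drop every role not listed in
 *     {@code opendevstackRoles}
 * @return a mutable list of authorities; empty when no role was found or extraction failed
 */
private Collection<GrantedAuthority> extractAuthorities(
    OidcUserRequest userRequest, boolean keepOnlyOpendevstackRoles) {
  JsonNode token = objectMapper.convertValue(userRequest.getIdToken(), JsonNode.class);
  // NOTE(review): this writes the whole serialized OidcIdToken -- every claim and, presumably, its
  // token value -- to the DEBUG log; keep DEBUG disabled wherever logs are retained.
  LOG.debug("Begin extractRoles at path '{}' from idToken jwt = {}", userRolesExpression, token);

  try {
    List<String> roles = extractRoles(token, userRolesExpression, convertRolesToLowerCase);
    if (keepOnlyOpendevstackRoles) {
      roles = extractOnlyOpendevstackRoles(roles, opendevstackRoles);
    }

    LOG.debug("Roles extracted from jwt = {}", roles);

    if (roles.isEmpty()) {
      LOG.warn(
          "Role extraction with expression '{}' was not successful. It returned an empty list!",
          userRolesExpression);
    }

    return AuthorityUtils.createAuthorityList(roles.toArray(new String[0]));
  } catch (IllegalArgumentException e) {
    LOG.warn("Cannot extract roles from id token:", e);
    // The caller appends the delegate's authorities to this collection. Collections.emptyList()
    // is immutable and made that addAll throw UnsupportedOperationException, so return an empty
    // but mutable list (createAuthorityList builds an ArrayList) instead.
    return AuthorityUtils.createAuthorityList();
  }
}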
 
Example #4
Source File: OidcUserManagementAutoConfiguration.java    From hawkbit with Eclipse Public License 1.0 5 votes vote down vote up
/**
 * Registers the OIDC user service that wraps the given {@code JwtAuthoritiesExtractor}.
 *
 * <p>Only created when no other {@code OAuth2UserService<OidcUserRequest, OidcUser>} bean is
 * present, so an application can supply its own.
 *
 * @param extractor the extractor handed to the service
 * @return the user service backed by {@code JwtAuthoritiesOidcUserService}
 */
@Bean
@ConditionalOnMissingBean
public OAuth2UserService<OidcUserRequest, OidcUser> oidcUserDetailsService(
        final JwtAuthoritiesExtractor extractor) {
    final OAuth2UserService<OidcUserRequest, OidcUser> userService =
            new JwtAuthoritiesOidcUserService(extractor);
    return userService;
}
 
Example #5
Source File: OidcUserMapperImpl.java    From molgenis with GNU Lesser General Public License v3.0 5 votes vote down vote up
/**
 * Resolves the local {@link User} for an authenticated OIDC user, creating the account and the
 * identity link when none exist yet.
 *
 * <p>The OIDC user is validated first ({@code verifyOidcUser}); the lookup and creation then run
 * through {@code runAsSystem} inside the surrounding transaction.
 *
 * @param oidcUser the user loaded from the identity provider
 * @param userRequest the request carrying the client registration
 * @return the mapped user
 * @throws OidcUserMissingEmailException when the OIDC user carries no e-mail address
 * @throws OidcUserEmailVerificationException when the e-mail address is not verified
 */
@Transactional
@Override
public User toUser(OidcUser oidcUser, OidcUserRequest userRequest) {
  verifyOidcUser(oidcUser);
  return runAsSystem(
      () -> {
        Optional<User> mappedUser = getUser(oidcUser, userRequest);
        return mappedUser.orElseGet(() -> createUserMapping(oidcUser, userRequest));
      });
}
 
Example #6
Source File: OidcUserMapperImpl.java    From molgenis with GNU Lesser General Public License v3.0 5 votes vote down vote up
/**
 * Looks up the local user already linked to this OIDC identity.
 *
 * <p>The mapping is keyed on the client registration id and the token subject, not on the e-mail
 * address.
 *
 * @param oidcUser the OIDC user whose subject identifies the identity
 * @param userRequest the request carrying the client registration
 * @return the linked user, or empty when no mapping exists for this client and subject
 */
private Optional<User> getUser(OidcUser oidcUser, OidcUserRequest userRequest) {
  String registrationId = userRequest.getClientRegistration().getRegistrationId();
  OidcUserMapping mapping =
      dataService
          .query(OIDC_USER_MAPPING, OidcUserMapping.class)
          .eq(OIDC_CLIENT, registrationId)
          .and()
          .eq(OIDC_USERNAME, oidcUser.getSubject())
          .findOne();
  if (mapping == null) {
    return Optional.empty();
  }
  return Optional.of(mapping.getUser());
}
 
Example #7
Source File: OidcUserMapperImpl.java    From molgenis with GNU Lesser General Public License v3.0 5 votes vote down vote up
/**
 * Resolves the {@code OidcClient} entity stored under the request's client registration id.
 *
 * @param userRequest the request carrying the client registration
 * @return the matching client entity
 * @throws UnknownEntityException when no client is stored under that registration id
 */
private OidcClient getOidcClient(OidcUserRequest userRequest) {
  String registrationId = userRequest.getClientRegistration().getRegistrationId();
  return Optional.ofNullable(
          dataService.findOneById(
              OidcClientMetadata.OIDC_CLIENT, registrationId, OidcClient.class))
      .orElseThrow(
          () -> new UnknownEntityException(OidcClientMetadata.OIDC_CLIENT, registrationId));
}
 
Example #8
Source File: MappedOidcUserService.java    From molgenis with GNU Lesser General Public License v3.0 5 votes vote down vote up
/**
 * Builds the principal for an authenticated OIDC user.
 *
 * <p>The OIDC identity is first resolved to a local {@link User}. The principal's authorities are
 * then taken from the local user details service rather than from the provider's claims, and its
 * name is the local username.
 *
 * @param oidcUser the user loaded from the identity provider
 * @param userRequest the request carrying the client registration
 * @return the principal wrapping the provider's tokens and the local user's authorities
 */
private MappedOidcUser createOidcUser(OidcUser oidcUser, OidcUserRequest userRequest) {
  User localUser = oidcUserMapper.toUser(oidcUser, userRequest);
  String nameAttribute = getUserNameAttributeName(userRequest);
  Set<GrantedAuthority> localAuthorities =
      new HashSet<>(userDetailsServiceImpl.getAuthorities(localUser));
  MappedOidcUser principal =
      new MappedOidcUser(
          localAuthorities,
          oidcUser.getIdToken(),
          oidcUser.getUserInfo(),
          nameAttribute,
          localUser.getUsername());
  return principal;
}
 
Example #9
Source File: MappedOidcUserService.java    From molgenis with GNU Lesser General Public License v3.0 5 votes vote down vote up
/**
 * Returns the name of the user-info attribute the client registration designates as the user
 * name.
 *
 * <p>Note: the method is {@code private}; an earlier comment described it as package-private.
 *
 * @param userRequest the request carrying the client registration
 * @return the configured user-name attribute name
 */
private String getUserNameAttributeName(OidcUserRequest userRequest) {
  return userRequest.getClientRegistration().getProviderDetails().getUserInfoEndpoint()
      .getUserNameAttributeName();
}
 
Example #10
Source File: OidcUserMapperImplTest.java    From molgenis with GNU Lesser General Public License v3.0 5 votes vote down vote up
/**
 * When a mapping for this client and subject already exists, the mapped user is returned without
 * any account lookup by e-mail or account creation.
 */
@Test
void testToUserExistingUserMapping() {
  String email = "[email protected]";
  String subject = "username";
  String registrationId = "google";

  OidcUser oidcUser = mock(OidcUser.class);
  when(oidcUser.getEmail()).thenReturn(email);
  when(oidcUser.getEmailVerified()).thenReturn(true);
  when(oidcUser.getSubject()).thenReturn(subject);

  ClientRegistration googleRegistration =
      CommonOAuth2Provider.GOOGLE
          .getBuilder(registrationId)
          .clientId("clientId")
          .clientSecret("clientSecret")
          .build();
  OidcUserRequest request = mock(OidcUserRequest.class);
  when(request.getClientRegistration()).thenReturn(googleRegistration);

  User mappedUser = mock(User.class);
  OidcUserMapping existingMapping = mock(OidcUserMapping.class);
  when(existingMapping.getUser()).thenReturn(mappedUser);

  // the mapping lookup by client id and subject hits
  @SuppressWarnings("unchecked")
  Query<OidcUserMapping> mappingQuery = mock(Query.class, RETURNS_SELF);
  when(dataService.query(OIDC_USER_MAPPING, OidcUserMapping.class)).thenReturn(mappingQuery);
  when(mappingQuery.eq(OIDC_CLIENT, registrationId).and().eq(OIDC_USERNAME, subject).findOne())
      .thenReturn(existingMapping);

  assertEquals(mappedUser, oidcUserMapperImpl.toUser(oidcUser, request));
}
 
Example #11
Source File: OidcUserMapperImplTest.java    From molgenis with GNU Lesser General Public License v3.0 5 votes vote down vote up
/**
 * An OIDC user without an e-mail claim is rejected with {@code OidcUserMissingEmailException}.
 * Nothing on {@code dataService} is stubbed, so the rejection has to happen before any lookup.
 */
@Test
void testToUserEmailMissing() {
  OidcUser userWithoutEmail = mock(OidcUser.class);
  OidcUserRequest request = mock(OidcUserRequest.class);
  assertThrows(
      OidcUserMissingEmailException.class,
      () -> oidcUserMapperImpl.toUser(userWithoutEmail, request));
}
 
Example #12
Source File: OidcUserMapperImplTest.java    From molgenis with GNU Lesser General Public License v3.0 5 votes vote down vote up
/**
 * An OIDC user whose e-mail the provider reports as unverified is rejected with
 * {@code OidcUserEmailVerificationException}; an unverified address must never be used to link
 * an existing account.
 */
@Test
void testToUserEmailNotVerified() {
  OidcUser unverifiedUser = mock(OidcUser.class);
  when(unverifiedUser.getEmail()).thenReturn("[email protected]");
  when(unverifiedUser.getEmailVerified()).thenReturn(false);
  OidcUserRequest request = mock(OidcUserRequest.class);
  assertThrows(
      OidcUserEmailVerificationException.class,
      () -> oidcUserMapperImpl.toUser(unverifiedUser, request));
}
 
Example #13
Source File: MappedOidcUserService.java    From molgenis with GNU Lesser General Public License v3.0 4 votes vote down vote up
/**
 * Loads the OIDC user through the standard service and wraps it in a {@link MappedOidcUser} bound
 * to a local account.
 *
 * <p>The superclass call comes first: only a user the provider authenticated successfully is
 * mapped to (or created as) a local account.
 *
 * @param userRequest the request carrying the client registration and tokens
 * @return the principal for the local user
 */
@Override
public MappedOidcUser loadUser(OidcUserRequest userRequest) {
  OidcUser authenticatedUser = super.loadUser(userRequest);
  MappedOidcUser principal = createOidcUser(authenticatedUser, userRequest);
  return principal;
}
 
Example #14
Source File: OidcUserMapper.java    From molgenis with GNU Lesser General Public License v3.0 4 votes vote down vote up
/**
 * Returns the local {@link User} for an OIDC user, creating one if none exists.
 *
 * @param oidcUser the user loaded from the identity provider
 * @param userRequest the request carrying the client registration
 * @return the existing or newly created user
 */
User toUser(OidcUser oidcUser, OidcUserRequest userRequest);
 
Example #15
Source File: OidcUserMapperImplTest.java    From molgenis with GNU Lesser General Public License v3.0 4 votes vote down vote up
/**
 * When no mapping exists but a local account with the token's (verified) e-mail does, that
 * account is linked: a mapping is stored and the existing user returned, no new user created.
 */
@Test
void testToUserMissingUserMappingExistingUser() {
  String email = "[email protected]";
  String subject = "username";
  String registrationId = "google";

  OidcUser oidcUser = mock(OidcUser.class);
  when(oidcUser.getEmail()).thenReturn(email);
  when(oidcUser.getEmailVerified()).thenReturn(true);
  when(oidcUser.getSubject()).thenReturn(subject);

  ClientRegistration googleRegistration =
      CommonOAuth2Provider.GOOGLE
          .getBuilder(registrationId)
          .clientId("clientId")
          .clientSecret("clientSecret")
          .build();
  OidcUserRequest request = mock(OidcUserRequest.class);
  when(request.getClientRegistration()).thenReturn(googleRegistration);

  OidcClient googleClient = mock(OidcClient.class);
  when(dataService.findOneById(OidcClientMetadata.OIDC_CLIENT, registrationId, OidcClient.class))
      .thenReturn(googleClient);

  // the account lookup by e-mail finds an existing user
  User existingUser = mock(User.class);
  @SuppressWarnings("unchecked")
  Query<User> userQuery = mock(Query.class, RETURNS_SELF);
  doReturn(userQuery).when(dataService).query(UserMetadata.USER, User.class);
  when(userQuery.eq(UserMetadata.EMAIL, email).findOne()).thenReturn(existingUser);

  // the mapping lookup by client id and subject finds nothing
  @SuppressWarnings("unchecked")
  Query<OidcUserMapping> mappingQuery = mock(Query.class, RETURNS_SELF);
  doReturn(mappingQuery).when(dataService).query(OIDC_USER_MAPPING, OidcUserMapping.class);
  when(mappingQuery.eq(OIDC_CLIENT, registrationId).and().eq(OIDC_USERNAME, subject).findOne())
      .thenReturn(null);

  OidcUserMapping newMapping = mock(OidcUserMapping.class);
  when(oidcUserMappingFactory.create()).thenReturn(newMapping);

  assertEquals(existingUser, oidcUserMapperImpl.toUser(oidcUser, request));
  verify(dataService).add(OidcUserMappingMetadata.OIDC_USER_MAPPING, newMapping);
  verify(newMapping).setLabel("google:username");
  verify(newMapping).setOidcClient(googleClient);
  verify(newMapping).setOidcUsername("username");
  verify(newMapping).setUser(existingUser);
}
 
Example #16
Source File: OidcUserMapperImplTest.java    From molgenis with GNU Lesser General Public License v3.0 4 votes vote down vote up
/**
 * When neither a mapping nor an account with the token's e-mail exists, a new user is created
 * from the OIDC claims, stored, and linked through a new mapping.
 */
@Test
void testToUserMissingUserMappingMissingUser() {
  String email = "[email protected]";
  String subject = "username";
  String givenName = "MOL";
  String familyName = "GENIS";
  String registrationId = "google";

  OidcUser oidcUser = mock(OidcUser.class);
  when(oidcUser.getEmail()).thenReturn(email);
  when(oidcUser.getEmailVerified()).thenReturn(true);
  when(oidcUser.getSubject()).thenReturn(subject);
  when(oidcUser.getGivenName()).thenReturn(givenName);
  when(oidcUser.getFamilyName()).thenReturn(familyName);

  ClientRegistration googleRegistration =
      CommonOAuth2Provider.GOOGLE
          .getBuilder(registrationId)
          .clientId("clientId")
          .clientSecret("clientSecret")
          .build();
  OidcUserRequest request = mock(OidcUserRequest.class);
  when(request.getClientRegistration()).thenReturn(googleRegistration);

  OidcClient googleClient = mock(OidcClient.class);
  when(dataService.findOneById(OidcClientMetadata.OIDC_CLIENT, registrationId, OidcClient.class))
      .thenReturn(googleClient);

  // the account lookup by e-mail finds nothing
  @SuppressWarnings("unchecked")
  Query<User> userQuery = mock(Query.class, RETURNS_SELF);
  doReturn(userQuery).when(dataService).query(UserMetadata.USER, User.class);
  when(userQuery.eq(UserMetadata.EMAIL, email).findOne()).thenReturn(null);

  // the mapping lookup by client id and subject finds nothing either
  @SuppressWarnings("unchecked")
  Query<OidcUserMapping> mappingQuery = mock(Query.class, RETURNS_SELF);
  doReturn(mappingQuery).when(dataService).query(OIDC_USER_MAPPING, OidcUserMapping.class);
  when(mappingQuery.eq(OIDC_CLIENT, registrationId).and().eq(OIDC_USERNAME, subject).findOne())
      .thenReturn(null);

  OidcUserMapping newMapping = mock(OidcUserMapping.class);
  when(oidcUserMappingFactory.create()).thenReturn(newMapping);

  User createdUser = mock(User.class);
  when(userFactory.create()).thenReturn(createdUser);

  assertEquals(createdUser, oidcUserMapperImpl.toUser(oidcUser, request));
  verify(dataService).add(OidcUserMappingMetadata.OIDC_USER_MAPPING, newMapping);
  verify(newMapping).setLabel("google:username");
  verify(newMapping).setOidcClient(googleClient);
  verify(newMapping).setOidcUsername("username");
  verify(newMapping).setUser(createdUser);

  verify(dataService).add(UserMetadata.USER, createdUser);
  verify(createdUser).setUsername(email); // the local username is the e-mail, not the subject
  verify(createdUser).setEmail(email);
  verify(createdUser).setFirstName(givenName);
  verify(createdUser).setLastName(familyName);
}