PAR using requested scopes on consent

PAR was missing the scopes when giving consent. Making consent authentications distinguish between requested and already authorized scopes.

Fixes gh-2175

Signed-off-by: Willem van Dreumel <[email protected]>

Author: willemvd

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java

@@ -283,7 +283,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
 					? currentAuthorizationConsent.getScopes() : null;
 
 			return new OAuth2AuthorizationConsentAuthenticationToken(authorizationRequest.getAuthorizationUri(),
-					registeredClient.getClientId(), principal, state, currentAuthorizedScopes, null);
+					registeredClient.getClientId(), principal, state, authorizationRequest.getScopes(),
+					currentAuthorizedScopes, null);
 		}
 
 		OAuth2TokenContext tokenContext = createAuthorizationCodeTokenContext(authorizationCodeRequestAuthentication,

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationConsentAuthenticationProvider.java

@@ -142,7 +142,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		OAuth2AuthorizationRequest authorizationRequest = authorization
 			.getAttribute(OAuth2AuthorizationRequest.class.getName());
 		Set<String> requestedScopes = authorizationRequest.getScopes();
-		Set<String> authorizedScopes = new HashSet<>(authorizationConsentAuthentication.getScopes());
+		Set<String> authorizedScopes = new HashSet<>(authorizationConsentAuthentication.getRequestedScopes());
 		if (!requestedScopes.containsAll(authorizedScopes)) {
 			throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE, authorizationConsentAuthentication,
 					registeredClient, authorizationRequest);
@@ -354,7 +354,7 @@ private static void throwError(OAuth2Error error, String parameterName,
 		String state = (authorizationRequest != null) ? authorizationRequest.getState()
 				: authorizationConsentAuthentication.getState();
 		Set<String> requestedScopes = (authorizationRequest != null) ? authorizationRequest.getScopes()
-				: authorizationConsentAuthentication.getScopes();
+				: authorizationConsentAuthentication.getRequestedScopes();
 
 		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthenticationResult = new OAuth2AuthorizationCodeRequestAuthenticationToken(
 				authorizationConsentAuthentication.getAuthorizationUri(),

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationConsentAuthenticationToken.java

@@ -49,7 +49,9 @@ public class OAuth2AuthorizationConsentAuthenticationToken extends AbstractAuthe
 
 	private final String state;
 
-	private final Set<String> scopes;
+	private final Set<String> authorizedScopes;
+
+	private final Set<String> requestedScopes;
 
 	private final Map<String, Object> additionalParameters;
 
@@ -60,12 +62,29 @@ public class OAuth2AuthorizationConsentAuthenticationToken extends AbstractAuthe
 	 * @param clientId the client identifier
 	 * @param principal the {@code Principal} (Resource Owner)
 	 * @param state the state
-	 * @param scopes the requested (or authorized) scope(s)
+	 * @param requestedScopes the requested scope(s)
 	 * @param additionalParameters the additional parameters
 	 */
 	public OAuth2AuthorizationConsentAuthenticationToken(String authorizationUri, String clientId,
-			Authentication principal, String state, @Nullable Set<String> scopes,
+			Authentication principal, String state, @Nullable Set<String> requestedScopes,
 			@Nullable Map<String, Object> additionalParameters) {
+		this(authorizationUri, clientId, principal, state, requestedScopes, null, additionalParameters);
+	}
+
+	/**
+	 * Constructs an {@code OAuth2AuthorizationConsentAuthenticationToken} using the
+	 * provided parameters.
+	 * @param authorizationUri the authorization URI
+	 * @param clientId the client identifier
+	 * @param principal the {@code Principal} (Resource Owner)
+	 * @param state the state
+	 * @param requestedScopes the requested scope(s)
+	 * @param authorizedScopes the authorized scope(s)
+	 * @param additionalParameters the additional parameters
+	 */
+	public OAuth2AuthorizationConsentAuthenticationToken(String authorizationUri, String clientId,
+			Authentication principal, String state, @Nullable Set<String> requestedScopes,
+			@Nullable Set<String> authorizedScopes, @Nullable Map<String, Object> additionalParameters) {
 		super(Collections.emptyList());
 		Assert.hasText(authorizationUri, "authorizationUri cannot be empty");
 		Assert.hasText(clientId, "clientId cannot be empty");
@@ -75,7 +94,10 @@ public OAuth2AuthorizationConsentAuthenticationToken(String authorizationUri, St
 		this.clientId = clientId;
 		this.principal = principal;
 		this.state = state;
-		this.scopes = Collections.unmodifiableSet((scopes != null) ? new HashSet<>(scopes) : Collections.emptySet());
+		this.requestedScopes = Collections
+			.unmodifiableSet((requestedScopes != null) ? new HashSet<>(requestedScopes) : Collections.emptySet());
+		this.authorizedScopes = Collections
+			.unmodifiableSet((authorizedScopes != null) ? new HashSet<>(authorizedScopes) : Collections.emptySet());
 		this.additionalParameters = Collections.unmodifiableMap(
 				(additionalParameters != null) ? new HashMap<>(additionalParameters) : Collections.emptyMap());
 		setAuthenticated(true);
@@ -116,12 +138,19 @@ public String getState() {
 	}
 
 	/**
-	 * Returns the requested (or authorized) scope(s).
-	 * @return the requested (or authorized) scope(s), or an empty {@code Set} if not
-	 * available
+	 * Returns the requested scope(s).
+	 * @return the requested scope(s), or an empty {@code Set} if not available
+	 */
+	public Set<String> getRequestedScopes() {
+		return this.requestedScopes;
+	}
+
+	/**
+	 * Returns the authorized scope(s).
+	 * @return the authorized scope(s), or an empty {@code Set} if not available
 	 */
-	public Set<String> getScopes() {
-		return this.scopes;
+	public Set<String> getAuthorizedScopes() {
+		return this.authorizedScopes;
 	}
 
 	/**

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationProvider.java

@@ -122,7 +122,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		}
 
 		Set<String> requestedScopes = authorization.getAttribute(OAuth2ParameterNames.SCOPE);
-		Set<String> authorizedScopes = new HashSet<>(deviceAuthorizationConsentAuthentication.getScopes());
+		Set<String> authorizedScopes = new HashSet<>(deviceAuthorizationConsentAuthentication.getRequestedScopes());
 		if (!requestedScopes.containsAll(authorizedScopes)) {
 			throwError(OAuth2ErrorCodes.INVALID_SCOPE, OAuth2ParameterNames.SCOPE);
 		}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationConsentAuthenticationToken.java

@@ -16,8 +16,6 @@
 package org.springframework.security.oauth2.server.authorization.authentication;
 
 import java.io.Serial;
-import java.util.Collections;
-import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 
@@ -42,8 +40,6 @@ public class OAuth2DeviceAuthorizationConsentAuthenticationToken extends OAuth2A
 
 	private final String userCode;
 
-	private final Set<String> requestedScopes;
-
 	/**
 	 * Constructs an {@code OAuth2DeviceAuthorizationConsentAuthenticationToken} using the
 	 * provided parameters.
@@ -52,16 +48,15 @@ public class OAuth2DeviceAuthorizationConsentAuthenticationToken extends OAuth2A
 	 * @param principal the {@code Principal} (Resource Owner)
 	 * @param userCode the user code associated with the device authorization response
 	 * @param state the state
-	 * @param authorizedScopes the authorized scope(s)
+	 * @param requestedScopes the requested scope(s)
 	 * @param additionalParameters the additional parameters
 	 */
 	public OAuth2DeviceAuthorizationConsentAuthenticationToken(String authorizationUri, String clientId,
-			Authentication principal, String userCode, String state, @Nullable Set<String> authorizedScopes,
+			Authentication principal, String userCode, String state, @Nullable Set<String> requestedScopes,
 			@Nullable Map<String, Object> additionalParameters) {
-		super(authorizationUri, clientId, principal, state, authorizedScopes, additionalParameters);
+		super(authorizationUri, clientId, principal, state, requestedScopes, null, additionalParameters);
 		Assert.hasText(userCode, "userCode cannot be empty");
 		this.userCode = userCode;
-		this.requestedScopes = null;
 		setAuthenticated(false);
 	}
 
@@ -79,11 +74,9 @@ public OAuth2DeviceAuthorizationConsentAuthenticationToken(String authorizationU
 	public OAuth2DeviceAuthorizationConsentAuthenticationToken(String authorizationUri, String clientId,
 			Authentication principal, String userCode, String state, @Nullable Set<String> requestedScopes,
 			@Nullable Set<String> authorizedScopes) {
-		super(authorizationUri, clientId, principal, state, authorizedScopes, null);
+		super(authorizationUri, clientId, principal, state, requestedScopes, authorizedScopes, null);
 		Assert.hasText(userCode, "userCode cannot be empty");
 		this.userCode = userCode;
-		this.requestedScopes = Collections
-			.unmodifiableSet((requestedScopes != null) ? new HashSet<>(requestedScopes) : Collections.emptySet());
 		setAuthenticated(true);
 	}
 
@@ -95,12 +88,4 @@ public String getUserCode() {
 		return this.userCode;
 	}
 
-	/**
-	 * Returns the requested scopes.
-	 * @return the requested scopes
-	 */
-	public Set<String> getRequestedScopes() {
-		return this.requestedScopes;
-	}
-
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java

@@ -191,9 +191,7 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 				if (this.logger.isTraceEnabled()) {
 					this.logger.trace("Authorization consent is required");
 				}
-				sendAuthorizationConsent(request, response,
-						(OAuth2AuthorizationCodeRequestAuthenticationToken) authentication,
-						authorizationConsentAuthenticationToken);
+				sendAuthorizationConsent(request, response, authorizationConsentAuthenticationToken);
 				return;
 			}
 
@@ -287,13 +285,12 @@ public void setConsentPage(String consentPage) {
 	}
 
 	private void sendAuthorizationConsent(HttpServletRequest request, HttpServletResponse response,
-			OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication,
 			OAuth2AuthorizationConsentAuthenticationToken authorizationConsentAuthentication) throws IOException {
 
 		String clientId = authorizationConsentAuthentication.getClientId();
 		Authentication principal = (Authentication) authorizationConsentAuthentication.getPrincipal();
-		Set<String> requestedScopes = authorizationCodeRequestAuthentication.getScopes();
-		Set<String> authorizedScopes = authorizationConsentAuthentication.getScopes();
+		Set<String> requestedScopes = authorizationConsentAuthentication.getRequestedScopes();
+		Set<String> authorizedScopes = authorizationConsentAuthentication.getAuthorizedScopes();
 		String state = authorizationConsentAuthentication.getState();
 
 		if (hasConsentUri()) {

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2DeviceVerificationEndpointFilter.java

@@ -256,7 +256,7 @@ private void sendAuthorizationConsent(HttpServletRequest request, HttpServletRes
 		String clientId = authorizationConsentAuthentication.getClientId();
 		Authentication principal = (Authentication) authorizationConsentAuthentication.getPrincipal();
 		Set<String> requestedScopes = authorizationConsentAuthentication.getRequestedScopes();
-		Set<String> authorizedScopes = authorizationConsentAuthentication.getScopes();
+		Set<String> authorizedScopes = authorizationConsentAuthentication.getAuthorizedScopes();
 		String state = authorizationConsentAuthentication.getState();
 		String userCode = authorizationConsentAuthentication.getUserCode();
 

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProviderTests.java

@@ -506,7 +506,9 @@ public void authenticateWhenRequireAuthorizationConsentThenReturnAuthorizationCo
 		assertThat(authenticationResult.getClientId()).isEqualTo(registeredClient.getClientId());
 		assertThat(authenticationResult.getPrincipal()).isEqualTo(this.principal);
 		assertThat(authenticationResult.getAuthorizationUri()).isEqualTo(authorizationRequest.getAuthorizationUri());
-		assertThat(authenticationResult.getScopes()).isEmpty();
+		assertThat(authenticationResult.getAuthorizedScopes()).isEmpty();
+		assertThat(authenticationResult.getRequestedScopes())
+			.contains(registeredClient.getScopes().toArray(new String[0]));
 		assertThat(authenticationResult.getState()).isEqualTo(state);
 		assertThat(authenticationResult.isAuthenticated()).isTrue();
 	}

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceVerificationAuthenticationProviderTests.java

@@ -262,7 +262,7 @@ public void authenticateWhenAuthorizationConsentDoesNotExistThenReturnAuthorizat
 		assertThat(authenticationResult.getUserCode()).isEqualTo(USER_CODE);
 		assertThat(authenticationResult.getState()).hasSize(44);
 		assertThat(authenticationResult.getRequestedScopes()).hasSameElementsAs(registeredClient.getScopes());
-		assertThat(authenticationResult.getScopes()).isEmpty();
+		assertThat(authenticationResult.getAuthorizedScopes()).isEmpty();
 
 		ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
 		verify(this.authorizationService).findByToken(USER_CODE,
@@ -365,7 +365,7 @@ public void authenticateWhenAuthorizationConsentExistsAndRequestedScopesDoNotMat
 		assertThat(authenticationResult.getUserCode()).isEqualTo(USER_CODE);
 		assertThat(authenticationResult.getState()).hasSize(44);
 		assertThat(authenticationResult.getRequestedScopes()).hasSameElementsAs(registeredClient.getScopes());
-		assertThat(authenticationResult.getScopes()).containsExactly("previous");
+		assertThat(authenticationResult.getAuthorizedScopes()).containsExactly("previous");
 
 		ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
 		verify(this.authorizationService).findByToken(USER_CODE,