JdbcRegisteredClientRepository hashes client secret on save

Closes gh-378

Author: ovidiupopa07

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/client/JdbcRegisteredClientRepository.java

@@ -36,6 +36,8 @@
 import org.springframework.jdbc.core.PreparedStatementSetter;
 import org.springframework.jdbc.core.RowMapper;
 import org.springframework.jdbc.core.SqlParameterValue;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.jackson2.SecurityJackson2Modules;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
@@ -291,6 +293,7 @@ private static ClientAuthenticationMethod resolveClientAuthenticationMethod(Stri
  */
 public static class RegisteredClientParametersMapper implements Function<RegisteredClient, List<SqlParameterValue>> {
 private ObjectMapper objectMapper = new ObjectMapper();
+private PasswordEncoder passwordEncoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
 
 public RegisteredClientParametersMapper() {
 ClassLoader classLoader = JdbcRegisteredClientRepository.class.getClassLoader();
@@ -319,7 +322,7 @@ public List<SqlParameterValue> apply(RegisteredClient registeredClient) {
 new SqlParameterValue(Types.VARCHAR, registeredClient.getId()),
 new SqlParameterValue(Types.VARCHAR, registeredClient.getClientId()),
 new SqlParameterValue(Types.TIMESTAMP, clientIdIssuedAt),
-new SqlParameterValue(Types.VARCHAR, registeredClient.getClientSecret()),
+new SqlParameterValue(Types.VARCHAR, encode(registeredClient.getClientSecret())),
 new SqlParameterValue(Types.TIMESTAMP, clientSecretExpiresAt),
 new SqlParameterValue(Types.VARCHAR, registeredClient.getClientName()),
 new SqlParameterValue(Types.VARCHAR, StringUtils.collectionToCommaDelimitedString(clientAuthenticationMethods)),
@@ -335,6 +338,12 @@ public final void setObjectMapper(ObjectMapper objectMapper) {
 this.objectMapper = objectMapper;
 }
 
+
+public final void setPasswordEncoder(PasswordEncoder passwordEncoder) {
+Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
+this.passwordEncoder = passwordEncoder;
+}
+
 protected final ObjectMapper getObjectMapper() {
 return this.objectMapper;
 }
@@ -347,6 +356,13 @@ private String writeMap(Map<String, Object> data) {
 }
 }
 
+private String encode(String value) {
+if (value != null) {
+return this.passwordEncoder.encode(value);
+}
+return null;
+}
+
 }
 
 }

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java

@@ -83,6 +83,7 @@
 import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository.RegisteredClientParametersMapper;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
@@ -582,8 +583,12 @@ OAuth2AuthorizationConsentService authorizationConsentService(JdbcOperations jdb
 }
 
 @Bean
-RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
-return new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations, PasswordEncoder passwordEncoder) {
+JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientParametersMapper registeredClientParametersMapper = new RegisteredClientParametersMapper();
+registeredClientParametersMapper.setPasswordEncoder(passwordEncoder);
+jdbcRegisteredClientRepository.setRegisteredClientParametersMapper(registeredClientParametersMapper);
+return jdbcRegisteredClientRepository;
 }
 
 @Bean

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientCredentialsGrantTests.java

@@ -68,6 +68,7 @@
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository.RegisteredClientParametersMapper;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
@@ -282,8 +283,12 @@ OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations, R
 }
 
 @Bean
-RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
-return new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations, PasswordEncoder passwordEncoder) {
+JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientParametersMapper registeredClientParametersMapper = new RegisteredClientParametersMapper();
+registeredClientParametersMapper.setPasswordEncoder(passwordEncoder);
+jdbcRegisteredClientRepository.setRegisteredClientParametersMapper(registeredClientParametersMapper);
+return jdbcRegisteredClientRepository;
 }
 
 @Bean

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java

@@ -68,6 +68,7 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
 import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository.RegisteredClientParametersMapper;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
@@ -207,8 +208,12 @@ OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations, R
 }
 
 @Bean
-RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
-return new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations, PasswordEncoder passwordEncoder) {
+JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientParametersMapper registeredClientParametersMapper = new RegisteredClientParametersMapper();
+registeredClientParametersMapper.setPasswordEncoder(passwordEncoder);
+jdbcRegisteredClientRepository.setRegisteredClientParametersMapper(registeredClientParametersMapper);
+return jdbcRegisteredClientRepository;
 }
 
 @Bean

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenIntrospectionTests.java

@@ -62,6 +62,7 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository.RegisteredClientParametersMapper;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
@@ -244,8 +245,12 @@ OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations, R
 }
 
 @Bean
-RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
-return new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations, PasswordEncoder passwordEncoder) {
+JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientParametersMapper registeredClientParametersMapper = new RegisteredClientParametersMapper();
+registeredClientParametersMapper.setPasswordEncoder(passwordEncoder);
+jdbcRegisteredClientRepository.setRegisteredClientParametersMapper(registeredClientParametersMapper);
+return jdbcRegisteredClientRepository;
 }
 
 @Bean

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2TokenRevocationTests.java

@@ -54,6 +54,7 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository.RegisteredClientParametersMapper;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
@@ -207,8 +208,12 @@ OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations, R
 }
 
 @Bean
-RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
-return new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations, PasswordEncoder passwordEncoder) {
+JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientParametersMapper registeredClientParametersMapper = new RegisteredClientParametersMapper();
+registeredClientParametersMapper.setPasswordEncoder(passwordEncoder);
+jdbcRegisteredClientRepository.setRegisteredClientParametersMapper(registeredClientParametersMapper);
+return jdbcRegisteredClientRepository;
 }
 
 @Bean

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcClientRegistrationTests.java

@@ -60,6 +60,7 @@
 import org.springframework.security.oauth2.jose.TestJwks;
 import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository.RegisteredClientParametersMapper;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
@@ -226,9 +227,12 @@ private static OidcClientRegistration readClientRegistrationResponse(MockHttpSer
 static class AuthorizationServerConfiguration {
 
 @Bean
-RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
+RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations, PasswordEncoder passwordEncoder) {
 RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
+RegisteredClientParametersMapper registeredClientParametersMapper = new RegisteredClientParametersMapper();
+registeredClientParametersMapper.setPasswordEncoder(passwordEncoder);
 JdbcRegisteredClientRepository registeredClientRepository = new JdbcRegisteredClientRepository(jdbcOperations);
+registeredClientRepository.setRegisteredClientParametersMapper(registeredClientParametersMapper);
 registeredClientRepository.save(registeredClient);
 return registeredClientRepository;
 }

oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java

@@ -73,6 +73,7 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository.RegisteredClientParametersMapper;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
@@ -275,8 +276,12 @@ OAuth2AuthorizationService authorizationService(JdbcOperations jdbcOperations, R
 }
 
 @Bean
-RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
-return new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations, PasswordEncoder passwordEncoder) {
+JdbcRegisteredClientRepository jdbcRegisteredClientRepository = new JdbcRegisteredClientRepository(jdbcOperations);
+RegisteredClientParametersMapper registeredClientParametersMapper = new RegisteredClientParametersMapper();
+registeredClientParametersMapper.setPasswordEncoder(passwordEncoder);
+jdbcRegisteredClientRepository.setRegisteredClientParametersMapper(registeredClientParametersMapper);
+return jdbcRegisteredClientRepository;
 }
 
 @Bean