Ability to modify OIDC provider configuration

Closes gh-616

Author: ovidiupopa07

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java

@@ -26,6 +26,7 @@
 
 import org.springframework.http.HttpMethod;
 import org.springframework.http.MediaType;
+import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.server.ServletServerHttpResponse;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
@@ -59,7 +60,7 @@ public final class OidcProviderConfigurationEndpointFilter extends OncePerReques
 
 private final ProviderSettings providerSettings;
 private final RequestMatcher requestMatcher;
-private final OidcProviderConfigurationHttpMessageConverter providerConfigurationHttpMessageConverter =
+private HttpMessageConverter<OidcProviderConfiguration> providerConfigurationHttpMessageConverter =
 new OidcProviderConfigurationHttpMessageConverter();
 
 public OidcProviderConfigurationEndpointFilter(ProviderSettings providerSettings) {
@@ -103,6 +104,20 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
 providerConfiguration, MediaType.APPLICATION_JSON, httpResponse);
 }
 
+/**
+ * Sets the {@link HttpMessageConverter} used for converting the {@link OidcProviderConfiguration}
+ * from and to HTTP requests and responses
+ *
+ * @param providerConfigurationHttpMessageConverter the {@link HttpMessageConverter} used for converting a
+ * representation of the OpenID Provider Configuration from and to HTTP requests and responses
+ *
+ * @since 0.2.3
+ */
+public void setProviderConfigurationHttpMessageConverter(HttpMessageConverter<OidcProviderConfiguration> providerConfigurationHttpMessageConverter) {
+Assert.notNull(providerConfigurationHttpMessageConverter, "providerConfigurationHttpMessageConverter cannot be null");
+this.providerConfigurationHttpMessageConverter = providerConfigurationHttpMessageConverter;
+}
+
 private static Consumer<List<String>> clientAuthenticationMethods() {
 return (authenticationMethods) -> {
 authenticationMethods.add(ClientAuthenticationMethod.CLIENT_SECRET_BASIC.getValue());

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilterTests.java

@@ -15,6 +15,10 @@
  */
 package org.springframework.security.oauth2.server.authorization.oidc.web;
 
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+
 import javax.servlet.FilterChain;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -25,6 +29,7 @@
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.oauth2.core.oidc.http.converter.OidcProviderConfigurationHttpMessageConverter;
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
 import org.springframework.security.oauth2.server.authorization.context.ProviderContext;
 import org.springframework.security.oauth2.server.authorization.context.ProviderContextHolder;
@@ -56,6 +61,15 @@ public void constructorWhenProviderSettingsNullThenThrowIllegalArgumentException
 .withMessage("providerSettings cannot be null");
 }
 
+@Test
+public void setProviderConfigurationHttpMessageConverterWhenNullThenThrowIllegalArgumentException() {
+OidcProviderConfigurationEndpointFilter filter =
+new OidcProviderConfigurationEndpointFilter(ProviderSettings.builder().build());
+assertThatIllegalArgumentException()
+.isThrownBy(() -> filter.setProviderConfigurationHttpMessageConverter(null))
+.withMessage("providerConfigurationHttpMessageConverter cannot be null");
+}
+
 @Test
 public void doFilterWhenNotConfigurationRequestThenNotProcessed() throws Exception {
 OidcProviderConfigurationEndpointFilter filter =
@@ -71,6 +85,55 @@ public void doFilterWhenNotConfigurationRequestThenNotProcessed() throws Excepti
 
 verify(filterChain).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
 }
+@Test
+public void providerConfigurationHttpMessageConverterWhenCustomThenAbleToOverride() throws Exception{
+String issuer = "https://example.com/issuer1";
+String authorizationEndpoint = "/oauth2/v1/authorize";
+String tokenEndpoint = "/oauth2/v1/token";
+String jwkSetEndpoint = "/oauth2/v1/jwks";
+String userInfoEndpoint = "/userinfo";
+
+ProviderSettings providerSettings = ProviderSettings.builder()
+.issuer(issuer)
+.authorizationEndpoint(authorizationEndpoint)
+.tokenEndpoint(tokenEndpoint)
+.jwkSetEndpoint(jwkSetEndpoint)
+.oidcUserInfoEndpoint(userInfoEndpoint)
+.build();
+ProviderContextHolder.setProviderContext(new ProviderContext(providerSettings, null));
+OidcProviderConfigurationEndpointFilter filter =
+new OidcProviderConfigurationEndpointFilter(providerSettings);
+
+OidcProviderConfigurationHttpMessageConverter httpMessageConverter = new OidcProviderConfigurationHttpMessageConverter();
+httpMessageConverter.setProviderConfigurationParametersConverter(oidcProviderConfiguration -> {
+Map<String, Object> claims = new HashMap<>(oidcProviderConfiguration.getClaims());
+claims.put("scopes_supported", Arrays.asList("openid", "value1"));
+return claims;
+});
+filter.setProviderConfigurationHttpMessageConverter(httpMessageConverter);
+String requestUri = DEFAULT_OIDC_PROVIDER_CONFIGURATION_ENDPOINT_URI;
+MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
+request.setServletPath(requestUri);
+MockHttpServletResponse response = new MockHttpServletResponse();
+FilterChain filterChain = mock(FilterChain.class);
+filter.doFilter(request, response, filterChain);
+
+verifyNoInteractions(filterChain);
+assertThat(response.getContentType()).isEqualTo(MediaType.APPLICATION_JSON_VALUE);
+String providerConfigurationResponse = response.getContentAsString();
+assertThat(providerConfigurationResponse).contains("\"issuer\":\"https://example.com/issuer1\"");
+assertThat(providerConfigurationResponse).contains("\"authorization_endpoint\":\"https://example.com/issuer1/oauth2/v1/authorize\"");
+assertThat(providerConfigurationResponse).contains("\"token_endpoint\":\"https://example.com/issuer1/oauth2/v1/token\"");
+assertThat(providerConfigurationResponse).contains("\"jwks_uri\":\"https://example.com/issuer1/oauth2/v1/jwks\"");
+assertThat(providerConfigurationResponse).contains("\"scopes_supported\":[\"openid\",\"value1\"]");
+assertThat(providerConfigurationResponse).contains("\"response_types_supported\":[\"code\"]");
+assertThat(providerConfigurationResponse).contains("\"grant_types_supported\":[\"authorization_code\",\"client_credentials\",\"refresh_token\"]");
+assertThat(providerConfigurationResponse).contains("\"subject_types_supported\":[\"public\"]");
+assertThat(providerConfigurationResponse).contains("\"id_token_signing_alg_values_supported\":[\"RS256\"]");
+assertThat(providerConfigurationResponse).contains("\"userinfo_endpoint\":\"https://example.com/issuer1/userinfo\"");
+assertThat(providerConfigurationResponse).contains("\"token_endpoint_auth_methods_supported\":[\"client_secret_basic\",\"client_secret_post\",\"client_secret_jwt\",\"private_key_jwt\"]");
+}
+
 
 @Test
 public void doFilterWhenConfigurationRequestPostThenNotProcessed() throws Exception {