Fix authorization code expired check

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java

@@ -41,13 +41,13 @@
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtClaimsSet;
 import org.springframework.security.oauth2.jwt.JwtEncoder;
+import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
-import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
-import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
-import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
@@ -135,7 +135,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT));
 }
 
-if (authorizationCode.isInvalidated()) {
+if (!authorizationCode.isActive()) {
 throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_GRANT));
 }
 

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProviderTests.java

@@ -19,6 +19,7 @@
 import java.time.Duration;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
@@ -45,14 +46,14 @@
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtClaimsSet;
 import org.springframework.security.oauth2.jwt.JwtEncoder;
+import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
 import org.springframework.security.oauth2.server.authorization.TestOAuth2Authorizations;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.TestRegisteredClients;
-import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
-import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
-import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
@@ -222,6 +223,62 @@ public void authenticateWhenInvalidatedCodeThenThrowOAuth2AuthenticationExceptio
 .isEqualTo(OAuth2ErrorCodes.INVALID_GRANT);
 }
 
+// gh-290
+@Test
+public void authenticateWhenExpiredCodeThenThrowOAuth2AuthenticationException() throws InterruptedException {
+RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
+Instant now = Instant.now();
+OAuth2AuthorizationCode authorizationCode = new OAuth2AuthorizationCode(
+AUTHORIZATION_CODE, now, now.plusNanos(1));
+OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient)
+.token(authorizationCode)
+.build();
+when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE)))
+.thenReturn(authorization);
+
+OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
+OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
+OAuth2AuthorizationRequest.class.getName());
+OAuth2AuthorizationCodeAuthenticationToken authentication =
+new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
+
+// Busy wait a brief moment for token to expire. TODO: Add a way to mock the underlying java.time.Clock?
+while (!Instant.now().isAfter(authorizationCode.getExpiresAt())) {
+Thread.sleep(0, 1);
+}
+
+assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
+.isInstanceOf(OAuth2AuthenticationException.class)
+.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
+.extracting("errorCode")
+.isEqualTo(OAuth2ErrorCodes.INVALID_GRANT);
+}
+
+// gh-290
+@Test
+public void authenticateWhenCodeIsBeforeUseThenThrowOAuth2AuthenticationException() throws InterruptedException {
+RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
+OAuth2AuthorizationCode authorizationCode = new OAuth2AuthorizationCode(
+AUTHORIZATION_CODE, Instant.now(), Instant.now().plusSeconds(240));
+OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient)
+.token(authorizationCode, (metadata) -> metadata.put(OAuth2Authorization.Token.CLAIMS_METADATA_NAME, Collections.singletonMap("nbf", Instant.now().plusSeconds(120))))
+.build();
+when(this.authorizationService.findByToken(eq(AUTHORIZATION_CODE), eq(AUTHORIZATION_CODE_TOKEN_TYPE)))
+.thenReturn(authorization);
+
+OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient);
+OAuth2AuthorizationRequest authorizationRequest = authorization.getAttribute(
+OAuth2AuthorizationRequest.class.getName());
+OAuth2AuthorizationCodeAuthenticationToken authentication =
+new OAuth2AuthorizationCodeAuthenticationToken(AUTHORIZATION_CODE, clientPrincipal, authorizationRequest.getRedirectUri(), null);
+
+assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
+.isInstanceOf(OAuth2AuthenticationException.class)
+.extracting(ex -> ((OAuth2AuthenticationException) ex).getError())
+.extracting("errorCode")
+.isEqualTo(OAuth2ErrorCodes.INVALID_GRANT);
+}
+
 @Test
 public void authenticateWhenValidCodeThenReturnAccessToken() {
 RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();