Fix extracting standard scope claim in OAuth2 JWT

fixes ePages-de#217 This fixes does not break current implementation of treating scope claim as List<String>
Kieun · Jan 3, 2023 · d5225ab · d5225ab
1 parent ab1de69
commit d5225ab
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/restdocs-api-spec/src/main/kotlin/com/epages/restdocs/apispec/JwtSecurityHandler.kt b/restdocs-api-spec/src/main/kotlin/com/epages/restdocs/apispec/JwtSecurityHandler.kt
@@ -62,9 +62,13 @@ internal class JwtSecurityHandler : SecurityRequirementsExtractor {
             try {
                 val jwtMap = ObjectMapper().readValue<Map<String, Any>>(decodedPayload)
                 val scope = jwtMap["scope"]
+                // some of oauth2 authorization servers might return scope claims as a set of string
                 if (scope is List<*>) {
                     return scope as List<String>
                 }
+                if (scope is String) { // standard way of expressing scope claim
+                    return scope.trim().split("\\s+".toRegex())
+                }
             } catch (e: IOException) {
                 // probably not JWT
             }

diff --git a/restdocs-api-spec/src/test/kotlin/com/epages/restdocs/apispec/JwtSecurityHandlerTest.kt b/restdocs-api-spec/src/test/kotlin/com/epages/restdocs/apispec/JwtSecurityHandlerTest.kt
@@ -23,6 +23,16 @@ class JwtSecurityHandlerTest {
         then((securityRequirement as Oauth2).requiredScopes).containsExactly("scope1", "scope2")
     }
 
+    @Test
+    fun `should add scope list when standard oauth2 jwt is found in Authorization header`() {
+        givenRequestWithStandardOAuth2JwtInAuthorizationHeader()
+
+        whenSecurityRequirementsExtracted(operation)
+
+        then(securityRequirement).isNotNull
+        then((securityRequirement as Oauth2).requiredScopes).containsExactly("scope1", "scope2")
+    }
+
     @Test
     fun `should return SecurityType of JWTBearer when non oauth2 jwt is found in Authorization header`() {
         givenRequestWithNonOAuth2JwtInAuthorizationHeader()
@@ -72,6 +82,15 @@ class JwtSecurityHandlerTest {
             .build()
     }
 
+    private fun givenRequestWithStandardOAuth2JwtInAuthorizationHeader() {
+        operation = OperationBuilder().request("/some")
+            .header(
+                AUTHORIZATION,
+                "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzY29wZSI6InNjb3BlMSBzY29wZTIiLCJleHAiOjE1MDc3NTg0OTgsImlhdCI6MTUwNzcxNTI5OCwianRpIjoiNDJhMGE5MWEtZDZlZC00MGNjLWIxMDYtZTkwY2RhZTQzZDZkIn0.yLPUhfQ5IIWaTwLO1qcGzAjXtqXnx-FRiF_yGQkiO2M"
+            )
+            .build()
+    }
+
     private fun givenRequestWithNonOAuth2JwtInAuthorizationHeader() {
         operation = OperationBuilder().request("/some")
             .header(