Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove use of deprecated ClientAuthenticationMethod's #350

Closed
wants to merge 1 commit into from
Closed

Remove use of deprecated ClientAuthenticationMethod's #350

wants to merge 1 commit into from

Conversation

bibibiu2017
Copy link
Contributor

@bibibiu2017 bibibiu2017 commented Jul 14, 2021
edited by jgrandja
Loading

Fixes gh-346

@pivotal-cla
Copy link

@bibibiu2017 Please sign the Contributor License Agreement!

Click here to manually synchronize the status of this Pull Request.

See the FAQ for frequently asked questions.

@pivotal-cla
Copy link

@bibibiu2017 Thank you for signing the Contributor License Agreement!

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 14, 2021
@sjohnr
Copy link
Member

sjohnr commented Jul 15, 2021

Hi @bibibiu2017, thanks for your interest in the project!

Unfortunately, this change has broken quite a lot of tests. Any chance you can take a look at those? Looking at the tests may highlight whether this alone is the correct change to make or not. I'm still catching up on the issue myself.

Also, please refer to contributing guidelines when submitting pull requests. In particular, you will want to update the header of files updated with the year "2021" in the copyright, squash your commits, and include "Fixes gh-346" on a separate line in your commit comment.

@sjohnr sjohnr self-assigned this Jul 15, 2021
@bibibiu2017 bibibiu2017 changed the title fixed: fixed basic authorization not working Fixes Basic and Post Client Credentials not Working gh-346 Jul 16, 2021
@bibibiu2017
Copy link
Contributor Author

I have taken a look at the tests, the configured test registered clients, and some assertions are using the deprecated POST and BASIC Client authentication methods.

@sjohnr
Copy link
Member

sjohnr commented Jul 16, 2021

Thanks for looking at the tests, @bibibiu2017! I've tested on your branch, and while the immediate issue is resolved with this change, the sample project no longer works. This is because we've flipped the problem so now the deprecated client authentication methods are not allowed.

This is a difficult issue to solve for without too many changes, due to the fact that the AuthenticationConverters being used aren't aware of the RegisteredClient which requests what method(s) should be supported, as that later runs into a conflict in OAuth2ClientAuthenticationProvider.java#L103.

Of the available options, I think we can either:

  1. Automatically add CLIENT_SECRET_BASIC or CLIENT_SECRET_POST when a client is registered with BASIC or POST respectively, or
  2. Automatically upgrade BASIC or POST to CLIENT_SECRET_BASIC or CLIENT_SECRET_POST respectively when a client is registered.

Both options could have an impact. Would you be able to attempt option 2? One approach could be limiting changes to RegisteredClient.Builder#clientAuthenticationMethod, RegisteredClient.Builder#clientAuthenticationMethods and tests.

@bibibiu2017 bibibiu2017 force-pushed the main branch 2 times, most recently from ff63483 to b143215 Compare July 16, 2021 20:00
@bibibiu2017
Copy link
Contributor Author

I have attempted option 2. Though I could not localize impact to the recommended test files due to assertions that check equality with deprecated BASIC and POST. One recommendation would be to change overridden equals() method of ClientAuthenticationMethod making BASIC or POST equivalent to CLIENT_SECRET_BASIC or CLIENT_SECRET_POST respectively.

sjohnr
sjohnr reviewed Jul 16, 2021
View reviewed changes
Copy link
Member

@sjohnr sjohnr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bibibiu2017, sorry I should have been more clear, I meant "limiting additional changes outside of tests" and I think you have done that! I was just thinking of a slightly different approach than yours, but they work out to the same thing. So this seems like a great option!

See inline feedback below. Just a note I'm not going to merge this right away, as I'd like to have a discussion with our community maintainer first, but if we can get it ready for merge, then we'll be in really good shape.

...n/java/org/springframework/security/oauth2/server/authorization/client/RegisteredClient.java Outdated Show resolved Hide resolved
...n/java/org/springframework/security/oauth2/server/authorization/client/RegisteredClient.java Outdated Show resolved Hide resolved
...a/org/springframework/security/oauth2/server/authorization/client/RegisteredClientTests.java Show resolved Hide resolved
...a/org/springframework/security/oauth2/server/authorization/client/RegisteredClientTests.java Show resolved Hide resolved
@sjohnr
Copy link
Member

sjohnr commented Jul 16, 2021

Also, I forgot to mention, make sure your commit message contains on a separate line:

"Closes gh-346"

@sjohnr sjohnr added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 16, 2021
@bibibiu2017
Copy link
Contributor Author

@sjohnr thanks for the feedback will be working on this shortly.

@bibibiu2017 bibibiu2017 force-pushed the main branch 3 times, most recently from 01e58d8 to dadbf48 Compare July 17, 2021 05:01
@jgrandja jgrandja changed the title Fixes Basic and Post Client Credentials not Working gh-346 Remove use of deprecated ClientAuthenticationMethod's Jul 20, 2021
@jgrandja jgrandja self-requested a review July 20, 2021 10:40
@jgrandja jgrandja assigned jgrandja and unassigned sjohnr Jul 20, 2021
@jgrandja jgrandja added this to the 0.2.0 milestone Jul 20, 2021
@jgrandja jgrandja added the status: duplicate A duplicate of another issue label Jul 20, 2021
jgrandja added a commit that referenced this pull request Jul 20, 2021
@jgrandja
Polish gh-350
75d6495
@jgrandja
Copy link
Collaborator

Thanks for all the updates @bibibiu2017 ! This is now in main.

I also added a polish commit that ensures all usages of ClientAuthenticationMethod.BASIC and ClientAuthenticationMethod.POST are no longer used.

@jgrandja jgrandja closed this Jul 20, 2021
doba16 pushed a commit to doba16/spring-authorization-server that referenced this pull request Apr 21, 2023
@jgrandja
Polish spring-projectsgh-350
d41899b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sjohnr sjohnr sjohnr left review comments

@jgrandja jgrandja Awaiting requested review from jgrandja

Assignees

@jgrandja jgrandja

Labels
status: duplicate A duplicate of another issue type: bug A general bug
Projects
None yet
Milestone
0.2.0
Development

Successfully merging this pull request may close these issues.

Cannot request access token for client with CLIENT_SECRET_BASIC
5 participants
@bibibiu2017 @pivotal-cla @sjohnr @jgrandja @spring-projects-issues