From 0396157543639c82df0dc6ef6757c119ad5f189e Mon Sep 17 00:00:00 2001
From: Justin Richer
Date: Wed, 12 Nov 2014 16:03:06 -1000
Subject: [PATCH] added ROLE_CLIENT to assertion client authentication, cleaned up roles on client secret authentication, closes #728, closes #401
---
.../impl/DefaultClientUserDetailsService.java | 14 +++++---------
.../assertion/JwtBearerAuthenticationProvider.java | 13 ++++++++++++-
2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
index 8b469bad7..7cbf5586b 100644
--- a/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
+++ b/openid-connect-common/src/main/java/org/mitre/oauth2/service/impl/DefaultClientUserDetailsService.java
@@ -18,8 +18,8 @@ package org.mitre.oauth2.service.impl;
import java.math.BigInteger;
import java.security.SecureRandom;
-import java.util.ArrayList;
import java.util.Collection;
+import java.util.HashSet;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.model.ClientDetailsEntity.AuthMethod;
@@ -44,6 +44,8 @@ import com.google.common.base.Strings;
@Service("clientUserDetailsService")
public class DefaultClientUserDetailsService implements UserDetailsService {
+ private static GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
+
@Autowired
private ClientDetailsEntityService clientDetailsService;
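Review bot: The new `ROLE_CLIENT` field in DefaultClientUserDetailsService is `private static` without `final`, so it is a mutable class-wide field rather than a constant, while the same field added to JwtBearerAuthenticationProvider in this patch is `private static final`. A static that holds the authority handed to every authenticated client should not be reassignable; change it to `private static final GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");`. A one-line comment on why it exists would also help, e.g. `// every client authenticating here is granted ROLE_CLIENT on top of its stored authorities`. The first hunk of this file is import-only and needs nothing.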
@@ -70,14 +72,8 @@ public class DefaultClientUserDetailsService implements UserDetailsService {
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
boolean accountNonLocked = true;
- Collection authorities = client.getAuthorities();
- if (authorities == null || authorities.isEmpty()) {
- // automatically inject ROLE_CLIENT if none exists ...
- // TODO: this should probably happen on the client service side instead to keep it in the real data model
- authorities = new ArrayList();
- GrantedAuthority roleClient = new SimpleGrantedAuthority("ROLE_CLIENT");
- authorities.add(roleClient);
- }
+ Collection authorities = new HashSet(client.getAuthorities());
+ authorities.add(ROLE_CLIENT);
return new User(clientId, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
} else {
diff --git a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
index 86150d0e7..4513ebb1c 100644
--- a/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
+++ b/openid-connect-server/src/main/java/org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.java
@@ -21,6 +21,8 @@ package org.mitre.openid.connect.assertion;
import java.text.ParseException;
import java.util.Date;
+import java.util.HashSet;
+import java.util.Set;
import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
import org.mitre.jwt.signer.service.impl.JWKSetCacheService;
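Review bot: The removed branch explicitly handled `authorities == null`, but the replacement `new HashSet(client.getAuthorities())` dereferences the stored authorities unconditionally, so a client record with null authorities would now make loadUserByUsername throw a NullPointerException mid-authentication instead of producing a user with ROLE_CLIENT. Whether `getAuthorities()` can return null is decided by ClientDetailsEntity, which is not in this patch; if it can, keep the guard: `Collection<GrantedAuthority> authorities = new HashSet<>();` / `if (client.getAuthorities() != null) { authorities.addAll(client.getAuthorities()); }` / `authorities.add(ROLE_CLIENT);`. The `Collection` and `HashSet` on the new line also show no type arguments here, which may be an artifact of this rendering, but if they really are raw types they should carry `<GrantedAuthority>` and `<>`. The conditional this hunk sits in starts before the hunk and its `else` branch continues past it.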
@@ -36,6 +38,8 @@ import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;
@@ -52,6 +56,8 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
private static final Logger logger = LoggerFactory.getLogger(JwtBearerAuthenticationProvider.class);
+ private static final GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");
+
// map of verifiers, load keys for clients
@Autowired
private JWKSetCacheService validators;
@@ -182,7 +188,12 @@ public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
}
// IFF we managed to get all the way down here, the token is valid
- return new JwtBearerAssertionAuthenticationToken(client.getClientId(), jwt, client.getAuthorities());
+
+ // add in the ROLE_CLIENT authority
+ Set authorities = new HashSet<>(client.getAuthorities());
+ authorities.add(ROLE_CLIENT);
+ return new JwtBearerAssertionAuthenticationToken(client.getClientId(), jwt, authorities);
} catch (InvalidClientException e) {
throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getClientId());
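Review bot: `new HashSet<>(client.getAuthorities())` on the new side throws a NullPointerException when the client's stored authorities are null, and because this runs after the assertion has been fully validated, a correctly signed assertion for such a client would now end in an unhandled exception rather than an authentication result; the removed line passed the value through untouched. ClientDetailsEntity is outside the patch, so whether null is reachable cannot be confirmed here, but if it is, build the set defensively: `Set<GrantedAuthority> authorities = new HashSet<>();` / `if (client.getAuthorities() != null) { authorities.addAll(client.getAuthorities()); }` / `authorities.add(ROLE_CLIENT);`. It is also worth stating at the `// add in the ROLE_CLIENT authority` comment that the result is the union of the client's stored roles and ROLE_CLIENT, so any elevated role stored on the client record is granted to whoever holds the client's assertion signing key, i.e. `// union of the client's stored authorities and ROLE_CLIENT: never less than what is stored, never less than ROLE_CLIENT`. The `Set` declared type shows no type argument in this rendering; if it is genuinely raw, add `<GrantedAuthority>`. The `try` block closed by this `catch` begins before the hunk, and the first two hunks of this file are import and constant declarations needing nothing.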