Polish gh-8501

config/src/main/java/org/springframework/security/config/oauth2/client/CommonOAuth2Provider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,8 +41,8 @@ public Builder getBuilder(String registrationId) {
 			builder.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
 			builder.tokenUri("https://www.googleapis.com/oauth2/v4/token");
 			builder.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs");
-			builder.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo");
 			builder.issuerUri("https://accounts.google.com");
+			builder.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo");
 			builder.userNameAttributeName(IdTokenClaimNames.SUB);
 			builder.clientName("Google");
 			return builder;

config/src/test/java/org/springframework/security/config/oauth2/client/CommonOAuth2ProviderTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -47,6 +47,8 @@ public void getBuilderWhenGoogleShouldHaveGoogleSettings() {
 			.isEqualTo(IdTokenClaimNames.SUB);
 		assertThat(providerDetails.getJwkSetUri())
 			.isEqualTo("https://www.googleapis.com/oauth2/v3/certs");
+		assertThat(providerDetails.getIssuerUri())
+				.isEqualTo("https://accounts.google.com");
 		assertThat(registration.getClientAuthenticationMethod())
 			.isEqualTo(ClientAuthenticationMethod.BASIC);
 		assertThat(registration.getAuthorizationGrantType())

docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc

@@ -166,12 +166,13 @@ public final class ClientRegistration {
 		private String tokenUri;	<10>
 		private UserInfoEndpoint userInfoEndpoint;
 		private String jwkSetUri;	<11>
-        private Map<String, Object> configurationMetadata;  <12>
+		private String issuerUri;	<12>
+        private Map<String, Object> configurationMetadata;  <13>
 
 		public class UserInfoEndpoint {
-			private String uri;	<13>
-            private AuthenticationMethod authenticationMethod;  <14>
-			private String userNameAttributeName;	<15>
+			private String uri;	<14>
+            private AuthenticationMethod authenticationMethod;  <15>
+			private String userNameAttributeName;	<16>
 
 		}
 	}
@@ -193,12 +194,13 @@ The name may be used in certain scenarios, such as when displaying the name of t
 <10> `tokenUri`: The Token Endpoint URI for the Authorization Server.
 <11> `jwkSetUri`: The URI used to retrieve the https://tools.ietf.org/html/rfc7517[JSON Web Key (JWK)] Set from the Authorization Server,
  which contains the cryptographic key(s) used to verify the https://tools.ietf.org/html/rfc7515[JSON Web Signature (JWS)] of the ID Token and optionally the UserInfo Response.
-<12> `configurationMetadata`: The https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[OpenID Provider Configuration Information].
+<12> `issuerUri`: Returns the issuer identifier uri for the OpenID Connect 1.0 provider or the OAuth 2.0 Authorization Server.
+<13> `configurationMetadata`: The https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[OpenID Provider Configuration Information].
  This information will only be available if the Spring Boot 2.x property `spring.security.oauth2.client.provider.[providerId].issuerUri` is configured.
-<13> `(userInfoEndpoint)uri`: The UserInfo Endpoint URI used to access the claims/attributes of the authenticated end-user.
-<14> `(userInfoEndpoint)authenticationMethod`: The authentication method used when sending the access token to the UserInfo Endpoint.
+<14> `(userInfoEndpoint)uri`: The UserInfo Endpoint URI used to access the claims/attributes of the authenticated end-user.
+<15> `(userInfoEndpoint)authenticationMethod`: The authentication method used when sending the access token to the UserInfo Endpoint.
 The supported values are *header*, *form* and *query*.
-<15> `userNameAttributeName`: The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user.
+<16> `userNameAttributeName`: The name of the attribute returned in the UserInfo Response that references the Name or Identifier of the end-user.
 
 A `ClientRegistration` can be initially configured using discovery of an OpenID Connect Provider's https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Configuration endpoint] or an Authorization Server's https://tools.ietf.org/html/rfc8414#section-3[Metadata endpoint].
 

docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc

@@ -131,6 +131,9 @@ The following table outlines the mapping of the Spring Boot 2.x OAuth Client pro
 |`spring.security.oauth2.client.provider._[providerId]_.jwk-set-uri`
 |`providerDetails.jwkSetUri`
 
+|`spring.security.oauth2.client.provider._[providerId]_.issuer-uri`
+|`providerDetails.issuerUri`
+
 |`spring.security.oauth2.client.provider._[providerId]_.user-info-uri`
 |`providerDetails.userInfoEndpoint.uri`
 
@@ -139,9 +142,6 @@ The following table outlines the mapping of the Spring Boot 2.x OAuth Client pro
 
 |`spring.security.oauth2.client.provider._[providerId]_.user-name-attribute`
 |`providerDetails.userInfoEndpoint.userNameAttributeName`
-
-|`spring.security.oauth2.client.provider._[providerId]_.issuer-uri`
-|`providerDetails.issuerUri`
 |===
 
 [TIP]

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/ClientRegistrationDeserializer.java

@@ -78,6 +78,7 @@ public ClientRegistration deserialize(JsonParser parser, DeserializationContext
 								findObjectNode(userInfoEndpointNode, "authenticationMethod")))
 				.userNameAttributeName(findStringValue(userInfoEndpointNode, "userNameAttributeName"))
 				.jwkSetUri(findStringValue(providerDetailsNode, "jwkSetUri"))
+				.issuerUri(findStringValue(providerDetailsNode, "issuerUri"))
 				.providerConfigurationMetadata(findValue(providerDetailsNode, "configurationMetadata", MAP_TYPE_REFERENCE, mapper))
 				.build();
 	}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -206,10 +206,11 @@ public String getJwkSetUri() {
 		}
 
 		/**
-		 * Returns the uri for the OpenID Provider Issuer.
+		 * Returns the issuer identifier uri for the OpenID Connect 1.0 provider
+		 * or the OAuth 2.0 Authorization Server.
 		 *
 		 * @since 5.4
-		 * @return the uri for the OpenID Provider Issuer
+		 * @return the issuer identifier uri for the OpenID Connect 1.0 provider or the OAuth 2.0 Authorization Server
 		 */
 		public String getIssuerUri() {
 			return this.issuerUri;
@@ -500,9 +501,11 @@ public Builder jwkSetUri(String jwkSetUri) {
 		}
 
 		/**
-		 * Sets the uri for the OpenID Provider Issuer.
+		 * Sets the issuer identifier uri for the OpenID Connect 1.0 provider
+		 * or the OAuth 2.0 Authorization Server.
 		 *
-		 * @param issuerUri the uri for the OpenID Provider Issuer
+		 * @since 5.4
+		 * @param issuerUri the issuer identifier uri for the OpenID Connect 1.0 provider or the OAuth 2.0 Authorization Server
 		 * @return the {@link Builder}
 		 */
 		public Builder issuerUri(String issuerUri) {

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizedClientMixinTests.java

@@ -86,6 +86,7 @@ public void serializeWhenRequiredAttributesOnlyThenSerializes() throws Exception
 						.userInfoUri(null)
 						.userNameAttributeName(null)
 						.jwkSetUri(null)
+						.issuerUri(null)
 						.build();
 		OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
 				clientRegistration, this.principalName, TestOAuth2AccessTokens.noScopes());
@@ -176,6 +177,7 @@ public void deserializeWhenRequiredAttributesOnlyThenDeserializes() throws Excep
 						.userInfoUri(null)
 						.userNameAttributeName(null)
 						.jwkSetUri(null)
+						.issuerUri(null)
 						.build();
 		OAuth2AccessToken expectedAccessToken = TestOAuth2AccessTokens.noScopes();
 		OAuth2AuthorizedClient expectedAuthorizedClient = new OAuth2AuthorizedClient(

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidatorTests.java

@@ -51,7 +51,7 @@ public class OidcIdTokenValidatorTests {
 	@Before
 	public void setup() {
 		this.headers.put("alg", JwsAlgorithms.RS256);
-		this.claims.put(IdTokenClaimNames.ISS, "https://issuer.example.com");
+		this.claims.put(IdTokenClaimNames.ISS, "https://example.com");
 		this.claims.put(IdTokenClaimNames.SUB, "rob");
 		this.claims.put(IdTokenClaimNames.AUD, Collections.singletonList("client-id"));
 	}
@@ -98,7 +98,7 @@ public void validateWhenMetadataIssuerMismatchThenHasErrors() {
 		 * When the issuer is set in the provider metadata, and it does not match the issuer in the ID Token,
 		 * the validation must fail
 		 */
-		this.registration = this.registration.issuerUri("https://issuer.somethingelse.com");
+		this.registration = this.registration.issuerUri("https://somethingelse.com");
 
 		assertThat(this.validateIdToken())
 				.hasSize(1)
@@ -112,7 +112,7 @@ public void validateWhenMetadataIssuerMatchThenNoErrors() {
 		 * When the issuer is set in the provider metadata, and it does match the issuer in the ID Token,
 		 * the validation must succeed
 		 */
-		this.registration = this.registration.issuerUri("https://issuer.example.com");
+		this.registration = this.registration.issuerUri("https://example.com");
 
 		assertThat(this.validateIdToken()).isEmpty();
 	}

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -48,6 +48,7 @@ public class ClientRegistrationTests {
 	private static final String AUTHORIZATION_URI = "https://provider.com/oauth2/authorization";
 	private static final String TOKEN_URI = "https://provider.com/oauth2/token";
 	private static final String JWK_SET_URI = "https://provider.com/oauth2/keys";
+	private static final String ISSUER_URI = "https://provider.com";
 	private static final String CLIENT_NAME = "Client 1";
 	private static final Map<String, Object> PROVIDER_CONFIGURATION_METADATA =
 			Collections.unmodifiableMap(createProviderConfigurationMetadata());
@@ -89,6 +90,7 @@ public void buildWhenAuthorizationCodeGrantAllAttributesProvidedThenAllAttribute
 			.tokenUri(TOKEN_URI)
 			.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
 			.jwkSetUri(JWK_SET_URI)
+			.issuerUri(ISSUER_URI)
 			.providerConfigurationMetadata(PROVIDER_CONFIGURATION_METADATA)
 			.clientName(CLIENT_NAME)
 			.build();
@@ -104,6 +106,7 @@ public void buildWhenAuthorizationCodeGrantAllAttributesProvidedThenAllAttribute
 		assertThat(registration.getProviderDetails().getTokenUri()).isEqualTo(TOKEN_URI);
 		assertThat(registration.getProviderDetails().getUserInfoEndpoint().getAuthenticationMethod()).isEqualTo(AuthenticationMethod.FORM);
 		assertThat(registration.getProviderDetails().getJwkSetUri()).isEqualTo(JWK_SET_URI);
+		assertThat(registration.getProviderDetails().getIssuerUri()).isEqualTo(ISSUER_URI);
 		assertThat(registration.getProviderDetails().getConfigurationMetadata()).isEqualTo(PROVIDER_CONFIGURATION_METADATA);
 		assertThat(registration.getClientName()).isEqualTo(CLIENT_NAME);
 	}
@@ -743,6 +746,7 @@ public void buildWhenClientRegistrationProvidedThenEachPropertyMatches() {
 				.isEqualTo(updatedUserInfoEndpoint.getUserNameAttributeName());
 
 		assertThat(providerDetails.getJwkSetUri()).isEqualTo(updatedProviderDetails.getJwkSetUri());
+		assertThat(providerDetails.getIssuerUri()).isEqualTo(updatedProviderDetails.getIssuerUri());
 		assertThat(providerDetails.getConfigurationMetadata())
 				.isEqualTo(updatedProviderDetails.getConfigurationMetadata());
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationsTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/TestClientRegistrations.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,6 +33,7 @@ public static ClientRegistration.Builder clientRegistration() {
 			.authorizationUri("https://example.com/login/oauth/authorize")
 			.tokenUri("https://example.com/login/oauth/access_token")
 			.jwkSetUri("https://example.com/oauth2/jwk")
+			.issuerUri("https://example.com")
 			.userInfoUri("https://api.example.com/user")
 			.userNameAttributeName("id")
 			.clientName("Client Name")