Use OAuth2ParameterNames.REQUEST_URI

Issue gh-1925

Closes gh-1991

Author: jgrandja

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java

@@ -124,22 +124,22 @@ public Authentication authenticate(Authentication authentication) throws Authent
 
 		OAuth2Authorization pushedAuthorization = null;
 		String requestUri = (String) authorizationCodeRequestAuthentication.getAdditionalParameters()
-			.get("request_uri");
+			.get(OAuth2ParameterNames.REQUEST_URI);
 		if (StringUtils.hasText(requestUri)) {
 			OAuth2PushedAuthorizationRequestUri pushedAuthorizationRequestUri = null;
 			try {
 				pushedAuthorizationRequestUri = OAuth2PushedAuthorizationRequestUri.parse(requestUri);
 			}
 			catch (Exception ex) {
-				throwError(OAuth2ErrorCodes.INVALID_REQUEST, "request_uri", authorizationCodeRequestAuthentication,
-						null);
+				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REQUEST_URI,
+						authorizationCodeRequestAuthentication, null);
 			}
 
 			pushedAuthorization = this.authorizationService.findByToken(pushedAuthorizationRequestUri.getState(),
 					STATE_TOKEN_TYPE);
 			if (pushedAuthorization == null) {
-				throwError(OAuth2ErrorCodes.INVALID_REQUEST, "request_uri", authorizationCodeRequestAuthentication,
-						null);
+				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REQUEST_URI,
+						authorizationCodeRequestAuthentication, null);
 			}
 
 			if (this.logger.isTraceEnabled()) {
@@ -162,8 +162,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
 						.warn(LogMessage.format("Removed expired pushed authorization request for client id '%s'",
 								authorizationRequest.getClientId()));
 				}
-				throwError(OAuth2ErrorCodes.INVALID_REQUEST, "request_uri", authorizationCodeRequestAuthentication,
-						null);
+				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REQUEST_URI,
+						authorizationCodeRequestAuthentication, null);
 			}
 
 			authorizationCodeRequestAuthentication = new OAuth2AuthorizationCodeRequestAuthenticationToken(

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2PushedAuthorizationRequestEndpointFilter.java

@@ -208,7 +208,8 @@ private void sendPushedAuthorizationResponse(HttpServletRequest request, HttpSer
 		OAuth2PushedAuthorizationRequestAuthenticationToken pushedAuthorizationRequestAuthentication = (OAuth2PushedAuthorizationRequestAuthenticationToken) authentication;
 
 		Map<String, Object> pushedAuthorizationResponse = new LinkedHashMap<>();
-		pushedAuthorizationResponse.put("request_uri", pushedAuthorizationRequestAuthentication.getRequestUri());
+		pushedAuthorizationResponse.put(OAuth2ParameterNames.REQUEST_URI,
+				pushedAuthorizationRequestAuthentication.getRequestUri());
 		long expiresIn = ChronoUnit.SECONDS.between(Instant.now(),
 				pushedAuthorizationRequestAuthentication.getRequestUriExpiresAt());
 		pushedAuthorizationResponse.put(OAuth2ParameterNames.EXPIRES_IN, expiresIn);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java

@@ -89,14 +89,14 @@ public Authentication convert(HttpServletRequest request) {
 
 		// request_uri (OPTIONAL) - provided if an authorization request was previously
 		// pushed (RFC 9126 OAuth 2.0 Pushed Authorization Requests)
-		String requestUri = parameters.getFirst("request_uri");
+		String requestUri = parameters.getFirst(OAuth2ParameterNames.REQUEST_URI);
 		if (StringUtils.hasText(requestUri)) {
 			if (pushedAuthorizationRequest) {
-				throwError(OAuth2ErrorCodes.INVALID_REQUEST, "request_uri");
+				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REQUEST_URI);
 			}
-			else if (parameters.get("request_uri").size() != 1) {
+			else if (parameters.get(OAuth2ParameterNames.REQUEST_URI).size() != 1) {
 				// Authorization Request
-				throwError(OAuth2ErrorCodes.INVALID_REQUEST, "request_uri");
+				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REQUEST_URI);
 			}
 		}
 

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProviderTests.java

@@ -617,7 +617,7 @@ public void authenticateWhenAuthorizationCodeRequestWithRequestUriThenReturnAuth
 		OAuth2PushedAuthorizationRequestUri pushedAuthorizationRequestUri = OAuth2PushedAuthorizationRequestUri
 			.create();
 		Map<String, Object> additionalParameters = new HashMap<>();
-		additionalParameters.put("request_uri", pushedAuthorizationRequestUri.getRequestUri());
+		additionalParameters.put(OAuth2ParameterNames.REQUEST_URI, pushedAuthorizationRequestUri.getRequestUri());
 		OAuth2Authorization authorization = TestOAuth2Authorizations
 			.authorization(registeredClient, additionalParameters)
 			.build();
@@ -643,7 +643,7 @@ public void authenticateWhenAuthorizationCodeRequestWithInvalidRequestUriThenThr
 		OAuth2PushedAuthorizationRequestUri pushedAuthorizationRequestUri = OAuth2PushedAuthorizationRequestUri
 			.create();
 		Map<String, Object> additionalParameters = new HashMap<>();
-		additionalParameters.put("request_uri", pushedAuthorizationRequestUri.getRequestUri());
+		additionalParameters.put(OAuth2ParameterNames.REQUEST_URI, pushedAuthorizationRequestUri.getRequestUri());
 		OAuth2Authorization authorization = TestOAuth2Authorizations
 			.authorization(registeredClient, additionalParameters)
 			.build();
@@ -652,12 +652,12 @@ public void authenticateWhenAuthorizationCodeRequestWithInvalidRequestUriThenThr
 
 		OAuth2AuthorizationCodeRequestAuthenticationToken authentication = new OAuth2AuthorizationCodeRequestAuthenticationToken(
 				AUTHORIZATION_URI, registeredClient.getClientId(), this.principal, null, null, null,
-				Collections.singletonMap("request_uri", "invalid_request_uri"));
+				Collections.singletonMap(OAuth2ParameterNames.REQUEST_URI, "invalid_request_uri"));
 
 		assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
 			.isInstanceOf(OAuth2AuthorizationCodeRequestAuthenticationException.class)
 			.satisfies((ex) -> assertAuthenticationException((OAuth2AuthorizationCodeRequestAuthenticationException) ex,
-					OAuth2ErrorCodes.INVALID_REQUEST, "request_uri", null));
+					OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REQUEST_URI, null));
 	}
 
 	@Test
@@ -668,7 +668,7 @@ public void authenticateWhenAuthorizationCodeRequestWithRequestUriIssuedToAnothe
 		OAuth2PushedAuthorizationRequestUri pushedAuthorizationRequestUri = OAuth2PushedAuthorizationRequestUri
 			.create();
 		Map<String, Object> additionalParameters = new HashMap<>();
-		additionalParameters.put("request_uri", pushedAuthorizationRequestUri.getRequestUri());
+		additionalParameters.put(OAuth2ParameterNames.REQUEST_URI, pushedAuthorizationRequestUri.getRequestUri());
 		OAuth2Authorization authorization = TestOAuth2Authorizations
 			.authorization(registeredClient, additionalParameters)
 			.build();
@@ -692,7 +692,7 @@ public void authenticateWhenAuthorizationCodeRequestWithExpiredRequestUriThenThr
 		OAuth2PushedAuthorizationRequestUri pushedAuthorizationRequestUri = OAuth2PushedAuthorizationRequestUri
 			.create(Instant.now().minusSeconds(5));
 		Map<String, Object> additionalParameters = new HashMap<>();
-		additionalParameters.put("request_uri", pushedAuthorizationRequestUri.getRequestUri());
+		additionalParameters.put(OAuth2ParameterNames.REQUEST_URI, pushedAuthorizationRequestUri.getRequestUri());
 		OAuth2Authorization authorization = TestOAuth2Authorizations
 			.authorization(registeredClient, additionalParameters)
 			.build();
@@ -706,7 +706,7 @@ public void authenticateWhenAuthorizationCodeRequestWithExpiredRequestUriThenThr
 		assertThatThrownBy(() -> this.authenticationProvider.authenticate(authentication))
 			.isInstanceOf(OAuth2AuthorizationCodeRequestAuthenticationException.class)
 			.satisfies((ex) -> assertAuthenticationException((OAuth2AuthorizationCodeRequestAuthenticationException) ex,
-					OAuth2ErrorCodes.INVALID_REQUEST, "request_uri", null));
+					OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.REQUEST_URI, null));
 		verify(this.authorizationService).remove(eq(authorization));
 	}
 
@@ -774,7 +774,7 @@ private void assertAuthorizationCodeRequestWithAuthorizationCodeResult(Registere
 		assertThat(authorizationRequest.getAuthorizationUri()).isEqualTo(authentication.getAuthorizationUri());
 		assertThat(authorizationRequest.getClientId()).isEqualTo(registeredClient.getClientId());
 
-		String requestUri = (String) authentication.getAdditionalParameters().get("request_uri");
+		String requestUri = (String) authentication.getAdditionalParameters().get(OAuth2ParameterNames.REQUEST_URI);
 		if (!StringUtils.hasText(requestUri)) {
 			assertThat(authorizationRequest.getRedirectUri()).isEqualTo(authentication.getRedirectUri());
 			assertThat(authorizationRequest.getScopes()).isEqualTo(authentication.getScopes());

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java

@@ -1037,7 +1037,7 @@ public void requestWhenPushedAuthorizationRequestThenReturnAccessTokenResponse()
 		mvcResult = this.mvc
 			.perform(get(DEFAULT_AUTHORIZATION_ENDPOINT_URI)
 				.queryParam(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
-				.queryParam("request_uri", requestUri)
+				.queryParam(OAuth2ParameterNames.REQUEST_URI, requestUri)
 				.with(user("user")))
 			.andExpect(status().is3xxRedirection())
 			.andReturn();

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilterTests.java

@@ -190,9 +190,9 @@ public void doFilterWhenNotAuthorizationRequestThenNotProcessed() throws Excepti
 	@Test
 	public void doFilterWhenAuthorizationRequestMultipleRequestUriThenInvalidRequestError() throws Exception {
 		doFilterWhenAuthorizationRequestInvalidParameterThenError(TestRegisteredClients.registeredClient().build(),
-				"request_uri", OAuth2ErrorCodes.INVALID_REQUEST, (request) -> {
-					request.addParameter("request_uri", "request_uri");
-					request.addParameter("request_uri", "request_uri_2");
+				OAuth2ParameterNames.REQUEST_URI, OAuth2ErrorCodes.INVALID_REQUEST, (request) -> {
+					request.addParameter(OAuth2ParameterNames.REQUEST_URI, OAuth2ParameterNames.REQUEST_URI);
+					request.addParameter(OAuth2ParameterNames.REQUEST_URI, "request_uri_2");
 					updateQueryString(request);
 				});
 	}

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/web/OAuth2PushedAuthorizationRequestEndpointFilterTests.java

@@ -170,8 +170,9 @@ public void doFilterWhenNotPushedAuthorizationRequestThenNotProcessed() throws E
 	@Test
 	public void doFilterWhenPushedAuthorizationRequestIncludesRequestUriThenInvalidRequestError() throws Exception {
 		doFilterWhenPushedAuthorizationRequestInvalidParameterThenError(
-				TestRegisteredClients.registeredClient().build(), "request_uri", OAuth2ErrorCodes.INVALID_REQUEST,
-				(request) -> request.addParameter("request_uri", "request_uri"));
+				TestRegisteredClients.registeredClient().build(), OAuth2ParameterNames.REQUEST_URI,
+				OAuth2ErrorCodes.INVALID_REQUEST,
+				(request) -> request.addParameter(OAuth2ParameterNames.REQUEST_URI, OAuth2ParameterNames.REQUEST_URI));
 	}
 
 	@Test
@@ -292,9 +293,9 @@ public void doFilterWhenPushedAuthorizationRequestAuthenticationExceptionThenErr
 	public void doFilterWhenCustomAuthenticationConverterThenUsed() throws Exception {
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 		OAuth2PushedAuthorizationRequestAuthenticationToken pushedAuthorizationRequestAuthenticationResult = new OAuth2PushedAuthorizationRequestAuthenticationToken(
-				AUTHORIZATION_URI, registeredClient.getClientId(), this.clientPrincipal, "request_uri",
-				Instant.now().plusSeconds(30), registeredClient.getRedirectUris().iterator().next(), STATE,
-				registeredClient.getScopes());
+				AUTHORIZATION_URI, registeredClient.getClientId(), this.clientPrincipal,
+				OAuth2ParameterNames.REQUEST_URI, Instant.now().plusSeconds(30),
+				registeredClient.getRedirectUris().iterator().next(), STATE, registeredClient.getScopes());
 
 		AuthenticationConverter authenticationConverter = mock(AuthenticationConverter.class);
 		given(authenticationConverter.convert(any())).willReturn(pushedAuthorizationRequestAuthenticationResult);
@@ -317,9 +318,9 @@ public void doFilterWhenCustomAuthenticationConverterThenUsed() throws Exception
 	public void doFilterWhenCustomAuthenticationSuccessHandlerThenUsed() throws Exception {
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 		OAuth2PushedAuthorizationRequestAuthenticationToken pushedAuthorizationRequestAuthenticationResult = new OAuth2PushedAuthorizationRequestAuthenticationToken(
-				AUTHORIZATION_URI, registeredClient.getClientId(), this.clientPrincipal, "request_uri",
-				Instant.now().plusSeconds(30), registeredClient.getRedirectUris().iterator().next(), STATE,
-				registeredClient.getScopes());
+				AUTHORIZATION_URI, registeredClient.getClientId(), this.clientPrincipal,
+				OAuth2ParameterNames.REQUEST_URI, Instant.now().plusSeconds(30),
+				registeredClient.getRedirectUris().iterator().next(), STATE, registeredClient.getScopes());
 		given(this.authenticationManager.authenticate(any()))
 			.willReturn(pushedAuthorizationRequestAuthenticationResult);
 
@@ -371,9 +372,9 @@ public void doFilterWhenCustomAuthenticationDetailsSourceThenUsed() throws Excep
 		this.filter.setAuthenticationDetailsSource(authenticationDetailsSource);
 
 		OAuth2PushedAuthorizationRequestAuthenticationToken pushedAuthorizationRequestAuthenticationResult = new OAuth2PushedAuthorizationRequestAuthenticationToken(
-				AUTHORIZATION_URI, registeredClient.getClientId(), this.clientPrincipal, "request_uri",
-				Instant.now().plusSeconds(30), registeredClient.getRedirectUris().iterator().next(), STATE,
-				registeredClient.getScopes());
+				AUTHORIZATION_URI, registeredClient.getClientId(), this.clientPrincipal,
+				OAuth2ParameterNames.REQUEST_URI, Instant.now().plusSeconds(30),
+				registeredClient.getRedirectUris().iterator().next(), STATE, registeredClient.getScopes());
 
 		given(this.authenticationManager.authenticate(any()))
 			.willReturn(pushedAuthorizationRequestAuthenticationResult);
@@ -390,7 +391,7 @@ public void doFilterWhenCustomAuthenticationDetailsSourceThenUsed() throws Excep
 	@Test
 	public void doFilterWhenPushedAuthorizationRequestAuthenticatedThenPushedAuthorizationResponse() throws Exception {
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
-		String requestUri = "request_uri";
+		String requestUri = OAuth2ParameterNames.REQUEST_URI;
 		Instant requestUriExpiresAt = Instant.now().plusSeconds(30);
 		OAuth2PushedAuthorizationRequestAuthenticationToken pushedAuthorizationRequestAuthenticationResult = new OAuth2PushedAuthorizationRequestAuthenticationToken(
 				AUTHORIZATION_URI, registeredClient.getClientId(), this.clientPrincipal, requestUri,
@@ -424,7 +425,7 @@ public void doFilterWhenPushedAuthorizationRequestAuthenticatedThenPushedAuthori
 			.isEqualTo(new String[] { "custom-value-1", "custom-value-2" });
 		assertThat(response.getStatus()).isEqualTo(HttpStatus.CREATED.value());
 		Map<String, Object> responseParameters = readPushedAuthorizationResponse(response);
-		assertThat(responseParameters.get("request_uri")).isEqualTo(requestUri);
+		assertThat(responseParameters.get(OAuth2ParameterNames.REQUEST_URI)).isEqualTo(requestUri);
 		Instant requestUriExpiry = Instant.now()
 			.plusSeconds(Long.parseLong(String.valueOf(responseParameters.get("expires_in"))));
 		assertThat(requestUriExpiry).isBetween(requestUriExpiresAt.minusSeconds(1), requestUriExpiresAt.plusSeconds(1));