Fix the client_auth_method check (#3243)

* Test to ensure client credentials auth check

* Fix the client_auth_method check

Ensure for client_credentials that either secret or private_key_jwt is used
If value from claim client_auth_method is none or empty we have to reject token requests

* Fix test

Wanted is bad request

(cherry picked from commit e7a9334)

Author: strehle

model/src/main/java/org/cloudfoundry/identity/uaa/oauth/token/TokenConstants.java

@@ -66,6 +66,7 @@ static public List<String> getStringValues() {
 
     public static final String CLIENT_AUTH_NONE = ClientAuthentication.NONE;
     public static final String CLIENT_AUTH_EMPTY = "empty";
+    public static final String CLIENT_AUTH_SECRET = "secret";
     public static final String CLIENT_AUTH_PRIVATE_KEY_JWT = ClientAuthentication.PRIVATE_KEY_JWT;
 
     public static final String ID_TOKEN_HINT_PROMPT = "prompt";

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/provider/client/ClientCredentialsTokenGranter.java

@@ -8,6 +8,10 @@
 import org.cloudfoundry.identity.uaa.oauth.provider.token.AuthorizationServerTokenServices;
 import org.cloudfoundry.identity.uaa.oauth.provider.ClientDetailsService;
 
+import java.util.List;
+
+import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.CLIENT_AUTH_PRIVATE_KEY_JWT;
+import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.CLIENT_AUTH_SECRET;
 import static org.cloudfoundry.identity.uaa.oauth.token.TokenConstants.GRANT_TYPE_CLIENT_CREDENTIALS;
 
 /**
@@ -20,6 +24,8 @@
  */
 public class ClientCredentialsTokenGranter extends AbstractTokenGranter {
 
+    private static final List<String> ALLOWED_AUTH_METHODS = List.of(CLIENT_AUTH_SECRET, CLIENT_AUTH_PRIVATE_KEY_JWT);
+
 	public ClientCredentialsTokenGranter(AuthorizationServerTokenServices tokenServices,
 			ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory) {
 		this(tokenServices, clientDetailsService, requestFactory, GRANT_TYPE_CLIENT_CREDENTIALS);
@@ -33,7 +39,7 @@ protected ClientCredentialsTokenGranter(AuthorizationServerTokenServices tokenSe
 	@Override
 	public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
 		OAuth2AccessToken token = super.grant(grantType, tokenRequest);
-		if (token != null) {
+        if (token != null && isValidClientAuthentication(ALLOWED_AUTH_METHODS)) {
 			DefaultOAuth2AccessToken norefresh = new DefaultOAuth2AccessToken(token);
 			// The spec says that client credentials should not be allowed to get a refresh token
 			norefresh.setRefreshToken(null);

server/src/main/java/org/cloudfoundry/identity/uaa/oauth/provider/token/AbstractTokenGranter.java

@@ -2,7 +2,9 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
 import org.cloudfoundry.identity.uaa.oauth.common.OAuth2AccessToken;
+import org.cloudfoundry.identity.uaa.oauth.common.exceptions.InvalidRequestException;
 import org.cloudfoundry.identity.uaa.oauth.provider.OAuth2Authentication;
 import org.cloudfoundry.identity.uaa.oauth.provider.OAuth2Request;
 import org.cloudfoundry.identity.uaa.oauth.provider.OAuth2RequestFactory;
@@ -11,8 +13,16 @@
 import org.cloudfoundry.identity.uaa.oauth.common.exceptions.InvalidClientException;
 import org.cloudfoundry.identity.uaa.oauth.provider.ClientDetails;
 import org.cloudfoundry.identity.uaa.oauth.provider.ClientDetailsService;
+import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
+import org.cloudfoundry.identity.uaa.util.UaaSecurityContextUtils;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.util.Collection;
+import java.util.List;
+import java.util.Optional;
 
 /**
  * Moved class AbstractTokenGranter implementation of from spring-security-oauth2 into UAA
@@ -76,6 +86,26 @@ protected void validateGrantType(String grantType, ClientDetails clientDetails)
 		}
 	}
 
+    protected boolean isValidClientAuthentication(List<String> allowedMethods) {
+        SecurityContext context = SecurityContextHolder.getContext();
+        if (allowedMethods.contains(Optional.ofNullable(getUaaClientAuthenticationMethod(context.getAuthentication()))
+                        .orElse(TokenConstants.CLIENT_AUTH_SECRET))) {
+            // internal null for client authentication means secret based (authorization header or post body)
+            return true;
+        } else {
+            throw new InvalidRequestException("Client credentials required");
+        }
+    }
+
+    protected String getUaaClientAuthenticationMethod(Authentication authentication) {
+        if (authentication instanceof UsernamePasswordAuthenticationToken && authentication.isAuthenticated() &&
+                authentication.getDetails() instanceof UaaAuthenticationDetails) {
+            return ((UaaAuthenticationDetails) authentication.getDetails()).getAuthenticationMethod();
+        } else {
+            return UaaSecurityContextUtils.getClientAuthenticationMethod(authentication);
+        }
+    }
+
 	protected AuthorizationServerTokenServices getTokenServices() {
 		return tokenServices;
 	}

server/src/test/java/org/cloudfoundry/identity/uaa/oauth/provider/client/ClientCredentialsTokenGranterTests.java

@@ -1,6 +1,9 @@
 package org.cloudfoundry.identity.uaa.oauth.provider.client;
 
+import org.cloudfoundry.identity.uaa.authentication.UaaAuthenticationDetails;
+import org.cloudfoundry.identity.uaa.oauth.common.DefaultOAuth2AccessToken;
 import org.cloudfoundry.identity.uaa.oauth.common.OAuth2AccessToken;
+import org.cloudfoundry.identity.uaa.oauth.common.exceptions.InvalidRequestException;
 import org.cloudfoundry.identity.uaa.oauth.provider.ClientDetails;
 import org.cloudfoundry.identity.uaa.oauth.provider.ClientDetailsService;
 import org.cloudfoundry.identity.uaa.oauth.provider.OAuth2Request;
@@ -10,9 +13,13 @@
 import org.cloudfoundry.identity.uaa.oauth.token.TokenConstants;
 import org.junit.Before;
 import org.junit.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
 
 import java.util.Collections;
 
+import static org.assertj.core.api.AssertionsForClassTypes.assertThatThrownBy;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.mockito.ArgumentMatchers.any;
@@ -36,6 +43,11 @@ public void setUp() throws Exception {
     clientCredentialsTokenGranter = new ClientCredentialsTokenGranter(tokenServices, clientDetailsService, requestFactory);
   }
 
+    @AfterEach
+    void cleanUp() {
+        SecurityContextHolder.clearContext();
+    }
+
   @Test
   public void grant() {
     OAuth2Request oAuth2Request = mock(OAuth2Request.class);
@@ -55,4 +67,22 @@ public void grantNoToken() {
     when(oAuth2Request.getAuthorities()).thenReturn(Collections.EMPTY_LIST);
     assertNull(clientCredentialsTokenGranter.grant(TokenConstants.GRANT_TYPE_CLIENT_CREDENTIALS, tokenRequest));
   }
+
+    @Test
+    public void grantNoSecretFails() {
+        UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken("username", null, null);
+        SecurityContextHolder.getContext().setAuthentication(authentication);
+        OAuth2Request oAuth2Request = mock(OAuth2Request.class);
+        UaaAuthenticationDetails uaaAuthenticationDetails = mock(UaaAuthenticationDetails.class);
+        authentication.setDetails(uaaAuthenticationDetails);
+        when(clientDetailsService.loadClientByClientId(any())).thenReturn(mock(ClientDetails.class));
+        when(requestFactory.createOAuth2Request(any(), any())).thenReturn(oAuth2Request);
+        when(tokenServices.createAccessToken(any())).thenReturn(new DefaultOAuth2AccessToken("eyJx"));
+        when(oAuth2Request.getAuthorities()).thenReturn(Collections.emptyList());
+        when(uaaAuthenticationDetails.getAuthenticationMethod()).thenReturn("none");
+        assertThatThrownBy(() -> clientCredentialsTokenGranter
+                .grant(TokenConstants.GRANT_TYPE_CLIENT_CREDENTIALS, tokenRequest))
+                .isInstanceOf(InvalidRequestException.class)
+                .hasMessage("Client credentials required");
+    }
 }

uaa/src/test/java/org/cloudfoundry/identity/uaa/security/UaaUsingDelegatingPasswordEncoderMockMvcTest.java

@@ -56,14 +56,14 @@ void getClientCredentialsTokenWithValidPassword(String clientId) throws Exceptio
     @ValueSource(strings = {
             "client_id_with_empty_password"
     })
-    void tryToGetTokenWithEmtpyPasswordSucceeds(String clientId) throws Exception {
+    void tryToGetTokenWithEmtpyPasswordMustFail(String clientId) throws Exception {
         mockMvc.perform(post("/oauth/token")
                 .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                 .accept(MediaType.APPLICATION_JSON)
                 .param("client_id", clientId)
                 .param("client_secret", "")
                 .param("grant_type", "client_credentials"))
-                .andExpect(status().isOk());
+                .andExpect(status().isBadRequest());
     }
 
     @ParameterizedTest