diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java
index ded933fe..da27b5e4 100644
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java
@@ -196,28 +196,26 @@ public final class OidcClientRegistrationAuthenticationProvider implements Authe
 }
 RegisteredClient registeredClient = this.registeredClientConverter.convert(clientRegistrationAuthentication.getClientRegistration());
- RegisteredClient.Builder registeredClientForDBBuilder = RegisteredClient.from(registeredClient);
- RegisteredClient.Builder registeredClientForResponseBuilder = RegisteredClient.from(registeredClient);
 if (StringUtils.hasText(registeredClient.getClientSecret())) {
 // Encode the client secret
- String encodedClientSecret = this.passwordEncoder.encode(registeredClient.getClientSecret());
- registeredClientForDBBuilder = registeredClientForDBBuilder
- .clientSecret(encodedClientSecret);
+ RegisteredClient updatedRegisteredClient = RegisteredClient.from(registeredClient)
+ .clientSecret(this.passwordEncoder.encode(registeredClient.getClientSecret()))
+ .build();
+ this.registeredClientRepository.save(updatedRegisteredClient);
 if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.getValue().equals(clientRegistrationAuthentication.getClientRegistration().getTokenEndpointAuthenticationMethod())) {
- registeredClientForResponseBuilder.clientSecret(encodedClientSecret);
+ // gh-1344 Return the hashed client_secret
+ registeredClient = updatedRegisteredClient;
 }
+ } else {
+ this.registeredClientRepository.save(registeredClient);
 }
- this.registeredClientRepository.save(registeredClientForDBBuilder.build());
-
- RegisteredClient registeredClientForResponse = registeredClientForResponseBuilder.build();
-
 if (this.logger.isTraceEnabled()) {
 this.logger.trace("Saved registered client");
 }
- OAuth2Authorization registeredClientAuthorization = registerAccessToken(registeredClientForResponse);
+ OAuth2Authorization registeredClientAuthorization = registerAccessToken(registeredClient);
 // Invalidate the "initial" access token as it can only be used once
 authorization = OidcAuthenticationProviderUtils.invalidate(authorization,
authorization.getAccessToken().getToken());
@@ -230,7 +228,7 @@ public final class OidcClientRegistrationAuthenticationProvider implements Authe
 this.logger.trace("Saved authorization with invalidated initial access token");
 }
- Map clientRegistrationClaims = this.clientRegistrationConverter.convert(registeredClientForResponse).getClaims();
+ Map clientRegistrationClaims = this.clientRegistrationConverter.convert(registeredClient).getClaims();
 OidcClientRegistration clientRegistration = OidcClientRegistration.withClaims(clientRegistrationClaims)
 .registrationAccessToken(registeredClientAuthorization.getAccessToken().getToken().getTokenValue())
 .build();
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcClientRegistrationTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcClientRegistrationTests.java
index f19861cf..0d1f6915 100644
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcClientRegistrationTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OidcClientRegistrationTests.java
@@ -402,6 +402,7 @@ public class OidcClientRegistrationTests {
 .andReturn();
 }
+ // gh-1344
 @Test
 public void requestWhenClientRegistersWithClientSecretJwtThenClientAuthenticationSuccess() throws Exception {
 this.spring.register(AuthorizationServerConfiguration.class).autowire();
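Review bot: The comment `// gh-1344 Return the hashed client_secret` in the CLIENT_SECRET_JWT branch says what is returned but not why, and the why is the security-relevant part: presumably the client must later sign its assertions with the stored (encoded) value, which makes that encoded string the effective credential for such clients, so the passwordEncoder gives them no at-rest protection. I would expand it to `// gh-1344 For client_secret_jwt the client must sign with the stored (encoded) secret, so return that instead of the plaintext;` followed by `// for these clients the encoded value is itself the credential`. The branch condition also reads the authentication method from the raw registration request rather than from the converted registeredClient; if the converter normalizes or defaults that value the two can disagree, so comparing against the converted client's authentication methods would be safer (hedged, since the converter is not in the hunk). The enclosing method starts and ends outside this hunk.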