micronaut-projects · sdelamo · Nov 28, 2020
diff --git a/security-oauth2/src/main/java/io/micronaut/security/oauth2/routes/OauthRouteBuilder.java b/security-oauth2/src/main/java/io/micronaut/security/oauth2/routes/OauthRouteBuilder.java
@@ -29,6 +29,7 @@
 import io.micronaut.security.authentication.Authentication;
 import io.micronaut.security.oauth2.client.OauthClient;
 import io.micronaut.security.oauth2.client.OpenIdClient;
+import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
 import io.micronaut.security.oauth2.configuration.OauthConfiguration;
 import io.micronaut.security.oauth2.url.OauthRouteUrlBuilder;
 import io.micronaut.web.router.DefaultRouteBuilder;
@@ -37,6 +38,7 @@
 
 import javax.inject.Singleton;
 import java.util.List;
+import java.util.Optional;
 import java.util.concurrent.atomic.AtomicBoolean;
 
 /**
@@ -77,9 +79,17 @@ class OauthRouteBuilder extends DefaultRouteBuilder {
         } else {
             AtomicBoolean endSessionRegistered = new AtomicBoolean();
 
-            controllerList.forEach((controller) -> {
+            for (OauthController controller : controllerList) {
                 OauthClient client = controller.getClient();
                 String name = client.getName();
+
+                Optional<OauthClientConfiguration> oauthClientConfiguration = beanContext.findBean(OauthClientConfiguration.class, Qualifiers.byName(name));
+                if (oauthClientConfiguration.isPresent() && oauthClientConfiguration.get().getClientSecret() == null) {
+                    if (LOG.isDebugEnabled()) {
+                        LOG.debug("client {} does not define a client secret. Skipping registration of routes", name);
+                    }
+                    continue;
+                }
                 boolean isDefaultProvider = oauthConfiguration.getDefaultProvider().filter(provider -> provider.equals(name)).isPresent();
 
                 BeanDefinition<OauthController> bd = beanContext.getBeanDefinition(OauthController.class, Qualifiers.byName(name));
@@ -133,7 +143,7 @@ class OauthRouteBuilder extends DefaultRouteBuilder {
                         });
                     }
                 }
-            });
+            }
 
             if (!endSessionRegistered.get() && LOG.isDebugEnabled()) {
                 LOG.debug("Skipped registration of logout route. No openid clients found that support end session");

diff --git a/security-oauth2/src/test/groovy/io/micronaut/security/oauth2/ConfigurationFixture.groovy b/security-oauth2/src/test/groovy/io/micronaut/security/oauth2/ConfigurationFixture.groovy
@@ -28,13 +28,24 @@ trait ConfigurationFixture {
     }
 
     Map<String, Object> getOauth2ClientConfiguration() {
-        Map m = [
-                ("micronaut.security.oauth2.clients.${openIdClientName}.client-id".toString()): 'XXXX',
-                ("micronaut.security.oauth2.clients.${openIdClientName}.client-secret".toString()): 'YYYY',
-        ]
+        Map<String, Object> m = [:]
+        if (clientId) {
+           m["micronaut.security.oauth2.clients.${openIdClientName}.client-id".toString()] = clientId
+        }
+        if (clientSecret) {
+            m["micronaut.security.oauth2.clients.${openIdClientName}.client-secret".toString()] = 'YYYY'
+        }
         if (issuer != null) {
             m[("micronaut.security.oauth2.clients.${openIdClientName}.openid.issuer".toString())] = issuer
         }
         m
     }
+
+    String getClientId() {
+        'XXXX'
+    }
+
+    String getClientSecret() {
+        'YYYY'
+    }
 }
diff --git a/...rc/test/groovy/io/micronaut/security/oauth2/routes/NoClientSecretNoOauthRoutesSpec.groovy b/...rc/test/groovy/io/micronaut/security/oauth2/routes/NoClientSecretNoOauthRoutesSpec.groovy
@@ -0,0 +1,73 @@
+package io.micronaut.security.oauth2.routes
+
+import io.micronaut.security.oauth2.OpenIdMockEmbeddedServerSpecification
+import io.micronaut.web.router.RouteBuilder
+import spock.lang.Narrative
+import spock.lang.Shared
+import spock.lang.Unroll
+
+@Narrative('''
+For a config such as: 
+
+micronaut:
+  security:
+    oauth2:
+      clients:
+        foo:
+          client-id: 'XXX'
+          openid:
+            issuer: 'blababla'
+        bar:   
+          client-id: 'XXX'
+          client-secret: 'YYY'
+          openid:
+            issuer: 'blababla'
+
+Micronaut creates routes ('/oauth/callback/{name}','/oauth/login/{name}',) for OAuth 2.0 applications with a client secret.                      
+''')
+class NoClientSecretNoOauthRoutesSpec extends OpenIdMockEmbeddedServerSpecification {
+
+    @Shared
+    Set<String> paths = applicationContext.getBeansOfType(RouteBuilder).collect { it.uriRoutes }
+            .flatten()
+            .collect { it.uriMatchTemplate.toPathString() } as Set<String>
+
+    @Override
+    String getClientSecret() {
+        null
+    }
+
+    @Override
+    Map<String, Object> getConfiguration() {
+        super.configuration + [
+            "micronaut.security.oauth2.clients.bar.client-id": 'XXXX',
+            "micronaut.security.oauth2.clients.bar.client-secret": 'YYYY',
+            "micronaut.security.oauth2.clients.bar.openid.issuer": issuer
+        ]
+    }
+
+    @Unroll
+    void "#route is not registered because no client secret is specified for OAuth 2.0 application"(String route) {
+        expect:
+        paths.every { it != route }
+
+        where:
+        route << [
+                '/oauth/callback/foo',
+                '/oauth/login/foo',
+                '/oauth/logout']
+    }
+
+    @Unroll
+    void "#route is registered because client id and client secret are specified for OAuth 2.0 application"(String route) {
+        expect:
+        paths.any { it == route }
+
+        where:
+        route << [
+                '/oauth/callback/bar',
+                '/oauth/login/bar']
+    }
+
+
+}