gravitee-io · leleueri · Jan 30, 2025
@@ -53,10 +53,12 @@
 import io.reactivex.rxjava3.core.Completable;
 import io.reactivex.rxjava3.core.Maybe;
 import io.reactivex.rxjava3.core.Single;
+import lombok.Setter;
 import net.minidev.json.JSONArray;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 
 import java.time.Instant;
 import java.util.Date;
@@ -108,6 +110,10 @@ public class TokenServiceImpl implements TokenService {
     @Autowired
     private AuditService auditService;
 
+    @Setter
+    @Value("${handlers.oauth2.response.strict:false}")
+    private boolean strictResponse = false;
+
     @Override
     public Maybe<Token> getAccessToken(String token, Client client) {
         return jwtService.decodeAndVerify(token, client, ACCESS_TOKEN)
@@ -290,8 +296,7 @@ private Token convert(JWT accessToken, String encodedAccessToken, String encoded
         token.setExpiresIn(Instant.ofEpochSecond(accessToken.getExp()).minusMillis(System.currentTimeMillis()).getEpochSecond());
         token.setScope(accessToken.getScope());
         // set additional information
-
-        if (oAuth2Request.getAdditionalParameters() != null && !oAuth2Request.getAdditionalParameters().isEmpty()) {
+        if (!strictResponse && oAuth2Request.getAdditionalParameters() != null && !oAuth2Request.getAdditionalParameters().isEmpty()) {
             oAuth2Request.getAdditionalParameters().toSingleValueMap().entrySet().stream()
                     .filter(e -> !Token.getStandardParameters().contains(e.getKey()) && !e.getKey().equals(ID_TOKEN))
                     .forEach(e -> token.getAdditionalInformation().put(e.getKey(), e.getValue()));

@@ -85,7 +85,7 @@
 public class TokenServiceTest {
 
     @InjectMocks
-    private TokenService tokenService = new TokenServiceImpl();
+    private TokenServiceImpl tokenService = new TokenServiceImpl();
 
     @Mock
     private AccessTokenRepository accessTokenRepository;
@@ -122,20 +122,52 @@ public void after() {
     @Test
     public void shouldCreate() {
         OAuth2Request oAuth2Request = new OAuth2Request();
+        MultiValueMap<String, String> additionalParameters = new LinkedMultiValueMap<>();
+        additionalParameters.add("key", "value");
+        oAuth2Request.setAdditionalParameters(additionalParameters);
 
         Client client = new Client();
         client.setClientId("my-client-id");
 
         ExecutionContext executionContext = mock(ExecutionContext.class);
 
         when(jwtService.encode(any(), any(Client.class))).thenReturn(Single.just(""));
-        when(tokenEnhancer.enhance(any(), any(), any(), any(), any())).thenReturn(Single.just(new AccessToken("token-id")));
+        when(tokenEnhancer.enhance(any(), any(), any(), any(), any())).thenAnswer(ans -> Single.just(ans.getArgument(0)));
+        when(executionContextFactory.create(any())).thenReturn(executionContext);
+        doReturn(Completable.complete()).when(tokenManager).storeAccessToken(any());
+        TestObserver<Token> testObserver = tokenService.create(oAuth2Request, client, null).test();
+        testObserver.assertComplete();
+        testObserver.assertNoErrors();
+        testObserver.assertValue(token -> token.getAdditionalInformation().containsKey("key"));
+
+        verify(tokenManager, times(1)).storeAccessToken(any());
+        verify(accessTokenRepository, never()).delete(anyString());
+        verify(refreshTokenRepository, never()).delete(anyString());
+    }
+
+    @Test
+    public void shouldCreateWithoutAdditionalParameters() {
+        tokenService.setStrictResponse(true);
+        OAuth2Request oAuth2Request = new OAuth2Request();
+        MultiValueMap<String, String> additionalParameters = new LinkedMultiValueMap<>();
+        additionalParameters.add("key", "value");
+        oAuth2Request.setAdditionalParameters(additionalParameters);
+
+        Client client = new Client();
+        client.setClientId("my-client-id");
+
+        ExecutionContext executionContext = mock(ExecutionContext.class);
+
+        when(jwtService.encode(any(), any(Client.class))).thenReturn(Single.just(""));
+        when(tokenEnhancer.enhance(any(), any(), any(), any(), any())).thenAnswer(ans -> Single.just(ans.getArgument(0)));
         when(executionContextFactory.create(any())).thenReturn(executionContext);
         doReturn(Completable.complete()).when(tokenManager).storeAccessToken(any());
         TestObserver<Token> testObserver = tokenService.create(oAuth2Request, client, null).test();
         testObserver.assertComplete();
         testObserver.assertNoErrors();
 
+        testObserver.assertValue(token -> token.getAdditionalInformation().isEmpty());
+
         verify(tokenManager, times(1)).storeAccessToken(any());
         verify(accessTokenRepository, never()).delete(anyString());
         verify(refreshTokenRepository, never()).delete(anyString());
@@ -228,6 +260,7 @@ public void shouldCreateAccessTokenWithRefreshToken() {
         verify(refreshTokenRepository, never()).delete(anyString());
     }
 
+    @Test
     public void shouldCreate_withAudArray() {
         OAuth2Request oAuth2Request = new OAuth2Request();
         oAuth2Request.setClientId("my-client-id");
@@ -248,6 +281,12 @@ public void shouldCreate_withAudArray() {
 
         when(jwtService.encode(any(), any(Client.class))).thenReturn(Single.just(""));
         when(tokenEnhancer.enhance(any(), any(), any(), any(), any())).thenReturn(Single.just(new AccessToken("token-id")));
+        when(executionContextFactory.create(any())).thenReturn(executionContext);
+        doReturn(Completable.complete()).when(tokenManager).storeAccessToken(any());
+
+        TestObserver<Token> testObserver = tokenService.create(oAuth2Request, client, null).test();
+        testObserver.assertComplete();
+        testObserver.assertNoErrors();
 
         verify(jwtService).encode(argThat(jwt -> jwt.get(Claims.aud) instanceof List
                 && jwt.getAud().equals(((List)jwt.get(Claims.aud)).get(0))