Add authentication validator for dynamic client registration

Signed-off-by: Kelvin Mbogo <addcontent08@gmail.com>

Author: addcontent

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2ClientRegistrationTests.java

@@ -79,6 +79,7 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2ClientRegistration;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientRegistrationAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientRegistrationAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientRegistrationAuthenticationValidator;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository.RegisteredClientParametersMapper;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
@@ -411,6 +412,102 @@ public void requestWhenClientRegistersWithSecretExpirationThenClientRegistration
 			.isCloseTo(expectedSecretExpiryDate, allowedDelta);
 	}
 
+	@Test
+	public void requestWhenProtocolRelativeRedirectUriThenBadRequest() throws Exception {
+		this.spring.register(DefaultValidatorConfiguration.class).autowire();
+		assertThat(requestWhenInvalidClientMetadataThenBadRequest("""
+				{
+				  "client_name": "client-name",
+				  "redirect_uris": ["//client.example.com/path"],
+				  "grant_types": ["authorization_code"]
+				}
+				""")).isEqualTo(HttpStatus.BAD_REQUEST.value());
+	}
+
+	@Test
+	public void requestWhenJavascriptSchemeRedirectUriThenBadRequest() throws Exception {
+		this.spring.register(DefaultValidatorConfiguration.class).autowire();
+		assertThat(requestWhenInvalidClientMetadataThenBadRequest("""
+				{
+				  "client_name": "client-name",
+				  "redirect_uris": ["javascript:alert(document.cookie)"],
+				  "grant_types": ["authorization_code"]
+				}
+				""")).isEqualTo(HttpStatus.BAD_REQUEST.value());
+	}
+
+	@Test
+	public void requestWhenDataSchemeRedirectUriThenBadRequest() throws Exception {
+		this.spring.register(DefaultValidatorConfiguration.class).autowire();
+		assertThat(requestWhenInvalidClientMetadataThenBadRequest("""
+				{
+				  "client_name": "client-name",
+				  "redirect_uris": ["data:text/html,<h1>content</h1>"],
+				  "grant_types": ["authorization_code"]
+				}
+				""")).isEqualTo(HttpStatus.BAD_REQUEST.value());
+	}
+
+	@Test
+	public void requestWhenHttpJwkSetUriThenBadRequest() throws Exception {
+		this.spring.register(DefaultValidatorConfiguration.class).autowire();
+		assertThat(requestWhenInvalidClientMetadataThenBadRequest("""
+				{
+				  "client_name": "client-name",
+				  "redirect_uris": ["https://client.example.com"],
+				  "grant_types": ["authorization_code"],
+				  "jwks_uri": "http://169.254.169.254/keys",
+				  "token_endpoint_auth_method": "private_key_jwt"
+				}
+				""")).isEqualTo(HttpStatus.BAD_REQUEST.value());
+	}
+
+	@Test
+	public void requestWhenArbitraryScopeThenBadRequest() throws Exception {
+		this.spring.register(DefaultValidatorConfiguration.class).autowire();
+		assertThat(requestWhenInvalidClientMetadataThenBadRequest("""
+				{
+				  "client_name": "client-name",
+				  "redirect_uris": ["https://client.example.com"],
+				  "grant_types": ["client_credentials"],
+				  "scope": "read write"
+				}
+				""")).isEqualTo(HttpStatus.BAD_REQUEST.value());
+	}
+
+	private int requestWhenInvalidClientMetadataThenBadRequest(String json) throws Exception {
+		String clientRegistrationScope = "client.create";
+		// @formatter:off
+		RegisteredClient clientRegistrar = RegisteredClient.withId("client-registrar-" + System.nanoTime())
+				.clientId("client-registrar-" + System.nanoTime())
+				.clientSecret("{noop}secret")
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
+				.scope(clientRegistrationScope)
+				.build();
+		// @formatter:on
+		this.registeredClientRepository.save(clientRegistrar);
+
+		MvcResult tokenResult = this.mvc
+			.perform(post(ISSUER.concat(DEFAULT_TOKEN_ENDPOINT_URI))
+				.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
+				.param(OAuth2ParameterNames.SCOPE, clientRegistrationScope)
+				.with(httpBasic(clientRegistrar.getClientId(), "secret")))
+			.andExpect(status().isOk())
+			.andReturn();
+		OAuth2AccessToken accessToken = readAccessTokenResponse(tokenResult.getResponse()).getAccessToken();
+
+		HttpHeaders httpHeaders = new HttpHeaders();
+		httpHeaders.setBearerAuth(accessToken.getTokenValue());
+
+		MvcResult registerResult = this.mvc
+			.perform(post(ISSUER.concat(DEFAULT_OAUTH2_CLIENT_REGISTRATION_ENDPOINT_URI)).headers(httpHeaders)
+				.contentType(MediaType.APPLICATION_JSON)
+				.content(json))
+			.andReturn();
+		return registerResult.getResponse().getStatus();
+	}
+
 	private OAuth2ClientRegistration registerClient(OAuth2ClientRegistration clientRegistration) throws Exception {
 		// ***** (1) Obtain the "initial" access token used for registering the client
 
@@ -496,6 +593,17 @@ private static OAuth2ClientRegistration readClientRegistrationResponse(MockHttpS
 		return clientRegistrationHttpMessageConverter.read(OAuth2ClientRegistration.class, httpResponse);
 	}
 
+	private static Consumer<List<AuthenticationProvider>> scopePermissiveValidatorCustomizer() {
+		return (authenticationProviders) -> authenticationProviders.forEach((authenticationProvider) -> {
+			if (authenticationProvider instanceof OAuth2ClientRegistrationAuthenticationProvider provider) {
+				provider.setAuthenticationValidator(
+						OAuth2ClientRegistrationAuthenticationValidator.DEFAULT_REDIRECT_URI_VALIDATOR
+							.andThen(OAuth2ClientRegistrationAuthenticationValidator.DEFAULT_JWK_SET_URI_VALIDATOR)
+							.andThen(OAuth2ClientRegistrationAuthenticationValidator.SIMPLE_SCOPE_VALIDATOR));
+			}
+		});
+	}
+
 	@EnableWebSecurity
 	@Configuration(proxyBeanMethods = false)
 	static class CustomClientRegistrationConfiguration extends AuthorizationServerConfiguration {
@@ -512,7 +620,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 													.clientRegistrationRequestConverter(authenticationConverter)
 													.clientRegistrationRequestConverters(authenticationConvertersConsumer)
 													.authenticationProvider(authenticationProvider)
-													.authenticationProviders(authenticationProvidersConsumer)
+													.authenticationProviders(scopePermissiveValidatorCustomizer().andThen(authenticationProvidersConsumer))
 													.clientRegistrationResponseHandler(authenticationSuccessHandler)
 													.errorResponseHandler(authenticationFailureHandler)
 									)
@@ -539,7 +647,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 							authorizationServer
 									.clientRegistrationEndpoint((clientRegistration) ->
 											clientRegistration
-													.authenticationProviders(configureClientRegistrationConverters())
+													.authenticationProviders(scopePermissiveValidatorCustomizer().andThen(configureClientRegistrationConverters()))
 									)
 					)
 					.authorizeHttpRequests((authorize) ->
@@ -577,7 +685,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 							authorizationServer
 									.clientRegistrationEndpoint((clientRegistration) ->
 											clientRegistration
-													.authenticationProviders(configureClientRegistrationConverters())
+													.authenticationProviders(scopePermissiveValidatorCustomizer().andThen(configureClientRegistrationConverters()))
 									)
 					)
 					.authorizeHttpRequests((authorize) ->
@@ -614,6 +722,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 									.clientRegistrationEndpoint((clientRegistration) ->
 											clientRegistration
 													.openRegistrationAllowed(true)
+													.authenticationProviders(scopePermissiveValidatorCustomizer())
 									)
 					)
 					.authorizeHttpRequests((authorize) ->
@@ -629,10 +738,13 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 
 	@EnableWebSecurity
 	@Configuration(proxyBeanMethods = false)
-	static class AuthorizationServerConfiguration {
+	static class DefaultValidatorConfiguration extends AuthorizationServerConfiguration {
 
+		// Override with Customizer.withDefaults() so the default (strict)
+		// OAuth2ClientRegistrationAuthenticationValidator is in effect.
 		// @formatter:off
 		@Bean
+		@Override
 		SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
 			http
 					.oauth2AuthorizationServer((authorizationServer) ->
@@ -646,6 +758,30 @@ SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) th
 		}
 		// @formatter:on
 
+	}
+
+	@EnableWebSecurity
+	@Configuration(proxyBeanMethods = false)
+	static class AuthorizationServerConfiguration {
+
+		// @formatter:off
+		@Bean
+		SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
+			http
+					.oauth2AuthorizationServer((authorizationServer) ->
+							authorizationServer
+									.clientRegistrationEndpoint((clientRegistration) ->
+											clientRegistration
+													.authenticationProviders(scopePermissiveValidatorCustomizer())
+									)
+					)
+					.authorizeHttpRequests((authorize) ->
+							authorize.anyRequest().authenticated()
+					);
+			return http.build();
+		}
+		// @formatter:on
+
 		@Bean
 		RegisteredClientRepository registeredClientRepository(JdbcOperations jdbcOperations) {
 			RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();