UserInfoTokenServices should not throw UserRedirectRequiredException

It can just catch all exceptions from the remote /user endpoint because in a resource server it needs to throw `InvalidTokenException` and in an SSO setting it will never be called. Fixes spring-projectsgh-3205
grwoodw · Jun 11, 2015 · 462c5f2 · 462c5f2
1 parent 34e4163
commit 462c5f2
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 10 deletions.
diff --git a/...rg/springframework/boot/autoconfigure/security/oauth2/resource/UserInfoTokenServices.java b/...rg/springframework/boot/autoconfigure/security/oauth2/resource/UserInfoTokenServices.java
@@ -16,6 +16,7 @@
 
 package org.springframework.boot.autoconfigure.security.oauth2.resource;
 
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
@@ -109,16 +110,23 @@ public OAuth2AccessToken readAccessToken(String accessToken) {
 	@SuppressWarnings({ "unchecked" })
 	private Map<String, Object> getMap(String path, String accessToken) {
 		this.logger.info("Getting user info from: " + path);
-		OAuth2RestOperations restTemplate = this.restTemplate;
-		if (restTemplate == null) {
-			BaseOAuth2ProtectedResourceDetails resource = new BaseOAuth2ProtectedResourceDetails();
-			resource.setClientId(this.clientId);
-			restTemplate = new OAuth2RestTemplate(resource);
+		try {
+			OAuth2RestOperations restTemplate = this.restTemplate;
+			if (restTemplate == null) {
+				BaseOAuth2ProtectedResourceDetails resource = new BaseOAuth2ProtectedResourceDetails();
+				resource.setClientId(this.clientId);
+				restTemplate = new OAuth2RestTemplate(resource);
+			}
+			DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(accessToken);
+			token.setTokenType(this.tokenType);
+			restTemplate.getOAuth2ClientContext().setAccessToken(token);
+			return restTemplate.getForEntity(path, Map.class).getBody();
+		}
+		catch (Exception e) {
+			this.logger.info("Could not fetch user details: " + e.getClass() + ", "
+					+ e.getMessage());
+			return Collections.<String, Object> singletonMap("error",
+					"Could not fetch user details");
 		}
-		DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(accessToken);
-		token.setTokenType(this.tokenType);
-		restTemplate.getOAuth2ClientContext().setAccessToken(token);
-		return restTemplate.getForEntity(path, Map.class).getBody();
 	}
-
 }
diff --git a/...ringframework/boot/autoconfigure/security/oauth2/resource/UserInfoTokenServicesTests.java b/...ringframework/boot/autoconfigure/security/oauth2/resource/UserInfoTokenServicesTests.java
@@ -15,17 +15,22 @@
  */
 package org.springframework.boot.autoconfigure.security.oauth2.resource;
 
+import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.Map;
 
 import org.junit.Before;
+import org.junit.Rule;
 import org.junit.Test;
+import org.junit.rules.ExpectedException;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.oauth2.client.OAuth2ClientContext;
 import org.springframework.security.oauth2.client.OAuth2RestOperations;
 import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails;
+import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
+import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
 
 import static org.junit.Assert.assertEquals;
 import static org.mockito.BDDMockito.given;
@@ -39,6 +44,9 @@
  */
 public class UserInfoTokenServicesTests {
 
+	@Rule
+	public ExpectedException expected = ExpectedException.none();
+
 	private UserInfoTokenServices services = new UserInfoTokenServices(
 			"http://example.com", "foo");
 
@@ -67,6 +75,17 @@ public void sunnyDay() {
 		assertEquals("unknown", this.services.loadAuthentication("FOO").getName());
 	}
 
+	@SuppressWarnings("unchecked")
+	@Test
+	public void badToken() {
+		this.services.setRestTemplate(this.template);
+		given(this.template.getForEntity(any(String.class), any(Class.class))).willThrow(
+				new UserRedirectRequiredException("foo:bar", Collections
+						.<String, String> emptyMap()));
+		this.expected.expect(InvalidTokenException.class);
+		assertEquals("unknown", this.services.loadAuthentication("FOO").getName());
+	}
+
 	@Test
 	public void userId() {
 		this.map.put("userid", "spencer");