Introduce WWWAuthenticateHeaderContext and customizer in BearerTokenAuthenticationEntryPoint

Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>

Author: Kehrlann

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationEntryPoint.java

@@ -18,6 +18,7 @@
 
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.function.Consumer;
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -31,6 +32,7 @@
 import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.util.UrlUtils;
+import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.web.util.UriComponentsBuilder;
 
@@ -51,6 +53,9 @@ public final class BearerTokenAuthenticationEntryPoint implements Authentication
 
 	private String realmName;
 
+	private Consumer<WWWAuthenticateHeaderContext> wwwAuthenticateHeaderContextCustomizer = (ctx) -> {
+	};
+
 	/**
 	 * Collect error details from the provided parameters and format according to RFC
 	 * 6750, specifically {@code error}, {@code error_description}, {@code error_uri}, and
@@ -84,6 +89,9 @@ public void commence(HttpServletRequest request, HttpServletResponse response,
 			}
 		}
 		parameters.put("resource_metadata", getResourceMetadataParameter(request));
+		WWWAuthenticateHeaderContext wwwAuthenticateHeaderContext = new WWWAuthenticateHeaderContext(parameters,
+				request, authException);
+		this.wwwAuthenticateHeaderContextCustomizer.accept(wwwAuthenticateHeaderContext);
 		String wwwAuthenticate = computeWWWAuthenticateHeaderValue(parameters);
 		response.addHeader(HttpHeaders.WWW_AUTHENTICATE, wwwAuthenticate);
 		response.setStatus(status.value());
@@ -97,6 +105,16 @@ public void setRealmName(String realmName) {
 		this.realmName = realmName;
 	}
 
+	/**
+	 * Sets the customizer for the {@link WWWAuthenticateHeaderContext}.
+	 * @param wwwAuthenticateHeaderContextCustomizer
+	 */
+	public void setWwwAuthenticateHeaderContextCustomizer(
+			Consumer<WWWAuthenticateHeaderContext> wwwAuthenticateHeaderContextCustomizer) {
+		Assert.notNull(wwwAuthenticateHeaderContextCustomizer, "wwwAuthenticateHeaderContextCustomizer cannot be null");
+		this.wwwAuthenticateHeaderContextCustomizer = wwwAuthenticateHeaderContextCustomizer;
+	}
+
 	private static String getResourceMetadataParameter(HttpServletRequest request) {
 		String path = request.getContextPath()
 				+ OAuth2ProtectedResourceMetadataFilter.DEFAULT_OAUTH2_PROTECTED_RESOURCE_METADATA_ENDPOINT_URI;

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/WWWAuthenticateHeaderContext.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.web;
+
+import java.util.Map;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+import org.springframework.security.core.AuthenticationException;
+
+/**
+ * A context that holds information to be set in a {@code WWW-Authenticate} header with a
+ * {@code Bearer} challenge. Only the parameters are mutable.
+ *
+ * @author Daniel Garnier-Moiroux
+ * @since 7.1
+ */
+public class WWWAuthenticateHeaderContext {
+
+	public final Map<String, String> parameters;
+
+	public final HttpServletRequest request;
+
+	public final AuthenticationException authenticationException;
+
+	public WWWAuthenticateHeaderContext(Map<String, String> parameters, HttpServletRequest request,
+			AuthenticationException authenticationException) {
+		this.parameters = parameters;
+		this.request = request;
+		this.authenticationException = authenticationException;
+	}
+
+	/**
+	 * The parameters to be set in the Bearer challenge of the WWW-Authenticate header.
+	 * @return
+	 */
+	public Map<String, String> getParameters() {
+		return this.parameters;
+	}
+
+	/**
+	 * The request which triggered the creation of the WWW-Authenticate header.
+	 * @return
+	 */
+	public HttpServletRequest getRequest() {
+		return this.request;
+	}
+
+	/**
+	 * The specific exception which triggered the creation of the WWW-Authenticate header.
+	 * @return
+	 */
+	public AuthenticationException getAuthenticationException() {
+		return this.authenticationException;
+	}
+
+}

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/BearerTokenAuthenticationEntryPointTests.java

@@ -28,6 +28,7 @@
 import org.springframework.security.oauth2.server.resource.BearerTokenErrorCodes;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 
 /**
  * Tests for {@link BearerTokenAuthenticationEntryPoint}.
@@ -164,9 +165,33 @@ public void commenceWhenInsufficientScopeAndRealmSetThenStatus403AndHeaderWithEr
 					+ "error_uri=\"https://example.com\", scope=\"test.read test.write\", resource_metadata=\"http://localhost/.well-known/oauth-protected-resource\"");
 	}
 
+	@Test
+	void commenceWhenWwwAuthenticateHeaderCustomizerSetThenHeaderWithCustomization() {
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		request.setAttribute("custom-attribute", "request-attribute");
+		this.authenticationEntryPoint.setWwwAuthenticateHeaderContextCustomizer((context) -> {
+			context.getParameters().put("req", context.getRequest().getAttribute("custom-attribute").toString());
+			context.getParameters().put("ex", context.getAuthenticationException().getMessage());
+		});
+
+		this.authenticationEntryPoint.commence(request, response, new BadCredentialsException("exception-message"));
+
+		assertThat(response.getStatus()).isEqualTo(401);
+		assertThat(response.getHeader("WWW-Authenticate"))
+			.isEqualTo("Bearer resource_metadata=\"http://localhost/.well-known/oauth-protected-resource\", "
+					+ "req=\"request-attribute\", ex=\"exception-message\"");
+	}
+
 	@Test
 	public void setRealmNameWhenNullRealmNameThenNoExceptionThrown() {
 		this.authenticationEntryPoint.setRealmName(null);
 	}
 
+	@Test
+	void setWwwAuthenticateHeaderCustomizerWhenNullThenThrows() {
+		assertThatExceptionOfType(IllegalArgumentException.class)
+			.isThrownBy(() -> this.authenticationEntryPoint.setWwwAuthenticateHeaderContextCustomizer(null));
+	}
+
 }