Merge pull request #85 from prime-framework/lyle/add-additional-token-call-params

add additional token call params to BaseJWTRefreshTokenCookiesUserLoginSecurityContext

Author: lyleschemmerling

build.savant

@@ -29,7 +29,7 @@ logbackVersion = "1.4.14"
 slf4jVersion = "2.0.13"
 testngVersion = "7.8.0"
 
-project(group: "org.primeframework", name: "prime-mvc", version: "4.33.1", licenses: ["ApacheV2_0"]) {
+project(group: "org.primeframework", name: "prime-mvc", version: "4.34.0", licenses: ["ApacheV2_0"]) {
   workflow {
     fetch {
       // Dependency resolution order:

pom.xml

@@ -5,7 +5,7 @@
 
   <groupId>org.primeframework</groupId>
   <artifactId>prime-mvc</artifactId>
-  <version>4.33.1</version>
+  <version>4.34.0</version>
   <packaging>jar</packaging>
 
   <name>FusionAuth App</name>

src/main/java/org/primeframework/mvc/security/BaseJWTRefreshTokenCookiesUserLoginSecurityContext.java

@@ -288,6 +288,8 @@ private Tokens refreshJWT(Tokens tokens) {
       body.put("client_secret", List.of(oauthConfiguration.clientSecret));
     }
 
+    body.putAll(oauthConfiguration.additionalParameters);
+
     HttpRequest refreshRequest = requestBuilder.header(Headers.ContentType, ContentTypes.Form)
                                                .POST(new FormBodyPublisher(body))
                                                .build();

src/main/java/org/primeframework/mvc/security/oauth/OAuthConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2021-2025, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,12 +15,18 @@
  */
 package org.primeframework.mvc.security.oauth;
 
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
 import org.primeframework.mvc.util.Buildable;
 
 /**
  * @author Daniel DeGroff
  */
 public class OAuthConfiguration implements Buildable<OAuthConfiguration> {
+  public Map<String, List<String>> additionalParameters = new HashMap<>();
+
   public TokenAuthenticationMethod authenticationMethod = TokenAuthenticationMethod.client_secret_basic;
 
   public String clientId;

src/test/java/org/example/action/oauth/TokenAction.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021-2024, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2021-2025, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@
 
 import java.time.ZoneOffset;
 import java.time.ZonedDateTime;
+import java.util.HashMap;
+import java.util.Map;
 
 import com.google.inject.Inject;
 import io.fusionauth.http.server.HTTPRequest;
@@ -27,6 +29,7 @@
 import org.primeframework.mvc.action.result.annotation.JSON;
 import org.primeframework.mvc.content.json.annotation.JSONResponse;
 import org.primeframework.mvc.parameter.annotation.FieldName;
+import org.primeframework.mvc.parameter.annotation.UnknownParameters;
 import org.primeframework.mvc.security.MockOAuthUserLoginSecurityContext;
 import org.primeframework.mvc.security.oauth.RefreshResponse;
 import static org.example.action.oauth.LoginAction.Subject;
@@ -36,6 +39,9 @@
 @Action
 @JSON
 public class TokenAction {
+  @UnknownParameters
+  public static Map<String, String[]> UnknownParameters = new HashMap<>();
+
   @FieldName("client_id")
   public String clientId;
 
@@ -64,6 +70,7 @@ public String post() {
       case client_secret_basic -> assertEquals(httpRequest.getHeader("Authorization"), "Basic dGhlIGNsaWVudCBJRDp0aGUgY2xpZW50IHNlY3JldA==");
       case none -> assertTrue(true);
     }
+
     JWT jwt = new JWT();
     jwt.audience = "prime-tests";
     jwt.issuedAt = ZonedDateTime.now(ZoneOffset.UTC);

src/test/java/org/primeframework/mvc/JWTRefreshTokenLoginTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021-2024, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2021-2025, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,6 +15,9 @@
  */
 package org.primeframework.mvc;
 
+import java.util.List;
+import java.util.UUID;
+
 import com.codahale.metrics.MetricRegistry;
 import com.google.inject.AbstractModule;
 import com.google.inject.Injector;
@@ -24,6 +27,7 @@
 import io.fusionauth.http.server.HTTPRequest;
 import io.fusionauth.http.server.HTTPResponse;
 import io.fusionauth.http.server.HTTPServerConfiguration;
+import org.example.action.oauth.TokenAction;
 import org.primeframework.mvc.PrimeBaseTest.TestContentModule;
 import org.primeframework.mvc.PrimeBaseTest.TestMVCConfigurationModule;
 import org.primeframework.mvc.cors.CORSConfigurationProvider;
@@ -47,6 +51,8 @@
 import org.testng.annotations.BeforeClass;
 import org.testng.annotations.BeforeMethod;
 import org.testng.annotations.Test;
+import static org.testng.Assert.assertEquals;
+import static org.testng.Assert.assertTrue;
 
 /**
  * @author Brian Pontarelli
@@ -174,7 +180,6 @@ public void refreshTokenEndpointUp_auth_client_secret_basic() {
     MockOAuthUserLoginSecurityContext.clientSecret = "the client secret";
     MockOAuthUserLoginSecurityContext.ValidateJWTOnLogin = false;
     MockOAuthUserLoginSecurityContext.TokenEndpoint = "http://localhost:" + simulator.getPort() + "/oauth/token";
-
     // Setting 'expired: true' on the request just tells the Login action to create an expired JWT and store it in the LoginContext.
     // - So we expect this to succeed, but the login context wil now contain an expired JWT. This means it will be refreshed on first use.
     simulator.test("/oauth/login")
@@ -256,6 +261,36 @@ public void refreshTokenEndpointUp_no_auth() {
              .assertBodyContains("Logged in");
   }
 
+  @Test
+  public void refreshTokenEndpoint_additionalParameters() {
+    // The token action should get called with the additional parameters we configure on the security context.
+    var tenantId = new UUID(5, 0).toString();
+    MockOAuthUserLoginSecurityContext.additionalParameters.put("tenantId", List.of(tenantId));
+    MockOAuthUserLoginSecurityContext.TokenEndpoint = "http://localhost:" + simulator.getPort() + "/oauth/token";
+    MockOAuthUserLoginSecurityContext.ValidateJWTOnLogin = false;
+
+    // Setting 'expired: true' on the request just tells the Login action to create an expired JWT and store it in the LoginContext.
+    // - So we expect this to succeed, but the login context wil now contain an expired JWT. This means it will be refreshed on first use.
+    //
+    // The refresh action is what will call the token endpoint with the additional parameters.
+    simulator.test("/oauth/login")
+             .withParameter("expired", "true")
+             .post()
+             .assertStatusCode(200);
+
+    // The JWT in the security context was found to be expired on first use even though login succeeded.
+    // - This will have caused us to refresh the token, so this action should succeed.
+    simulator.test("/oauth/protected-resource")
+             .get()
+             .assertStatusCode(200)
+             .assertBodyContains("Logged in");
+
+    // Ensure that the tenantId was added to the request and caught in unknown parameters
+    // if additional parameters were sent, validate them
+    assertTrue(TokenAction.UnknownParameters.containsKey("tenantId"), "Missing tenantId in unknown parameters");
+    assertEquals(TokenAction.UnknownParameters.get("tenantId"), new String[]{tenantId}, "Mismatched tenantId in unknown parameters");
+  }
+
   public static class TestScopeModule extends AbstractModule {
     @Override
     protected void configure() {

src/test/java/org/primeframework/mvc/PrimeBaseTest.java

@@ -53,6 +53,7 @@
 import io.fusionauth.http.server.HTTPResponse;
 import io.fusionauth.http.server.HTTPServerConfiguration;
 import org.example.action.SecureAction;
+import org.example.action.oauth.TokenAction;
 import org.example.action.user.EditAction;
 import org.primeframework.mvc.action.ActionInvocation;
 import org.primeframework.mvc.action.ExecuteMethodConfiguration;
@@ -79,6 +80,7 @@
 import org.primeframework.mvc.security.CBCCipherProvider;
 import org.primeframework.mvc.security.CipherProvider;
 import org.primeframework.mvc.security.GCMCipherProvider;
+import org.primeframework.mvc.security.MockOAuthUserLoginSecurityContext;
 import org.primeframework.mvc.security.MockStaticClasspathResourceFilter;
 import org.primeframework.mvc.security.MockStaticResourceFilter;
 import org.primeframework.mvc.security.MockUserLoginSecurityContext;
@@ -200,6 +202,9 @@ public void beforeMethod() {
     MockUserLoginSecurityContext.roles.clear();
     MockUserLoginSecurityContext.currentUser = null;
 
+    // clear any additional params set in the MockOAuthUserLoginSecurityContext
+    MockOAuthUserLoginSecurityContext.additionalParameters.clear();
+
     // Reset CSRF configuration
     configuration.csrfEnabled = false;
 
@@ -219,6 +224,7 @@ public void beforeMethod() {
     // Reset
     EditAction.getCalled = false;
     SecureAction.UnknownParameters.clear();
+    TokenAction.UnknownParameters.clear();
 
     TestUnhandledExceptionHandler.reset();
 

src/test/java/org/primeframework/mvc/security/MockOAuthUserLoginSecurityContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2023, Inversoft Inc., All Rights Reserved
+ * Copyright (c) 2016-2025, Inversoft Inc., All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,8 +15,12 @@
  */
 package org.primeframework.mvc.security;
 
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
 import java.util.Set;
+import java.util.UUID;
 
 import com.google.inject.Inject;
 import io.fusionauth.http.server.HTTPRequest;
@@ -37,6 +41,8 @@ public class MockOAuthUserLoginSecurityContext extends BaseJWTRefreshTokenCookie
 
   public static boolean ValidateJWTOnLogin = true;
 
+  public static Map<String, List<String>> additionalParameters = new HashMap<>();
+
   public static String clientId;
 
   public static String clientSecret;
@@ -95,7 +101,8 @@ protected OAuthConfiguration oauthConfiguration() {
     return new OAuthConfiguration().with(c -> c.authenticationMethod = tokenAuthenticationMethod)
                                    .with(c -> c.clientId = clientId)
                                    .with(c -> c.clientSecret = clientSecret)
-                                   .with(c -> c.tokenEndpoint = TokenEndpoint);
+                                   .with(c -> c.tokenEndpoint = TokenEndpoint)
+                                   .with(c -> c.additionalParameters.putAll(additionalParameters));
   }
 
   @Override