Add property defaults for Spring Authorization Server

See gh-35460

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java

@@ -97,37 +97,37 @@ public static class Endpoint {
 		/**
 		 * Authorization Server's OAuth 2.0 Authorization Endpoint.
 		 */
-		private String authorizationUri;
+		private String authorizationUri = "/oauth2/authorize";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Device Authorization Endpoint.
 		 */
-		private String deviceAuthorizationUri;
+		private String deviceAuthorizationUri = "/oauth2/device_authorization";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Device Verification Endpoint.
 		 */
-		private String deviceVerificationUri;
+		private String deviceVerificationUri = "/oauth2/device_verification";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Token Endpoint.
 		 */
-		private String tokenUri;
+		private String tokenUri = "/oauth2/token";
 
 		/**
 		 * Authorization Server's JWK Set Endpoint.
 		 */
-		private String jwkSetUri;
+		private String jwkSetUri = "/oauth2/jwks";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Token Revocation Endpoint.
 		 */
-		private String tokenRevocationUri;
+		private String tokenRevocationUri = "/oauth2/revoke";
 
 		/**
 		 * Authorization Server's OAuth 2.0 Token Introspection Endpoint.
 		 */
-		private String tokenIntrospectionUri;
+		private String tokenIntrospectionUri = "/oauth2/introspect";
 
 		/**
 		 * OpenID Connect 1.0 endpoints.
@@ -205,17 +205,17 @@ public static class OidcEndpoint {
 		/**
 		 * Authorization Server's OpenID Connect 1.0 Logout Endpoint.
 		 */
-		private String logoutUri;
+		private String logoutUri = "/connect/logout";
 
 		/**
 		 * Authorization Server's OpenID Connect 1.0 Client Registration Endpoint.
 		 */
-		private String clientRegistrationUri;
+		private String clientRegistrationUri = "/connect/register";
 
 		/**
 		 * Authorization Server's OpenID Connect 1.0 UserInfo Endpoint.
 		 */
-		private String userInfoUri;
+		private String userInfoUri = "/userinfo";
 
 		public String getLogoutUri() {
 			return this.logoutUri;
@@ -258,12 +258,12 @@ public static class Client {
 		 * Whether the client is required to provide a proof key challenge and verifier
 		 * when performing the Authorization Code Grant flow.
 		 */
-		private boolean requireProofKey;
+		private boolean requireProofKey = false;
 
 		/**
 		 * Whether authorization consent is required when the client requests access.
 		 */
-		private boolean requireAuthorizationConsent;
+		private boolean requireAuthorizationConsent = false;
 
 		/**
 		 * URL for the client's JSON Web Key Set.
@@ -444,17 +444,17 @@ public static class Token {
 		/**
 		 * Time-to-live for an authorization code.
 		 */
-		private Duration authorizationCodeTimeToLive;
+		private Duration authorizationCodeTimeToLive = Duration.ofMinutes(5);
 
 		/**
 		 * Time-to-live for an access token.
 		 */
-		private Duration accessTokenTimeToLive;
+		private Duration accessTokenTimeToLive = Duration.ofMinutes(5);
 
 		/**
 		 * Token format for an access token.
 		 */
-		private String accessTokenFormat;
+		private String accessTokenFormat = "self-contained";
 
 		/**
 		 * Time-to-live for a device code.
@@ -465,17 +465,17 @@ public static class Token {
 		 * Whether refresh tokens are reused or a new refresh token is issued when
 		 * returning the access token response.
 		 */
-		private boolean reuseRefreshTokens;
+		private boolean reuseRefreshTokens = true;
 
 		/**
 		 * Time-to-live for a refresh token.
 		 */
-		private Duration refreshTokenTimeToLive;
+		private Duration refreshTokenTimeToLive = Duration.ofMinutes(60);
 
 		/**
 		 * JWS algorithm for signing the ID Token.
 		 */
-		private String idTokenSignatureAlgorithm;
+		private String idTokenSignatureAlgorithm = "RS256";
 
 		public Duration getAuthorizationCodeTimeToLive() {
 			return this.authorizationCodeTimeToLive;

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesTests.java

@@ -18,6 +18,8 @@
 
 import org.junit.jupiter.api.Test;
 
+import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
+import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -73,9 +75,53 @@ void authorizationGrantTypesEmptyThrowsException() {
 	}
 
 	@Test
-	void defaultDeviceCodeTimeToLiveMatchesBuilderDefault() {
-		assertThat(new OAuth2AuthorizationServerProperties.Client().getToken().getDeviceCodeTimeToLive())
-			.isEqualTo(TokenSettings.builder().build().getDeviceCodeTimeToLive());
+	void defaultEndpointPropertiesMatchBuilderDefaults() {
+		OAuth2AuthorizationServerProperties.Endpoint endpoint = new OAuth2AuthorizationServerProperties.Endpoint();
+		AuthorizationServerSettings authorizationServerSettings = AuthorizationServerSettings.builder().build();
+		assertThat(endpoint.getAuthorizationUri()).isEqualTo(authorizationServerSettings.getAuthorizationEndpoint());
+		assertThat(endpoint.getDeviceAuthorizationUri())
+			.isEqualTo(authorizationServerSettings.getDeviceAuthorizationEndpoint());
+		assertThat(endpoint.getDeviceVerificationUri())
+			.isEqualTo(authorizationServerSettings.getDeviceVerificationEndpoint());
+		assertThat(endpoint.getTokenUri()).isEqualTo(authorizationServerSettings.getTokenEndpoint());
+		assertThat(endpoint.getJwkSetUri()).isEqualTo(authorizationServerSettings.getJwkSetEndpoint());
+		assertThat(endpoint.getTokenRevocationUri())
+			.isEqualTo(authorizationServerSettings.getTokenRevocationEndpoint());
+		assertThat(endpoint.getTokenIntrospectionUri())
+			.isEqualTo(authorizationServerSettings.getTokenIntrospectionEndpoint());
+
+		OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoint.getOidc();
+		assertThat(oidc.getLogoutUri()).isEqualTo(authorizationServerSettings.getOidcLogoutEndpoint());
+		assertThat(oidc.getClientRegistrationUri())
+			.isEqualTo(authorizationServerSettings.getOidcClientRegistrationEndpoint());
+		assertThat(oidc.getUserInfoUri()).isEqualTo(authorizationServerSettings.getOidcUserInfoEndpoint());
+	}
+
+	@Test
+	void defaultClientPropertiesMatchBuilderDefaults() {
+		OAuth2AuthorizationServerProperties.Client client = new OAuth2AuthorizationServerProperties.Client();
+		ClientSettings clientSettings = ClientSettings.builder().build();
+		assertThat(client.isRequireProofKey()).isEqualTo(clientSettings.isRequireProofKey());
+		assertThat(client.isRequireAuthorizationConsent()).isEqualTo(clientSettings.isRequireAuthorizationConsent());
+		assertThat(client.getJwkSetUri()).isEqualTo(clientSettings.getJwkSetUrl());
+		if (clientSettings.getTokenEndpointAuthenticationSigningAlgorithm() != null) {
+			assertThat(client.getTokenEndpointAuthenticationSigningAlgorithm())
+				.isEqualTo(clientSettings.getTokenEndpointAuthenticationSigningAlgorithm().getName());
+		}
+	}
+
+	@Test
+	void defaultTokenPropertiesMatchBuilderDefaults() {
+		OAuth2AuthorizationServerProperties.Token token = new OAuth2AuthorizationServerProperties.Token();
+		TokenSettings tokenSettings = TokenSettings.builder().build();
+		assertThat(token.getAuthorizationCodeTimeToLive()).isEqualTo(tokenSettings.getAuthorizationCodeTimeToLive());
+		assertThat(token.getAccessTokenTimeToLive()).isEqualTo(tokenSettings.getAccessTokenTimeToLive());
+		assertThat(token.getAccessTokenFormat()).isEqualTo(tokenSettings.getAccessTokenFormat().getValue());
+		assertThat(token.getDeviceCodeTimeToLive()).isEqualTo(tokenSettings.getDeviceCodeTimeToLive());
+		assertThat(token.isReuseRefreshTokens()).isEqualTo(tokenSettings.isReuseRefreshTokens());
+		assertThat(token.getRefreshTokenTimeToLive()).isEqualTo(tokenSettings.getRefreshTokenTimeToLive());
+		assertThat(token.getIdTokenSignatureAlgorithm())
+			.isEqualTo(tokenSettings.getIdTokenSignatureAlgorithm().getName());
 	}
 
 }