Support Pushed Authorize Requests (PAR) (#534)

Author: jimmyjames

src/main/java/com/auth0/client/auth/AuthAPI.java

@@ -14,6 +14,7 @@
 
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 
 /**
@@ -218,6 +219,56 @@ public AuthorizeUrlBuilder authorizeUrl(String redirectUri) {
         return AuthorizeUrlBuilder.newInstance(baseUrl, clientId, redirectUri);
     }
 
+    /**
+     * Builds an authorization URL for Pushed Authorization Requests (PAR)
+     * @param requestUri the {@code request_uri} parameter from a successful pushed authorization request.
+     * @see AuthAPI#pushedAuthorizationRequest(String, String, Map)
+     * @see <a href="https://www.rfc-editor.org/rfc/rfc9126.html">RFC 9126</a>
+     * @return the {@code request_uri} from a successful pushed authorization request.
+     */
+    public String authorizeUrlWithPAR(String requestUri) {
+        Asserts.assertNotNull(requestUri, "request uri");
+        return baseUrl
+            .newBuilder()
+            .addPathSegment("authorize")
+            .addQueryParameter("client_id", clientId)
+            .addQueryParameter("request_uri", requestUri)
+            .build()
+            .toString();
+    }
+
+    /**
+     * Builds a request to make a Pushed Authorization Request (PAR) to receive a {@code request_uri} to send to the {@code /authorize} endpoint.
+     * @param redirectUri the URL to redirect to after authorization has been granted by the user. Your Auth0 application
+     *                    must have this URL as one of its Allowed Callback URLs. Must be a valid non-encoded URL.
+     * @param responseType the response type to set. Must not be null.
+     * @param params an optional map of key/value pairs representing any additional parameters to send on the request.
+     * @see <a href="https://www.rfc-editor.org/rfc/rfc9126.html">RFC 9126</a>
+     * @return a request to execute.
+     */
+    public Request<PushedAuthorizationResponse> pushedAuthorizationRequest(String redirectUri, String responseType, Map<String, String> params) {
+        Asserts.assertValidUrl(redirectUri, "redirect uri");
+        Asserts.assertNotNull(responseType, "response type");
+
+        String url = baseUrl
+            .newBuilder()
+            .addPathSegments("oauth/par")
+            .build()
+            .toString();
+
+        FormBodyRequest<PushedAuthorizationResponse> request = new FormBodyRequest<>(client, null, url, HttpMethod.POST, new TypeReference<PushedAuthorizationResponse>() {});
+        request.addParameter("client_id", clientId);
+        request.addParameter("redirect_uri", redirectUri);
+        request.addParameter("response_type", responseType);
+        if (Objects.nonNull(this.clientSecret)) {
+            request.addParameter("client_secret", clientSecret);
+        }
+        if (params != null) {
+            params.forEach(request::addParameter);
+        }
+        return request;
+    }
+
     /**
      * Creates an instance of the {@link LogoutUrlBuilder} with the given return-to url.
      * i.e.:

src/main/java/com/auth0/json/auth/PushedAuthorizationResponse.java

@@ -0,0 +1,33 @@
+package com.auth0.json.auth;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Represents the response from a Pushed Authorization Request (PAR).
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class PushedAuthorizationResponse {
+
+    @JsonProperty("request_uri")
+    private String requestURI;
+    @JsonProperty("expires_in")
+    private Integer expiresIn;
+
+    @JsonCreator
+    public PushedAuthorizationResponse(@JsonProperty("request_uri") String requestURI, @JsonProperty("expires_in") Integer expiresIn) {
+        this.requestURI = requestURI;
+        this.expiresIn = expiresIn;
+    }
+
+    public String getRequestURI() {
+        return requestURI;
+    }
+
+    public Integer getExpiresIn() {
+        return expiresIn;
+    }
+}

src/main/java/com/auth0/json/mgmt/client/Client.java

@@ -92,6 +92,8 @@ public class Client {
     private String crossOriginLoc;
     @JsonProperty("client_authentication_methods")
     private ClientAuthenticationMethods clientAuthenticationMethods;
+    @JsonProperty("require_pushed_authorization_requests")
+    private Boolean requiresPushedAuthorizationRequests;
 
     /**
      * Getter for the name of the tenant this client belongs to.
@@ -803,5 +805,20 @@ public void setClientAuthenticationMethods(ClientAuthenticationMethods clientAut
     public ClientAuthenticationMethods getClientAuthenticationMethods() {
         return clientAuthenticationMethods;
     }
+
+    /**
+     * @return whether this client requires pushed authorization requests or not.
+     */
+    public Boolean getRequiresPushedAuthorizationRequests() {
+        return requiresPushedAuthorizationRequests;
+    }
+
+    /**
+     * Sets whether the client requires pushed authorization requests or not.
+     * @param requiresPushedAuthorizationRequests true if the client should require pushed authorization requests, false if not.
+     */
+    public void setRequiresPushedAuthorizationRequests(Boolean requiresPushedAuthorizationRequests) {
+        this.requiresPushedAuthorizationRequests = requiresPushedAuthorizationRequests;
+    }
 }
 

src/main/java/com/auth0/net/BaseRequest.java

@@ -118,6 +118,9 @@ protected T readResponseBody(Auth0HttpResponse response) throws IOException {
         return mapper.readValue(payload, tType);
     }
 
+    protected Map<String, Object> getParameters() {
+        return this.parameters;
+    }
     /**
      * Executes this request.
      *

src/main/java/com/auth0/net/FormBodyRequest.java

@@ -0,0 +1,40 @@
+package com.auth0.net;
+
+import com.auth0.client.mgmt.TokenProvider;
+import com.auth0.json.ObjectMapperProvider;
+import com.auth0.json.auth.PushedAuthorizationResponse;
+import com.auth0.net.client.*;
+import com.auth0.utils.Asserts;
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import okhttp3.FormBody;
+import okhttp3.RequestBody;
+
+import java.io.IOException;
+
+/**
+ * Represents a form request.
+ * @param <T> The type expected to be received as part of the response.
+ */
+public class FormBodyRequest<T> extends BaseRequest<T> {
+
+    private static final String CONTENT_TYPE_FORM_DATA = "application/x-www-form-urlencoded";
+
+    FormBodyRequest(Auth0HttpClient client, TokenProvider tokenProvider, String url, HttpMethod method, ObjectMapper mapper, TypeReference<T> tType) {
+        super(client, tokenProvider, url, method, mapper, tType);
+    }
+
+    public FormBodyRequest(Auth0HttpClient client, TokenProvider tokenProvider, String url, HttpMethod method, TypeReference<T> tType) {
+        this(client, tokenProvider, url, method, ObjectMapperProvider.getMapper(), tType);
+    }
+
+    @Override
+    protected HttpRequestBody createRequestBody() throws IOException {
+        return HttpRequestBody.create(CONTENT_TYPE_FORM_DATA, new Auth0FormRequestBody(super.getParameters()));
+    }
+
+    @Override
+    protected String getContentType() {
+        return CONTENT_TYPE_FORM_DATA;
+    }
+}

src/main/java/com/auth0/net/client/Auth0FormRequestBody.java

@@ -0,0 +1,19 @@
+package com.auth0.net.client;
+
+import java.util.Map;
+
+/**
+ * Represents the body of a application/x-www-form-urlencoded request
+ */
+public class Auth0FormRequestBody {
+
+    private final Map<String, Object> params;
+
+    public Auth0FormRequestBody(Map<String, Object> params) {
+        this.params = params;
+    }
+
+    public Map<String, Object> getParams() {
+        return params;
+    }
+}

src/main/java/com/auth0/net/client/DefaultHttpClient.java

@@ -161,7 +161,16 @@ private RequestBody addBody(Auth0HttpRequest request) {
         HttpRequestBody body = request.getBody();
         RequestBody okBody;
 
-        if (Objects.nonNull(body.getMultipartRequestBody())) {
+        if (Objects.nonNull(body.getFormRequestBody())) {
+            Auth0FormRequestBody formData = body.getFormRequestBody();
+            FormBody.Builder builder = new FormBody.Builder();
+            for (Map.Entry<String, Object> entry : formData.getParams().entrySet()) {
+                Object val = entry.getValue();
+                builder.add(entry.getKey(), val instanceof String ? (String) val : val.toString());
+            }
+            okBody = builder.build();
+        }
+        else if (Objects.nonNull(body.getMultipartRequestBody())) {
             Auth0MultipartRequestBody multipartRequestBody = body.getMultipartRequestBody();
             MultipartBody.Builder bodyBuilder = new MultipartBody.Builder()
                 .setType(MultipartBody.FORM);

src/main/java/com/auth0/net/client/HttpRequestBody.java

@@ -5,6 +5,7 @@ public class HttpRequestBody {
     private byte[] content;
     private String contentType;
     private Auth0MultipartRequestBody multipartRequestBody;
+    private Auth0FormRequestBody formRequestBody;
 
     public static HttpRequestBody create(String contentType, byte[] content) {
         return new HttpRequestBody(contentType, content);
@@ -14,6 +15,10 @@ public static HttpRequestBody create(String contentType, Auth0MultipartRequestBo
         return new HttpRequestBody(contentType, multipartRequestBody);
     }
 
+    public static HttpRequestBody create(String contentType, Auth0FormRequestBody formRequestBody) {
+        return new HttpRequestBody(contentType, formRequestBody);
+    }
+
     public byte[] getContent() {
         return this.content;
     }
@@ -22,6 +27,10 @@ public Auth0MultipartRequestBody getMultipartRequestBody() {
         return this.multipartRequestBody;
     }
 
+    public Auth0FormRequestBody getFormRequestBody() {
+        return this.formRequestBody;
+    }
+
     public String getContentType() {
         return this.contentType;
     }
@@ -35,4 +44,9 @@ private HttpRequestBody(String contentType, Auth0MultipartRequestBody multipartR
         this.contentType = contentType;
         this.multipartRequestBody = multipartRequestBody;
     }
+
+    private HttpRequestBody(String contentType, Auth0FormRequestBody formRequestBody) {
+        this.contentType = contentType;
+        this.formRequestBody = formRequestBody;
+    }
 }

src/test/java/com/auth0/client/MockServer.java

@@ -108,6 +108,7 @@ public class MockServer {
     public static final String MULTIPART_SAMPLE = "src/test/resources/mgmt/multipart_sample.json";
     public static final String PASSWORDLESS_EMAIL_RESPONSE = "src/test/resources/auth/passwordless_email.json";
     public static final String PASSWORDLESS_SMS_RESPONSE = "src/test/resources/auth/passwordless_sms.json";
+    public static final String PUSHED_AUTHORIZATION_RESPONSE = "src/test/resources/auth/pushed_authorization_response.json";
     public static final String AUTHENTICATOR_METHOD_BY_ID = "src/test/resources/mgmt/authenticator_method_by_id.json";
     public static final String AUTHENTICATOR_METHOD_CREATE = "src/test/resources/mgmt/authenticator_method_create.json";
     public static final String AUTHENTICATOR_METHOD_LIST = "src/test/resources/mgmt/authenticator_method_list.json";

src/test/java/com/auth0/client/auth/AuthAPITest.java

@@ -1580,6 +1580,113 @@ public void shouldNotAddAnyParamsIfNoSecretOrAssertion() throws Exception {
         assertThat(response.getExpiresIn(), is(notNullValue()));
     }
 
+    @Test
+    public void authorizeUrlWithPARShouldThrowWhenRequestUriNull() {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("'request uri' cannot be null!");
+        api.authorizeUrlWithPAR(null);
+    }
+
+    @Test
+    public void shouldBuildAuthorizeUrlWithPAR() {
+        AuthAPI api = AuthAPI.newBuilder("domain.auth0.com", CLIENT_ID, CLIENT_SECRET).build();
+        String url = api.authorizeUrlWithPAR("urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2");
+        assertThat(url, is(notNullValue()));
+        assertThat(url, isUrl("https", "domain.auth0.com", "/authorize"));
+
+        assertThat(url, hasQueryParameter("request_uri", "urn:example:bwc4JK-ESC0w8acc191e-Y1LTC2"));
+        assertThat(url, hasQueryParameter("client_id", CLIENT_ID));
+    }
+
+    @Test
+    public void pushedAuthorizationRequestShouldThrowWhenRedirectUriIsNull() {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("'redirect uri' must be a valid URL!");
+        api.pushedAuthorizationRequest(null, "code", Collections.emptyMap());
+    }
+
+    @Test
+    public void pushedAuthorizationRequestShouldThrowWhenResponseTypeIsNull() {
+        exception.expect(IllegalArgumentException.class);
+        exception.expectMessage("'response type' cannot be null!");
+        api.pushedAuthorizationRequest("https://domain.com/callback", null, Collections.emptyMap());
+    }
+
+    @Test
+    public void shouldCreatePushedAuthorizationRequestWithNullAdditionalParams() throws Exception {
+        Request<PushedAuthorizationResponse> request = api.pushedAuthorizationRequest("https://domain.com/callback", "code", null);
+        assertThat(request, is(notNullValue()));
+
+        server.jsonResponse(PUSHED_AUTHORIZATION_RESPONSE, 200);
+        PushedAuthorizationResponse response = request.execute().getBody();
+        RecordedRequest recordedRequest = server.takeRequest();
+
+        assertThat(recordedRequest, hasMethodAndPath(HttpMethod.POST, "/oauth/par"));
+        assertThat(recordedRequest, hasHeader("Content-Type", "application/x-www-form-urlencoded"));
+
+        String body = readFromRequest(recordedRequest);
+        assertThat(body, containsString("client_id=" + CLIENT_ID));
+        assertThat(body, containsString("redirect_uri=" + "https%3A%2F%2Fdomain.com%2Fcallback"));
+        assertThat(body, containsString("response_type=" + "code"));
+        assertThat(body, containsString("client_secret=" + CLIENT_SECRET));
+
+        assertThat(response, is(notNullValue()));
+        assertThat(response.getRequestURI(), not(emptyOrNullString()));
+        assertThat(response.getExpiresIn(), notNullValue());
+    }
+
+    @Test
+    public void shouldCreatePushedAuthorizationRequestWithAdditionalParams() throws Exception {
+        Map<String, String> additionalParams = new HashMap<>();
+        additionalParams.put("audience", "aud");
+        additionalParams.put("connection", "conn");
+        Request<PushedAuthorizationResponse> request = api.pushedAuthorizationRequest("https://domain.com/callback", "code", additionalParams);
+        assertThat(request, is(notNullValue()));
+
+        server.jsonResponse(PUSHED_AUTHORIZATION_RESPONSE, 200);
+        PushedAuthorizationResponse response = request.execute().getBody();
+        RecordedRequest recordedRequest = server.takeRequest();
+
+        assertThat(recordedRequest, hasMethodAndPath(HttpMethod.POST, "/oauth/par"));
+        assertThat(recordedRequest, hasHeader("Content-Type", "application/x-www-form-urlencoded"));
+
+        String body = readFromRequest(recordedRequest);
+        assertThat(body, containsString("client_id=" + CLIENT_ID));
+        assertThat(body, containsString("redirect_uri=" + "https%3A%2F%2Fdomain.com%2Fcallback"));
+        assertThat(body, containsString("response_type=" + "code"));
+        assertThat(body, containsString("client_secret=" + CLIENT_SECRET));
+        assertThat(body, containsString("audience=" + "aud"));
+        assertThat(body, containsString("connection=" + "conn"));
+
+        assertThat(response, is(notNullValue()));
+        assertThat(response.getRequestURI(), not(emptyOrNullString()));
+        assertThat(response.getExpiresIn(), notNullValue());
+    }
+
+    @Test
+    public void shouldCreatePushedAuthorizationRequestWithoutSecret() throws Exception {
+        AuthAPI api = AuthAPI.newBuilder(server.getBaseUrl(), CLIENT_ID).build();
+        Request<PushedAuthorizationResponse> request = api.pushedAuthorizationRequest("https://domain.com/callback", "code", null);
+        assertThat(request, is(notNullValue()));
+
+        server.jsonResponse(PUSHED_AUTHORIZATION_RESPONSE, 200);
+        PushedAuthorizationResponse response = request.execute().getBody();
+        RecordedRequest recordedRequest = server.takeRequest();
+
+        assertThat(recordedRequest, hasMethodAndPath(HttpMethod.POST, "/oauth/par"));
+        assertThat(recordedRequest, hasHeader("Content-Type", "application/x-www-form-urlencoded"));
+
+        String body = readFromRequest(recordedRequest);
+        assertThat(body, containsString("client_id=" + CLIENT_ID));
+        assertThat(body, containsString("redirect_uri=" + "https%3A%2F%2Fdomain.com%2Fcallback"));
+        assertThat(body, containsString("response_type=" + "code"));
+        assertThat(body, not(containsString("client_secret")));
+
+        assertThat(response, is(notNullValue()));
+        assertThat(response.getRequestURI(), not(emptyOrNullString()));
+        assertThat(response.getExpiresIn(), notNullValue());
+    }
+
     static class TestAssertionSigner implements ClientAssertionSigner {
 
         private final String token;