Add full /oauth/token support for SAML2 bearer grant #3846
Both /oauth/token and /oauth/token/alias/<entityid> are supported. On /oauth/token the IdP is resolved from the assertion's Issuer element.
Pull request overview
This PR extends SAML2 Bearer Grant support so clients can post assertions to the standard /oauth/token endpoint (in addition to the existing /oauth/token/alias/<entityid> path), resolving the IdP from the assertion <Issuer> when using /oauth/token.
Changes:
- Updated SAML assertion recipient validation to accept both `/oauth/token` and `/oauth/token/alias/<entityid>` recipients for the SAML2 bearer flow.
- Expanded MockMvc coverage to exercise both token endpoints via a parameterized test and adjusted test IdP metadata to be subdomain-specific.
- Updated Slate documentation to describe both supported endpoints and the issuer-based IdP resolution behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java | Parameterizes the existing bearer-grant token test to cover both /oauth/token and /oauth/token/alias/..., and fixes test metadata to use the current subdomain. |
| uaa/slateCustomizations/source/index.html.md.erb | Documents that bearer assertions may be posted to either endpoint, and explains how IdP resolution works for /oauth/token. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml4AuthenticationProvider.java | Broadens SAML bearer recipient validation to allow both token endpoint variants. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Adds support for exchanging SAML2 bearer assertions at the standard /oauth/token endpoint (in addition to the existing /oauth/token/alias/... flow) by validating assertions against both possible recipient URLs and documenting/testing the new behavior.
Changes:
- Parameterizes the SAML2 bearer MockMvc test to cover both `/oauth/token` and `/oauth/token/alias/...` exchanges.
- Updates SAML2 bearer grant docs to describe `/oauth/token` support and issuer-based IdP resolution.
- Expands SAML recipient validation to accept both `/oauth/token` and `/oauth/token/alias/...` recipients for SAML2 bearer assertions.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java | Adds test coverage for both token endpoints via parameterization and updates metadata to be subdomain-aware. |
| uaa/slateCustomizations/source/index.html.md.erb | Documents that SAML2 bearer assertions can be sent to /oauth/token and how IdP resolution works there. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml4AuthenticationProvider.java | Allows SAML2 bearer validation to accept both /oauth/token and /oauth/token/alias/... recipients. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Adds support for using the SAML2 bearer grant on the standard /oauth/token endpoint in addition to the existing /oauth/token/alias/<entityid> endpoint, resolving the IdP from the SAML assertion Issuer when hitting the standard endpoint.
Changes:
- Update SAML assertion recipient validation to accept both `/oauth/token/alias/<...>` and `/oauth/token` recipients for SAML2 bearer assertions.
- Extend MockMvc integration test to cover both the alias and standard token endpoints.
- Update Slate docs to mention both token endpoints and Issuer-based IdP resolution for `/oauth/token`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java | Parameterizes the SAML2 bearer grant test to exercise both /oauth/token and /oauth/token/alias/<...>. |
| uaa/slateCustomizations/source/index.html.md.erb | Documents using SAML2 bearer grant against /oauth/token as well as the alias endpoint. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml4AuthenticationProvider.java | Broadens allowed Recipient values for SAML2 bearer assertions to include /oauth/token. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Pull request overview
Extends the SAML2 bearer grant token exchange to work on the standard /oauth/token endpoint (in addition to the existing alias endpoint), and updates validation/tests/docs accordingly.
Changes:
- Update SAML assertion recipient validation to accept both `/oauth/token/alias/...` and `/oauth/token` recipients for the bearer grant.
- Expand MockMvc test coverage to exercise both the standard and alias token endpoints.
- Update Slate documentation to describe both supported endpoints and how IdP selection works for `/oauth/token`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java | Parameterizes the bearer-grant test to cover both /oauth/token and /oauth/token/alias/... flows and adjusts test metadata generation. |
| uaa/slateCustomizations/source/index.html.md.erb | Documents that bearer assertions may be posted to /oauth/token or /oauth/token/alias/<entityid>, and clarifies IdP resolution via <Issuer> for /oauth/token. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml4AuthenticationProvider.java | Allows bearer assertion recipient validation against both the alias token endpoint and the standard token endpoint. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
# Conflicts:
#	uaa/slateCustomizations/source/index.html.md.erb
#	uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
# Conflicts:
#	uaa/slateCustomizations/source/index.html.md.erb
do not replaceAll but only the path
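The recipient rule the review summaries describe, and the "replace only the path" point raised just above, as an added illustration: a bearer assertion's SubjectConfirmationData Recipient must exactly equal either the alias token endpoint or the standard `/oauth/token` endpoint on the same scheme, host and port, and the standard URI is derived by swapping only the path component rather than string-replacing across the whole URL. This is example code written for this page, not UAA's `OpenSaml4AuthenticationProvider`; the class and method names and the sample hostnames are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Illustrative recipient check for the SAML2 bearer grant (example code, not UAA's).
 * The allow-list is deliberately just two URIs: the alias endpoint the assertion was
 * minted for and the standard token endpoint on the same scheme/authority. Anything
 * else (other registration id, other scheme, extra query) is rejected, which keeps an
 * assertion issued for one endpoint from being replayed elsewhere.
 */
public final class BearerRecipientCheck {

    private static final String ALIAS_PATH_PREFIX = "/oauth/token/alias/";
    private static final String TOKEN_PATH = "/oauth/token";

    private BearerRecipientCheck() {}

    /** Derives the standard token endpoint by replacing only the path component. */
    static URI standardTokenEndpoint(URI aliasEndpoint) {
        String path = aliasEndpoint.getRawPath();
        if (path == null || !path.startsWith(ALIAS_PATH_PREFIX)
                || path.length() == ALIAS_PATH_PREFIX.length()) {
            throw new IllegalArgumentException("not an alias token endpoint: " + aliasEndpoint);
        }
        try {
            // Scheme and authority are copied verbatim; only the path is swapped.
            // A replaceAll over the whole URL string could also rewrite a host or a
            // registration id that happens to contain the same substring.
            return new URI(aliasEndpoint.getScheme(), aliasEndpoint.getRawAuthority(),
                    TOKEN_PATH, null, null);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /** The two Recipient values accepted for an assertion bound to this alias endpoint. */
    static Set<String> allowedRecipients(URI aliasEndpoint) {
        Set<String> allowed = new LinkedHashSet<>();
        allowed.add(aliasEndpoint.toString());
        allowed.add(standardTokenEndpoint(aliasEndpoint).toString());
        return Collections.unmodifiableSet(allowed);
    }

    /** Exact-match comparison; no prefix matching and no normalisation of the candidate. */
    static boolean isAcceptableRecipient(String recipient, URI aliasEndpoint) {
        return recipient != null && allowedRecipients(aliasEndpoint).contains(recipient);
    }

    public static void main(String[] args) {
        // Constructed sample: a zone whose host and registration id both contain "alias",
        // the case where a whole-string replace would go wrong.
        URI alias = URI.create("https://alias.uaa.example.test/oauth/token/alias/alias");
        System.out.println("allowed: " + allowedRecipients(alias));

        String[] candidates = {
            "https://alias.uaa.example.test/oauth/token",               // standard endpoint
            "https://alias.uaa.example.test/oauth/token/alias/alias",   // alias endpoint
            "https://alias.uaa.example.test/oauth/token/alias/other",   // wrong registration id
            "http://alias.uaa.example.test/oauth/token",                // wrong scheme
            "https://alias.uaa.example.test/oauth/token?x=1"            // extra query component
        };
        for (String candidate : candidates) {
            System.out.println(candidate + " -> "
                    + (isAcceptableRecipient(candidate, alias) ? "accept" : "reject"));
        }
    }
}
```

Only the first two candidates are accepted; the remaining three differ from the allow-list in registration id, scheme or query and are rejected by the exact-match comparison.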
Pull request overview
Adds first-class support for exchanging SAML2 bearer assertions on the standard /oauth/token endpoint (in addition to the existing /oauth/token/alias/{registrationId} path), with IdP resolution on /oauth/token driven by the assertion <Issuer>.
Changes:
- Extend SAML bearer recipient validation to allow both the alias recipient URI and the corresponding `/oauth/token` recipient URI.
- Consolidate MockMvc coverage to exercise both token endpoint paths via a parameterized test.
- Update Slate docs to describe the two supported token endpoint URLs and issuer-based IdP resolution on `/oauth/token`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java | Refactors tests into a boolean-parameterized case covering /oauth/token and /oauth/token/alias/.... |
| uaa/slateCustomizations/source/index.html.md.erb | Updates documentation text to describe endpoint options and recipient expectations. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml4AuthenticationProvider.java | Allows multiple valid SAML Recipient URIs for bearer validation (alias + standard token). |
Pull request overview
Adds full SAML2 bearer grant support on the standard OAuth token endpoint (/oauth/token) in addition to the existing alias endpoint (/oauth/token/alias/<registrationId>), aligning behavior with how the IdP can be resolved from the assertion Issuer.
Changes:
- Consolidates SAML2 bearer grant MockMvc coverage into a parameterized test to exercise both token endpoint paths.
- Updates SAML assertion Recipient validation to accept both `/oauth/token` and `/oauth/token/alias/...` recipients for the SAML2 bearer grant.
- Updates Slate documentation to describe how to use `/oauth/token` vs `/oauth/token/alias/<registrationId>` for SAML2 bearer.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java | Refactors test to parameterize standard vs alias token endpoint usage. |
| uaa/slateCustomizations/source/index.html.md.erb | Updates docs to explain endpoint choice and Recipient expectations. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml4AuthenticationProvider.java | Broadens allowed Recipient URIs for SAML2 bearer assertion validation. |
Pull request overview
This PR extends SAML2 bearer grant token issuance to support the standard /oauth/token endpoint in addition to the existing alias form, aligning recipient validation and documentation with the expanded behavior.
Changes:
- Update SAML2 bearer grant MockMvc test to cover both `/oauth/token` and `/oauth/token/alias/{registrationId}` via parameterization.
- Relax SAML bearer assertion recipient validation to accept both alias-recipient and standard token-recipient URIs.
- Update Slate docs to describe endpoint selection and IdP resolution behavior for `/oauth/token` vs alias token paths.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| uaa/src/test/java/org/cloudfoundry/identity/uaa/mock/token/Saml2BearerGrantMockMvcTests.java | Parameterizes the bearer-grant token test to run against both token endpoint paths. |
| uaa/slateCustomizations/source/index.html.md.erb | Updates SAML2 bearer grant documentation to describe /oauth/token and alias behavior. |
| server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/OpenSaml4AuthenticationProvider.java | Expands valid SAML assertion recipients for bearer assertions to include both alias and standard token URIs. |