Add kotlin-oauth2-authorization-server project

Jongho Jeon 2022-04-20 16:54:07 +09:00
parent 2b7ce67ff5
commit ab860b4732
12 changed files with 804 additions and 0 deletions


@ -0,0 +1,121 @@
= OAuth 2.0 Authorization Server Sample
This sample demonstrates Authorization Server with the `authorization_code` and `client_credentials` grant types, as well as OpenID Connect 1.0. This authorization server is configured to generate JWT tokens signed with the `RS256` algorithm.
* <<running-the-tests, Running the tests>>
* <<running-the-app, Running the app>>
* <<testing-with-a-resource-server, Testing with a resource server>>
[[running-the-tests]]
== Running the tests
To run the tests, do:
```bash
./gradlew integrationTest
```
Or import the project into your IDE and run `OAuth2AuthorizationServerApplicationTests` from there.
=== What is it doing?
The tests are making requests to the token endpoint with the `client_credentials` grant type using the `client_secret_basic` authentication method, and subsequently verifying the access token from the response using the token introspection endpoint.
The introspection endpoint response is used to verify the token (decode the JWT in this case), returning the payload including the requested scope.
NOTE: Spring Security does not require the token introspection endpoint when configured to use the Bearer scheme with JWTs, this is simply used for demonstration purposes.
[[running-the-app]]
== Running the app
To run as a stand-alone application, do:
```bash
./gradlew bootRun
```
Or import the project into your IDE and run `OAuth2AuthorizationServerApplication` from there.
Once it is up and running, you can issue the following request:
```bash
curl -X POST messaging-client:secret@localhost:9000/oauth2/token -d "grant_type=client_credentials" -d "scope=message:read"
```
This returns something like the following:
```json
{
"access_token": "eyJraWQiOiI4YWY4Zjc2Zi0zMTdkLTQxZmYtYWY5Yi1hZjg5NDg4ODM5YzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJtZXNzYWdpbmctY2xpZW50IiwiYXVkIjoibWVzc2FnaW5nLWNsaWVudCIsIm5iZiI6MTYyNzMzNDQ1MCwic2NvcGUiOlsibWVzc2FnZTpyZWFkIl0sImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo5MDAwIiwiZXhwIjoxNjI3MzM0NzUwLCJpYXQiOjE2MjczMzQ0NTAsImp0aSI6IjBiYjYwZjhkLWIzNjItNDk0MC05MGRmLWZhZDg4N2Q1Yzg1ZSJ9.O8dI67B_feRjOn6pJi5ctPJmUJCNpV77SC4OiWqmpa5UHvf4Ud6L6EFe9LKuPIRrEWi8rMdCdMBOPKQMXvxLoI3LMUPf7Yj973uvZN0E988MsKwhGwxyaa_Wam8wFlk8aQlN8SbW3cKdeH-nKloNMdwjfspovefX521mxouaMjmyXdIFrM5WZ15GZK69NIniACSatE-pc9TAjKYBDbC65jVt_zHEvDQbEkZulF2bjrGOZC8C3IbJWnlKgkcshrY44TtrGPyCp2gIS0TSUUsG00iSBBC8E8zPU-YdfaP8gB9_FwUwK9zfy_hU2Ykf2aU3eulpGDVLn2rCwFeK86Rw1w",
"expires_in": 299,
"scope": "message:read",
"token_type": "Bearer"
}
```
In order to make the same token introspection request as the tests, export the access token from the response:
```bash
export TOKEN=...
```
Then issue the following request:
```bash
curl -X POST messaging-client:secret@localhost:9000/oauth2/introspect -d "token=$TOKEN"
```
Which will return something like the following:
```json
{
"active": true,
"aud": [
"messaging-client"
],
"client_id": "messaging-client",
"exp": 1627334750,
"iat": 1627334450,
"iss": "http://localhost:9000",
"jti": "0bb60f8d-b362-4940-90df-fad887d5c85e",
"nbf": 1627334450,
"scope": "message:read",
"sub": "messaging-client",
"token_type": "Bearer"
}
```
[[testing-with-a-resource-server]]
== Testing with a resource server
This sample can be used in conjunction with a resource server, such as the https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/oauth2/resource-server/hello-security[resource-server sample] in this project which is pre-configured to work with this authorization server sample out of the box.
You can run that app similarly to the authorization server:
```bash
./gradlew bootRun
```
Once it is up and running, you can issue the following request:
```bash
curl -X POST messaging-client:secret@localhost:9000/oauth2/token -d "grant_type=client_credentials" -d "scope=message:read"
```
Then, export the access token from the response:
```bash
export TOKEN=...
```
Then issue the following request:
```bash
curl -H "Authorization: Bearer $TOKEN" localhost:8080
```
Which will respond with the phrase:
```
Hello, messaging-client!
```


@ -0,0 +1,37 @@
import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
plugins {
id("org.springframework.boot") version "2.6.4"
id("io.spring.dependency-management") version "1.0.11.RELEASE"
id("nebula.integtest") version "8.2.0"
kotlin("jvm") version "1.6.10"
kotlin("plugin.spring") version "1.6.10"
}
repositories {
mavenCentral()
maven { setUrl("https://repo.spring.io/milestone") }
maven { setUrl("https://repo.spring.io/snapshot") }
}
dependencies {
implementation("org.springframework.boot:spring-boot-starter-web")
implementation("org.springframework.security:spring-security-oauth2-authorization-server:0.2.3")
testImplementation("org.springframework.boot:spring-boot-starter-test")
testImplementation("org.springframework.security:spring-security-test")
integTestImplementation("net.sourceforge.htmlunit:htmlunit")
}
tasks {
withType<Test> {
useJUnitPlatform()
outputs.upToDateWhen { false }
}
withType<KotlinCompile> {
kotlinOptions {
freeCompilerArgs = listOf("-Xjsr305=strict")
}
}
}
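Review bot: The `repositories` block resolves from `https://repo.spring.io/snapshot` (and milestone), and gradle.properties in this same commit pins `spring-security.version=5.7.0-SNAPSHOT`, so every build pulls Spring Security from a mutable snapshot repository and is neither reproducible nor checkable against a fixed artifact. If that is only needed until 5.7.0 ships, say so above the two `maven { setUrl(...) }` lines, e.g. `// milestone/snapshot repos only while spring-security 5.7.0 (gradle.properties) is pre-release; drop once released`. It is also worth restricting those two repositories to Spring artifacts with a content filter, `maven { setUrl("https://repo.spring.io/snapshot"); content { includeGroupByRegex("org\\.springframework.*") } }`, so that `mavenCentral()` stays the sole source for everything else and a snapshot repo cannot shadow a Central artifact.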


@ -0,0 +1,2 @@
version=5.7.0-SNAPSHOT
spring-security.version=5.7.0-SNAPSHOT


@ -0,0 +1,5 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.1-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
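Review bot: The distribution named by `distributionUrl` is downloaded with no integrity check, so a substituted or tampered zip would be executed as-is. Adding `distributionSha256Sum=<published sha256 of gradle-7.1-bin.zip>` (the checksum Gradle publishes for that exact distribution) makes the wrapper refuse any download that does not match.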


@ -0,0 +1,185 @@
#!/usr/bin/env sh
#
# Copyright 2015 the original author or authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
##############################################################################
##
## Gradle start up script for UN*X
##
##############################################################################
# Attempt to set APP_HOME
# Resolve links: $0 may be a link
PRG="$0"
# Need this for relative symlinks.
while [ -h "$PRG" ] ; do
ls=`ls -ld "$PRG"`
link=`expr "$ls" : '.*-> \(.*\)$'`
if expr "$link" : '/.*' > /dev/null; then
PRG="$link"
else
PRG=`dirname "$PRG"`"/$link"
fi
done
SAVED="`pwd`"
cd "`dirname \"$PRG\"`/" >/dev/null
APP_HOME="`pwd -P`"
cd "$SAVED" >/dev/null
APP_NAME="Gradle"
APP_BASE_NAME=`basename "$0"`
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD="maximum"
warn () {
echo "$*"
}
die () {
echo
echo "$*"
echo
exit 1
}
# OS specific support (must be 'true' or 'false').
cygwin=false
msys=false
darwin=false
nonstop=false
case "`uname`" in
CYGWIN* )
cygwin=true
;;
Darwin* )
darwin=true
;;
MSYS* | MINGW* )
msys=true
;;
NONSTOP* )
nonstop=true
;;
esac
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
# Determine the Java command to use to start the JVM.
if [ -n "$JAVA_HOME" ] ; then
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
# IBM's JDK on AIX uses strange locations for the executables
JAVACMD="$JAVA_HOME/jre/sh/java"
else
JAVACMD="$JAVA_HOME/bin/java"
fi
if [ ! -x "$JAVACMD" ] ; then
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
else
JAVACMD="java"
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi
# Increase the maximum file descriptors if we can.
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
MAX_FD_LIMIT=`ulimit -H -n`
if [ $? -eq 0 ] ; then
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
MAX_FD="$MAX_FD_LIMIT"
fi
ulimit -n $MAX_FD
if [ $? -ne 0 ] ; then
warn "Could not set maximum file descriptor limit: $MAX_FD"
fi
else
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
fi
fi
# For Darwin, add options to specify how the application appears in the dock
if $darwin; then
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
fi
# For Cygwin or MSYS, switch paths to Windows format before running java
if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
JAVACMD=`cygpath --unix "$JAVACMD"`
# We build the pattern for arguments to be converted via cygpath
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
SEP=""
for dir in $ROOTDIRSRAW ; do
ROOTDIRS="$ROOTDIRS$SEP$dir"
SEP="|"
done
OURCYGPATTERN="(^($ROOTDIRS))"
# Add a user-defined pattern to the cygpath arguments
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
fi
# Now convert the arguments - kludge to limit ourselves to /bin/sh
i=0
for arg in "$@" ; do
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
else
eval `echo args$i`="\"$arg\""
fi
i=`expr $i + 1`
done
case $i in
0) set -- ;;
1) set -- "$args0" ;;
2) set -- "$args0" "$args1" ;;
3) set -- "$args0" "$args1" "$args2" ;;
4) set -- "$args0" "$args1" "$args2" "$args3" ;;
5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
esac
fi
# Escape application args
save () {
for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
echo " "
}
APP_ARGS=`save "$@"`
# Collect all arguments for the java command, following the shell quoting and substitution rules
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
exec "$JAVACMD" "$@"


@ -0,0 +1,89 @@
@rem
@rem Copyright 2015 the original author or authors.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem https://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.
@rem
@if "%DEBUG%" == "" @echo off
@rem ##########################################################################
@rem
@rem Gradle startup script for Windows
@rem
@rem ##########################################################################
@rem Set local scope for the variables with windows NT shell
if "%OS%"=="Windows_NT" setlocal
set DIRNAME=%~dp0
if "%DIRNAME%" == "" set DIRNAME=.
set APP_BASE_NAME=%~n0
set APP_HOME=%DIRNAME%
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
@rem Find java.exe
if defined JAVA_HOME goto findJavaFromJavaHome
set JAVA_EXE=java.exe
%JAVA_EXE% -version >NUL 2>&1
if "%ERRORLEVEL%" == "0" goto execute
echo.
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:findJavaFromJavaHome
set JAVA_HOME=%JAVA_HOME:"=%
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
if exist "%JAVA_EXE%" goto execute
echo.
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
echo.
echo Please set the JAVA_HOME variable in your environment to match the
echo location of your Java installation.
goto fail
:execute
@rem Setup the command line
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
@rem Execute Gradle
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
:end
@rem End local scope for the variables with windows NT shell
if "%ERRORLEVEL%"=="0" goto mainEnd
:fail
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
rem the _cmd.exe /c_ return code!
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
exit /b 1
:mainEnd
if "%OS%"=="Windows_NT" endlocal
:omega


@ -0,0 +1,181 @@
/*
* Copyright 2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package example
import com.fasterxml.jackson.core.type.TypeReference
import com.fasterxml.jackson.databind.ObjectMapper
import org.junit.jupiter.api.Test
import org.springframework.beans.factory.annotation.Autowired
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
import org.springframework.boot.test.context.SpringBootTest
import org.springframework.http.HttpHeaders
import org.springframework.mock.web.MockHttpServletRequest
import org.springframework.test.context.ActiveProfiles
import org.springframework.test.web.servlet.MockMvc
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders
import org.springframework.test.web.servlet.request.RequestPostProcessor
import org.springframework.test.web.servlet.result.MockMvcResultMatchers
/**
* Integration tests for [OAuth2AuthorizationServerApplication].
*
* @author Steve Riesenberg
*/
@SpringBootTest
@AutoConfigureMockMvc
@ActiveProfiles("test")
class OAuth2AuthorizationServerApplicationITests {
private val objectMapper = ObjectMapper()
@Autowired
private val mockMvc: MockMvc? = null
@Test
fun performTokenRequestWhenValidClientCredentialsThenOk() {
// @formatter:off
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
.param("grant_type", "client_credentials")
.param("scope", "message:read")
.with(basicAuth(CLIENT_ID, CLIENT_SECRET)))
.andExpect(MockMvcResultMatchers.status().isOk)
.andExpect(MockMvcResultMatchers.jsonPath("$.access_token").isString)
.andExpect(MockMvcResultMatchers.jsonPath("$.expires_in").isNumber)
.andExpect(MockMvcResultMatchers.jsonPath("$.scope").value("message:read"))
.andExpect(MockMvcResultMatchers.jsonPath("$.token_type").value("Bearer"))
// @formatter:on
}
@Test
fun performTokenRequestWhenMissingScopeThenOk() {
// @formatter:off
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
.param("grant_type", "client_credentials")
.with(basicAuth(CLIENT_ID, CLIENT_SECRET)))
.andExpect(MockMvcResultMatchers.status().isOk)
.andExpect(MockMvcResultMatchers.jsonPath("$.access_token").isString)
.andExpect(MockMvcResultMatchers.jsonPath("$.expires_in").isNumber)
.andExpect(MockMvcResultMatchers.jsonPath("$.scope").value("message:read message:write"))
.andExpect(MockMvcResultMatchers.jsonPath("$.token_type").value("Bearer"))
// @formatter:on
}
@Test
fun performTokenRequestWhenInvalidClientCredentialsThenUnauthorized() {
// @formatter:off
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
.param("grant_type", "client_credentials")
.param("scope", "message:read")
.with(basicAuth("bad", "password")))
.andExpect(MockMvcResultMatchers.status().isUnauthorized)
.andExpect(MockMvcResultMatchers.jsonPath("$.error").value("invalid_client"))
// @formatter:on
}
@Test
fun performTokenRequestWhenMissingGrantTypeThenUnauthorized() {
// @formatter:off
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
.with(basicAuth("bad", "password")))
.andExpect(MockMvcResultMatchers.status().isUnauthorized)
.andExpect(MockMvcResultMatchers.jsonPath("$.error").value("invalid_client"))
// @formatter:on
}
@Test
fun performTokenRequestWhenGrantTypeNotRegisteredThenBadRequest() {
// @formatter:off
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
.param("grant_type", "client_credentials")
.with(basicAuth("login-client", "openid-connect")))
.andExpect(MockMvcResultMatchers.status().isBadRequest)
.andExpect(MockMvcResultMatchers.jsonPath("$.error").value("unauthorized_client"))
// @formatter:on
}
@Test
fun performIntrospectionRequestWhenValidTokenThenOk() {
// @formatter:off
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/introspect")
.param("token", accessToken)
.with(basicAuth(CLIENT_ID, CLIENT_SECRET)))
.andExpect(MockMvcResultMatchers.status().isOk)
.andExpect(MockMvcResultMatchers.jsonPath("$.active").value("true"))
.andExpect(MockMvcResultMatchers.jsonPath("$.aud[0]").value(CLIENT_ID))
.andExpect(MockMvcResultMatchers.jsonPath("$.client_id").value(CLIENT_ID))
.andExpect(MockMvcResultMatchers.jsonPath("$.exp").isNumber)
.andExpect(MockMvcResultMatchers.jsonPath("$.iat").isNumber)
.andExpect(MockMvcResultMatchers.jsonPath("$.iss").value("http://localhost:9000"))
.andExpect(MockMvcResultMatchers.jsonPath("$.nbf").isNumber)
.andExpect(MockMvcResultMatchers.jsonPath("$.scope").value("message:read"))
.andExpect(MockMvcResultMatchers.jsonPath("$.sub").value(CLIENT_ID))
.andExpect(MockMvcResultMatchers.jsonPath("$.token_type").value("Bearer"))
// @formatter:on
}
@Test
fun performIntrospectionRequestWhenInvalidCredentialsThenUnauthorized() {
// @formatter:off
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/introspect")
.param("token", accessToken)
.with(basicAuth("bad", "password")))
.andExpect(MockMvcResultMatchers.status().isUnauthorized)
.andExpect(MockMvcResultMatchers.jsonPath("$.error").value("invalid_client"))
// @formatter:on
}
// @formatter:off
private val accessToken:
// @formatter:on
String
get() {
// @formatter:off
val mvcResult = mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
.param("grant_type", "client_credentials")
.param("scope", "message:read")
.with(basicAuth(CLIENT_ID, CLIENT_SECRET)))
.andExpect(MockMvcResultMatchers.status().isOk)
.andExpect(MockMvcResultMatchers.jsonPath("$.access_token").exists())
.andReturn()
// @formatter:on
val tokenResponseJson = mvcResult.response.contentAsString
val tokenResponse: Map<String, Any> =
objectMapper.readValue(tokenResponseJson, object : TypeReference<Map<String, Any>>() {})
return tokenResponse["access_token"].toString()
}
private class BasicAuthenticationRequestPostProcessor constructor(
private val username: String,
private val password: String,
) :
RequestPostProcessor {
override fun postProcessRequest(request: MockHttpServletRequest): MockHttpServletRequest {
val headers = HttpHeaders()
headers.setBasicAuth(username, password)
request.addHeader("Authorization", headers.getFirst("Authorization")!!)
return request
}
}
companion object {
private const val CLIENT_ID = "messaging-client"
private const val CLIENT_SECRET = "secret"
private fun basicAuth(username: String, password: String): BasicAuthenticationRequestPostProcessor {
return BasicAuthenticationRequestPostProcessor(username, password)
}
}
}
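Review bot: `performTokenRequestWhenMissingGrantTypeThenUnauthorized` authenticates with `basicAuth("bad", "password")`, so the 401/`invalid_client` it asserts comes from client authentication failing and would pass whether or not `grant_type` is present; the missing-parameter path is never exercised. To test what the name says, authenticate as the registered client and expect the parameter error, `.with(basicAuth(CLIENT_ID, CLIENT_SECRET)))` / `.andExpect(MockMvcResultMatchers.status().isBadRequest)` / `.andExpect(MockMvcResultMatchers.jsonPath("$.error").value("invalid_request"))` (the RFC 6749 §5.2 code for a missing required parameter; confirm against the server's actual response), and rename the test to `...ThenBadRequest`. Separately, `@Autowired private val mockMvc: MockMvc? = null` forces `mockMvc!!` in every test; `@Autowired private lateinit var mockMvc: MockMvc` removes the nullable type and all the `!!`s. The hand-rolled `BasicAuthenticationRequestPostProcessor` duplicates `SecurityMockMvcRequestPostProcessors.httpBasic(username, password)` from spring-security-test, which the build already declares.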


@ -0,0 +1,27 @@
/*
* Copyright 2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package example
import org.springframework.boot.autoconfigure.SpringBootApplication
import org.springframework.boot.runApplication
@SpringBootApplication
class OAuth2AuthorizationServerApplication
fun main(args: Array<String>) {
runApplication<OAuth2AuthorizationServerApplication>(*args)
}


@ -0,0 +1,154 @@
/*
* Copyright 2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package example
import com.nimbusds.jose.jwk.JWKSet
import com.nimbusds.jose.jwk.RSAKey
import com.nimbusds.jose.jwk.source.ImmutableJWKSet
import com.nimbusds.jose.jwk.source.JWKSource
import com.nimbusds.jose.proc.SecurityContext
import org.springframework.beans.factory.config.BeanDefinition
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.context.annotation.Role
import org.springframework.core.annotation.Order
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.oauth2.core.AuthorizationGrantType
import org.springframework.security.oauth2.core.ClientAuthenticationMethod
import org.springframework.security.oauth2.core.oidc.OidcScopes
import org.springframework.security.oauth2.jwt.JwtDecoder
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository
import org.springframework.security.oauth2.server.authorization.config.ClientSettings
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings
import org.springframework.security.provisioning.InMemoryUserDetailsManager
import org.springframework.security.web.SecurityFilterChain
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.interfaces.RSAPrivateKey
import java.security.interfaces.RSAPublicKey
import java.util.UUID
/**
* OAuth Authorization Server Configuration.
*
* @author Steve Riesenberg
*/
@Configuration
class OAuth2AuthorizationServerSecurityConfiguration {
@Bean
@Order(1)
fun authorizationServerSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http)
return http.formLogin(Customizer.withDefaults()).build()
}
@Bean
@Order(2)
fun standardSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
// @formatter:off
http
.authorizeHttpRequests { authorize ->
authorize.anyRequest().authenticated()
}
.formLogin(Customizer.withDefaults())
// @formatter:on
return http.build()
}
@Bean
fun registeredClientRepository(): RegisteredClientRepository {
// @formatter:off
val loginClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("login-client")
.clientSecret("{noop}openid-connect")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.redirectUri("http://127.0.0.1:8080/login/oauth2/code/login-client")
.redirectUri("http://127.0.0.1:8080/authorized")
.scope(OidcScopes.OPENID)
.scope(OidcScopes.PROFILE)
.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
.build()
val registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("messaging-client")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.scope("message:read")
.scope("message:write")
.build()
// @formatter:on
return InMemoryRegisteredClientRepository(loginClient, registeredClient)
}
@Bean
fun jwkSource(keyPair: KeyPair): JWKSource<SecurityContext> {
val publicKey = keyPair.public as RSAPublicKey
val privateKey = keyPair.private as RSAPrivateKey
// @formatter:off
val rsaKey = RSAKey.Builder(publicKey)
.privateKey(privateKey)
.keyID(UUID.randomUUID().toString())
.build()
// @formatter:on
val jwkSet = JWKSet(rsaKey)
return ImmutableJWKSet(jwkSet)
}
@Bean
fun jwtDecoder(keyPair: KeyPair): JwtDecoder {
return NimbusJwtDecoder.withPublicKey(keyPair.public as RSAPublicKey).build()
}
@Bean
fun providerSettings(): ProviderSettings {
return ProviderSettings.builder().issuer("http://localhost:9000").build()
}
@Bean
fun userDetailsService(): UserDetailsService {
// @formatter:off
val userDetails = User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build()
// @formatter:on
return InMemoryUserDetailsManager(userDetails)
}
@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
fun generateRsaKey(): KeyPair {
try {
val keyPairGenerator = KeyPairGenerator.getInstance("RSA")
keyPairGenerator.initialize(2048)
return keyPairGenerator.generateKeyPair()
} catch (ex: Exception) {
throw IllegalStateException(ex)
}
}
}
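Review bot: `generateRsaKey()` wraps its whole body in `catch (ex: Exception)` and rethrows as `IllegalStateException`, which also hides the type of any programming error; Kotlin has no checked exceptions and the declared failure of `KeyPairGenerator.getInstance("RSA")` is `NoSuchAlgorithmException`, so the body can be the single line `return KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }.generateKeyPair()` with no try/catch, or catch `NoSuchAlgorithmException` specifically if the wrapping is wanted. The key pair is generated fresh on every start with a random `keyID`, so JWTs issued before a restart cannot be verified afterwards; a KDoc on `generateRsaKey` such as `Ephemeral RSA-2048 signing key, regenerated on each start; previously issued JWTs become unverifiable after a restart` would make that sample-only choice explicit. Likewise `registeredClientRepository()` stores client secrets with the `{noop}` prefix and `userDetailsService()` uses the deprecated `User.withDefaultPasswordEncoder()`, both plaintext demo-only storage; a comment above each, e.g. `// Demo only: secret is stored unencoded ({noop}); store a PasswordEncoder-encoded secret outside samples`, would keep them from being copied as-is.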


@ -0,0 +1,2 @@
server:
port: 9000