Add kotlin-oauth2-authorization-server project
This commit is contained in:
parent
2b7ce67ff5
commit
ab860b4732
@ -0,0 +1,121 @@
|
|||||||
|
= OAuth 2.0 Authorization Server Sample
|
||||||
|
|
||||||
|
This sample demonstrates Authorization Server with the `authorization_code` and `client_credentials` grant types, as well as OpenID Connect 1.0. This authorization server is configured to generate JWT tokens signed with the `RS256` algorithm.
|
||||||
|
|
||||||
|
* <<running-the-tests, Running the tests>>
|
||||||
|
* <<running-the-app, Running the app>>
|
||||||
|
* <<testing-with-a-resource-server, Testing with a resource server>>
|
||||||
|
|
||||||
|
[[running-the-tests]]
|
||||||
|
== Running the tests
|
||||||
|
|
||||||
|
To run the tests, do:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./gradlew integrationTest
|
||||||
|
```
|
||||||
|
|
||||||
|
Or import the project into your IDE and run `OAuth2AuthorizationServerApplicationTests` from there.
|
||||||
|
|
||||||
|
=== What is it doing?
|
||||||
|
|
||||||
|
The tests are making requests to the token endpoint with the `client_credentials` grant type using the `client_secret_basic` authentication method, and subsequently verifying the access token from the response using the token introspection endpoint.
|
||||||
|
|
||||||
|
The introspection endpoint response is used to verify the token (decode the JWT in this case), returning the payload including the requested scope.
|
||||||
|
|
||||||
|
NOTE: Spring Security does not require the token introspection endpoint when configured to use the Bearer scheme with JWTs, this is simply used for demonstration purposes.
|
||||||
|
|
||||||
|
[[running-the-app]]
|
||||||
|
== Running the app
|
||||||
|
|
||||||
|
To run as a stand-alone application, do:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./gradlew bootRun
|
||||||
|
```
|
||||||
|
|
||||||
|
Or import the project into your IDE and run `OAuth2AuthorizationServerApplication` from there.
|
||||||
|
|
||||||
|
Once it is up and running, you can issue the following request:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -X POST messaging-client:secret@localhost:9000/oauth2/token -d "grant_type=client_credentials" -d "scope=message:read"
|
||||||
|
```
|
||||||
|
|
||||||
|
This returns something like the following:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"access_token": "eyJraWQiOiI4YWY4Zjc2Zi0zMTdkLTQxZmYtYWY5Yi1hZjg5NDg4ODM5YzciLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJtZXNzYWdpbmctY2xpZW50IiwiYXVkIjoibWVzc2FnaW5nLWNsaWVudCIsIm5iZiI6MTYyNzMzNDQ1MCwic2NvcGUiOlsibWVzc2FnZTpyZWFkIl0sImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo5MDAwIiwiZXhwIjoxNjI3MzM0NzUwLCJpYXQiOjE2MjczMzQ0NTAsImp0aSI6IjBiYjYwZjhkLWIzNjItNDk0MC05MGRmLWZhZDg4N2Q1Yzg1ZSJ9.O8dI67B_feRjOn6pJi5ctPJmUJCNpV77SC4OiWqmpa5UHvf4Ud6L6EFe9LKuPIRrEWi8rMdCdMBOPKQMXvxLoI3LMUPf7Yj973uvZN0E988MsKwhGwxyaa_Wam8wFlk8aQlN8SbW3cKdeH-nKloNMdwjfspovefX521mxouaMjmyXdIFrM5WZ15GZK69NIniACSatE-pc9TAjKYBDbC65jVt_zHEvDQbEkZulF2bjrGOZC8C3IbJWnlKgkcshrY44TtrGPyCp2gIS0TSUUsG00iSBBC8E8zPU-YdfaP8gB9_FwUwK9zfy_hU2Ykf2aU3eulpGDVLn2rCwFeK86Rw1w",
|
||||||
|
"expires_in": 299,
|
||||||
|
"scope": "message:read",
|
||||||
|
"token_type": "Bearer"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
In order to make the same token introspection request as the tests, export the access token from the response:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
export TOKEN=...
|
||||||
|
```
|
||||||
|
|
||||||
|
Then issue the following request:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -X POST messaging-client:secret@localhost:9000/oauth2/introspect -d "token=$TOKEN"
|
||||||
|
```
|
||||||
|
|
||||||
|
Which will return something like the following:
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"active": true,
|
||||||
|
"aud": [
|
||||||
|
"messaging-client"
|
||||||
|
],
|
||||||
|
"client_id": "messaging-client",
|
||||||
|
"exp": 1627334750,
|
||||||
|
"iat": 1627334450,
|
||||||
|
"iss": "http://localhost:9000",
|
||||||
|
"jti": "0bb60f8d-b362-4940-90df-fad887d5c85e",
|
||||||
|
"nbf": 1627334450,
|
||||||
|
"scope": "message:read",
|
||||||
|
"sub": "messaging-client",
|
||||||
|
"token_type": "Bearer"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
[[testing-with-a-resource-server]]
|
||||||
|
== Testing with a resource server
|
||||||
|
|
||||||
|
This sample can be used in conjunction with a resource server, such as the https://github.com/spring-projects/spring-security-samples/tree/main/servlet/spring-boot/java/oauth2/resource-server/hello-security[resource-server sample] in this project which is pre-configured to work with this authorization server sample out of the box.
|
||||||
|
|
||||||
|
You can run that app similarly to the authorization server:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
./gradlew bootRun
|
||||||
|
```
|
||||||
|
|
||||||
|
Once it is up and running, you can issue the following request:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -X POST messaging-client:secret@localhost:9000/oauth2/token -d "grant_type=client_credentials" -d "scope=message:read"
|
||||||
|
```
|
||||||
|
|
||||||
|
Then, export the access token from the response:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
export TOKEN=...
|
||||||
|
```
|
||||||
|
|
||||||
|
Then issue the following request:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
curl -H "Authorization: Bearer $TOKEN" localhost:8080
|
||||||
|
```
|
||||||
|
|
||||||
|
Which will respond with the phrase:
|
||||||
|
|
||||||
|
```
|
||||||
|
Hello, messaging-client!
|
||||||
|
```
|
@ -0,0 +1,37 @@
|
|||||||
|
import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
|
||||||
|
|
||||||
|
plugins {
|
||||||
|
id("org.springframework.boot") version "2.6.4"
|
||||||
|
id("io.spring.dependency-management") version "1.0.11.RELEASE"
|
||||||
|
id("nebula.integtest") version "8.2.0"
|
||||||
|
kotlin("jvm") version "1.6.10"
|
||||||
|
kotlin("plugin.spring") version "1.6.10"
|
||||||
|
}
|
||||||
|
|
||||||
|
repositories {
|
||||||
|
mavenCentral()
|
||||||
|
maven { setUrl("https://repo.spring.io/milestone") }
|
||||||
|
maven { setUrl("https://repo.spring.io/snapshot") }
|
||||||
|
}
|
||||||
|
|
||||||
|
dependencies {
|
||||||
|
implementation("org.springframework.boot:spring-boot-starter-web")
|
||||||
|
implementation("org.springframework.security:spring-security-oauth2-authorization-server:0.2.3")
|
||||||
|
|
||||||
|
testImplementation("org.springframework.boot:spring-boot-starter-test")
|
||||||
|
testImplementation("org.springframework.security:spring-security-test")
|
||||||
|
|
||||||
|
integTestImplementation("net.sourceforge.htmlunit:htmlunit")
|
||||||
|
}
|
||||||
|
|
||||||
|
tasks {
|
||||||
|
withType<Test> {
|
||||||
|
useJUnitPlatform()
|
||||||
|
outputs.upToDateWhen { false }
|
||||||
|
}
|
||||||
|
withType<KotlinCompile> {
|
||||||
|
kotlinOptions {
|
||||||
|
freeCompilerArgs = listOf("-Xjsr305=strict")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,2 @@
|
|||||||
|
version=5.7.0-SNAPSHOT
|
||||||
|
spring-security.version=5.7.0-SNAPSHOT
|
BIN
servlet/spring-boot/kotlin/oauth2/authorization-server/gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
BIN
servlet/spring-boot/kotlin/oauth2/authorization-server/gradle/wrapper/gradle-wrapper.jar
vendored
Normal file
Binary file not shown.
@ -0,0 +1,5 @@
|
|||||||
|
distributionBase=GRADLE_USER_HOME
|
||||||
|
distributionPath=wrapper/dists
|
||||||
|
distributionUrl=https\://services.gradle.org/distributions/gradle-7.1-bin.zip
|
||||||
|
zipStoreBase=GRADLE_USER_HOME
|
||||||
|
zipStorePath=wrapper/dists
|
185
servlet/spring-boot/kotlin/oauth2/authorization-server/gradlew
vendored
Executable file
185
servlet/spring-boot/kotlin/oauth2/authorization-server/gradlew
vendored
Executable file
@ -0,0 +1,185 @@
|
|||||||
|
#!/usr/bin/env sh
|
||||||
|
|
||||||
|
#
|
||||||
|
# Copyright 2015 the original author or authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
##
|
||||||
|
## Gradle start up script for UN*X
|
||||||
|
##
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
|
# Attempt to set APP_HOME
|
||||||
|
# Resolve links: $0 may be a link
|
||||||
|
PRG="$0"
|
||||||
|
# Need this for relative symlinks.
|
||||||
|
while [ -h "$PRG" ] ; do
|
||||||
|
ls=`ls -ld "$PRG"`
|
||||||
|
link=`expr "$ls" : '.*-> \(.*\)$'`
|
||||||
|
if expr "$link" : '/.*' > /dev/null; then
|
||||||
|
PRG="$link"
|
||||||
|
else
|
||||||
|
PRG=`dirname "$PRG"`"/$link"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
SAVED="`pwd`"
|
||||||
|
cd "`dirname \"$PRG\"`/" >/dev/null
|
||||||
|
APP_HOME="`pwd -P`"
|
||||||
|
cd "$SAVED" >/dev/null
|
||||||
|
|
||||||
|
APP_NAME="Gradle"
|
||||||
|
APP_BASE_NAME=`basename "$0"`
|
||||||
|
|
||||||
|
# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
|
||||||
|
|
||||||
|
# Use the maximum available, or set MAX_FD != -1 to use that value.
|
||||||
|
MAX_FD="maximum"
|
||||||
|
|
||||||
|
warn () {
|
||||||
|
echo "$*"
|
||||||
|
}
|
||||||
|
|
||||||
|
die () {
|
||||||
|
echo
|
||||||
|
echo "$*"
|
||||||
|
echo
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# OS specific support (must be 'true' or 'false').
|
||||||
|
cygwin=false
|
||||||
|
msys=false
|
||||||
|
darwin=false
|
||||||
|
nonstop=false
|
||||||
|
case "`uname`" in
|
||||||
|
CYGWIN* )
|
||||||
|
cygwin=true
|
||||||
|
;;
|
||||||
|
Darwin* )
|
||||||
|
darwin=true
|
||||||
|
;;
|
||||||
|
MSYS* | MINGW* )
|
||||||
|
msys=true
|
||||||
|
;;
|
||||||
|
NONSTOP* )
|
||||||
|
nonstop=true
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
|
||||||
|
|
||||||
|
|
||||||
|
# Determine the Java command to use to start the JVM.
|
||||||
|
if [ -n "$JAVA_HOME" ] ; then
|
||||||
|
if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
|
||||||
|
# IBM's JDK on AIX uses strange locations for the executables
|
||||||
|
JAVACMD="$JAVA_HOME/jre/sh/java"
|
||||||
|
else
|
||||||
|
JAVACMD="$JAVA_HOME/bin/java"
|
||||||
|
fi
|
||||||
|
if [ ! -x "$JAVACMD" ] ; then
|
||||||
|
die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
JAVACMD="java"
|
||||||
|
which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
|
||||||
|
Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
location of your Java installation."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Increase the maximum file descriptors if we can.
|
||||||
|
if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
|
||||||
|
MAX_FD_LIMIT=`ulimit -H -n`
|
||||||
|
if [ $? -eq 0 ] ; then
|
||||||
|
if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
|
||||||
|
MAX_FD="$MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
ulimit -n $MAX_FD
|
||||||
|
if [ $? -ne 0 ] ; then
|
||||||
|
warn "Could not set maximum file descriptor limit: $MAX_FD"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Darwin, add options to specify how the application appears in the dock
|
||||||
|
if $darwin; then
|
||||||
|
GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
# For Cygwin or MSYS, switch paths to Windows format before running java
|
||||||
|
if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
|
||||||
|
APP_HOME=`cygpath --path --mixed "$APP_HOME"`
|
||||||
|
CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
|
||||||
|
|
||||||
|
JAVACMD=`cygpath --unix "$JAVACMD"`
|
||||||
|
|
||||||
|
# We build the pattern for arguments to be converted via cygpath
|
||||||
|
ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
|
||||||
|
SEP=""
|
||||||
|
for dir in $ROOTDIRSRAW ; do
|
||||||
|
ROOTDIRS="$ROOTDIRS$SEP$dir"
|
||||||
|
SEP="|"
|
||||||
|
done
|
||||||
|
OURCYGPATTERN="(^($ROOTDIRS))"
|
||||||
|
# Add a user-defined pattern to the cygpath arguments
|
||||||
|
if [ "$GRADLE_CYGPATTERN" != "" ] ; then
|
||||||
|
OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
|
||||||
|
fi
|
||||||
|
# Now convert the arguments - kludge to limit ourselves to /bin/sh
|
||||||
|
i=0
|
||||||
|
for arg in "$@" ; do
|
||||||
|
CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
|
||||||
|
CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option
|
||||||
|
|
||||||
|
if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition
|
||||||
|
eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
|
||||||
|
else
|
||||||
|
eval `echo args$i`="\"$arg\""
|
||||||
|
fi
|
||||||
|
i=`expr $i + 1`
|
||||||
|
done
|
||||||
|
case $i in
|
||||||
|
0) set -- ;;
|
||||||
|
1) set -- "$args0" ;;
|
||||||
|
2) set -- "$args0" "$args1" ;;
|
||||||
|
3) set -- "$args0" "$args1" "$args2" ;;
|
||||||
|
4) set -- "$args0" "$args1" "$args2" "$args3" ;;
|
||||||
|
5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
|
||||||
|
6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
|
||||||
|
7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
|
||||||
|
8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
|
||||||
|
9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Escape application args
|
||||||
|
save () {
|
||||||
|
for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
|
||||||
|
echo " "
|
||||||
|
}
|
||||||
|
APP_ARGS=`save "$@"`
|
||||||
|
|
||||||
|
# Collect all arguments for the java command, following the shell quoting and substitution rules
|
||||||
|
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
|
||||||
|
|
||||||
|
exec "$JAVACMD" "$@"
|
89
servlet/spring-boot/kotlin/oauth2/authorization-server/gradlew.bat
vendored
Normal file
89
servlet/spring-boot/kotlin/oauth2/authorization-server/gradlew.bat
vendored
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
@rem
|
||||||
|
@rem Copyright 2015 the original author or authors.
|
||||||
|
@rem
|
||||||
|
@rem Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
@rem you may not use this file except in compliance with the License.
|
||||||
|
@rem You may obtain a copy of the License at
|
||||||
|
@rem
|
||||||
|
@rem https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
@rem
|
||||||
|
@rem Unless required by applicable law or agreed to in writing, software
|
||||||
|
@rem distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
@rem See the License for the specific language governing permissions and
|
||||||
|
@rem limitations under the License.
|
||||||
|
@rem
|
||||||
|
|
||||||
|
@if "%DEBUG%" == "" @echo off
|
||||||
|
@rem ##########################################################################
|
||||||
|
@rem
|
||||||
|
@rem Gradle startup script for Windows
|
||||||
|
@rem
|
||||||
|
@rem ##########################################################################
|
||||||
|
|
||||||
|
@rem Set local scope for the variables with windows NT shell
|
||||||
|
if "%OS%"=="Windows_NT" setlocal
|
||||||
|
|
||||||
|
set DIRNAME=%~dp0
|
||||||
|
if "%DIRNAME%" == "" set DIRNAME=.
|
||||||
|
set APP_BASE_NAME=%~n0
|
||||||
|
set APP_HOME=%DIRNAME%
|
||||||
|
|
||||||
|
@rem Resolve any "." and ".." in APP_HOME to make it shorter.
|
||||||
|
for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
|
||||||
|
|
||||||
|
@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
|
||||||
|
set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"
|
||||||
|
|
||||||
|
@rem Find java.exe
|
||||||
|
if defined JAVA_HOME goto findJavaFromJavaHome
|
||||||
|
|
||||||
|
set JAVA_EXE=java.exe
|
||||||
|
%JAVA_EXE% -version >NUL 2>&1
|
||||||
|
if "%ERRORLEVEL%" == "0" goto execute
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:findJavaFromJavaHome
|
||||||
|
set JAVA_HOME=%JAVA_HOME:"=%
|
||||||
|
set JAVA_EXE=%JAVA_HOME%/bin/java.exe
|
||||||
|
|
||||||
|
if exist "%JAVA_EXE%" goto execute
|
||||||
|
|
||||||
|
echo.
|
||||||
|
echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME%
|
||||||
|
echo.
|
||||||
|
echo Please set the JAVA_HOME variable in your environment to match the
|
||||||
|
echo location of your Java installation.
|
||||||
|
|
||||||
|
goto fail
|
||||||
|
|
||||||
|
:execute
|
||||||
|
@rem Setup the command line
|
||||||
|
|
||||||
|
set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
|
||||||
|
|
||||||
|
|
||||||
|
@rem Execute Gradle
|
||||||
|
"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
|
||||||
|
|
||||||
|
:end
|
||||||
|
@rem End local scope for the variables with windows NT shell
|
||||||
|
if "%ERRORLEVEL%"=="0" goto mainEnd
|
||||||
|
|
||||||
|
:fail
|
||||||
|
rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
|
||||||
|
rem the _cmd.exe /c_ return code!
|
||||||
|
if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
|
||||||
|
exit /b 1
|
||||||
|
|
||||||
|
:mainEnd
|
||||||
|
if "%OS%"=="Windows_NT" endlocal
|
||||||
|
|
||||||
|
:omega
|
@ -0,0 +1 @@
|
|||||||
|
|
@ -0,0 +1,181 @@
|
|||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example
|
||||||
|
|
||||||
|
import com.fasterxml.jackson.core.type.TypeReference
|
||||||
|
import com.fasterxml.jackson.databind.ObjectMapper
|
||||||
|
import org.junit.jupiter.api.Test
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired
|
||||||
|
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc
|
||||||
|
import org.springframework.boot.test.context.SpringBootTest
|
||||||
|
import org.springframework.http.HttpHeaders
|
||||||
|
import org.springframework.mock.web.MockHttpServletRequest
|
||||||
|
import org.springframework.test.context.ActiveProfiles
|
||||||
|
import org.springframework.test.web.servlet.MockMvc
|
||||||
|
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders
|
||||||
|
import org.springframework.test.web.servlet.request.RequestPostProcessor
|
||||||
|
import org.springframework.test.web.servlet.result.MockMvcResultMatchers
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Integration tests for [OAuth2AuthorizationServerApplication].
|
||||||
|
*
|
||||||
|
* @author Steve Riesenberg
|
||||||
|
*/
|
||||||
|
@SpringBootTest
|
||||||
|
@AutoConfigureMockMvc
|
||||||
|
@ActiveProfiles("test")
|
||||||
|
class OAuth2AuthorizationServerApplicationITests {
|
||||||
|
private val objectMapper = ObjectMapper()
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private val mockMvc: MockMvc? = null
|
||||||
|
|
||||||
|
@Test
|
||||||
|
fun performTokenRequestWhenValidClientCredentialsThenOk() {
|
||||||
|
// @formatter:off
|
||||||
|
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
|
||||||
|
.param("grant_type", "client_credentials")
|
||||||
|
.param("scope", "message:read")
|
||||||
|
.with(basicAuth(CLIENT_ID, CLIENT_SECRET)))
|
||||||
|
.andExpect(MockMvcResultMatchers.status().isOk)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.access_token").isString)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.expires_in").isNumber)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.scope").value("message:read"))
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.token_type").value("Bearer"))
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
fun performTokenRequestWhenMissingScopeThenOk() {
|
||||||
|
// @formatter:off
|
||||||
|
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
|
||||||
|
.param("grant_type", "client_credentials")
|
||||||
|
.with(basicAuth(CLIENT_ID, CLIENT_SECRET)))
|
||||||
|
.andExpect(MockMvcResultMatchers.status().isOk)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.access_token").isString)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.expires_in").isNumber)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.scope").value("message:read message:write"))
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.token_type").value("Bearer"))
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
fun performTokenRequestWhenInvalidClientCredentialsThenUnauthorized() {
|
||||||
|
// @formatter:off
|
||||||
|
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
|
||||||
|
.param("grant_type", "client_credentials")
|
||||||
|
.param("scope", "message:read")
|
||||||
|
.with(basicAuth("bad", "password")))
|
||||||
|
.andExpect(MockMvcResultMatchers.status().isUnauthorized)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.error").value("invalid_client"))
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
fun performTokenRequestWhenMissingGrantTypeThenUnauthorized() {
|
||||||
|
// @formatter:off
|
||||||
|
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
|
||||||
|
.with(basicAuth("bad", "password")))
|
||||||
|
.andExpect(MockMvcResultMatchers.status().isUnauthorized)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.error").value("invalid_client"))
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
fun performTokenRequestWhenGrantTypeNotRegisteredThenBadRequest() {
|
||||||
|
// @formatter:off
|
||||||
|
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
|
||||||
|
.param("grant_type", "client_credentials")
|
||||||
|
.with(basicAuth("login-client", "openid-connect")))
|
||||||
|
.andExpect(MockMvcResultMatchers.status().isBadRequest)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.error").value("unauthorized_client"))
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
fun performIntrospectionRequestWhenValidTokenThenOk() {
|
||||||
|
// @formatter:off
|
||||||
|
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/introspect")
|
||||||
|
.param("token", accessToken)
|
||||||
|
.with(basicAuth(CLIENT_ID, CLIENT_SECRET)))
|
||||||
|
.andExpect(MockMvcResultMatchers.status().isOk)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.active").value("true"))
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.aud[0]").value(CLIENT_ID))
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.client_id").value(CLIENT_ID))
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.exp").isNumber)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.iat").isNumber)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.iss").value("http://localhost:9000"))
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.nbf").isNumber)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.scope").value("message:read"))
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.sub").value(CLIENT_ID))
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.token_type").value("Bearer"))
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
fun performIntrospectionRequestWhenInvalidCredentialsThenUnauthorized() {
|
||||||
|
// @formatter:off
|
||||||
|
mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/introspect")
|
||||||
|
.param("token", accessToken)
|
||||||
|
.with(basicAuth("bad", "password")))
|
||||||
|
.andExpect(MockMvcResultMatchers.status().isUnauthorized)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.error").value("invalid_client"))
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
// @formatter:off
|
||||||
|
private val accessToken:
|
||||||
|
// @formatter:on
|
||||||
|
String
|
||||||
|
get() {
|
||||||
|
// @formatter:off
|
||||||
|
val mvcResult = mockMvc!!.perform(MockMvcRequestBuilders.post("/oauth2/token")
|
||||||
|
.param("grant_type", "client_credentials")
|
||||||
|
.param("scope", "message:read")
|
||||||
|
.with(basicAuth(CLIENT_ID, CLIENT_SECRET)))
|
||||||
|
.andExpect(MockMvcResultMatchers.status().isOk)
|
||||||
|
.andExpect(MockMvcResultMatchers.jsonPath("$.access_token").exists())
|
||||||
|
.andReturn()
|
||||||
|
// @formatter:on
|
||||||
|
val tokenResponseJson = mvcResult.response.contentAsString
|
||||||
|
val tokenResponse: Map<String, Any> =
|
||||||
|
objectMapper.readValue(tokenResponseJson, object : TypeReference<Map<String, Any>>() {})
|
||||||
|
return tokenResponse["access_token"].toString()
|
||||||
|
}
|
||||||
|
|
||||||
|
private class BasicAuthenticationRequestPostProcessor constructor(
|
||||||
|
private val username: String,
|
||||||
|
private val password: String,
|
||||||
|
) :
|
||||||
|
RequestPostProcessor {
|
||||||
|
override fun postProcessRequest(request: MockHttpServletRequest): MockHttpServletRequest {
|
||||||
|
val headers = HttpHeaders()
|
||||||
|
headers.setBasicAuth(username, password)
|
||||||
|
request.addHeader("Authorization", headers.getFirst("Authorization")!!)
|
||||||
|
return request
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
companion object {
|
||||||
|
private const val CLIENT_ID = "messaging-client"
|
||||||
|
private const val CLIENT_SECRET = "secret"
|
||||||
|
private fun basicAuth(username: String, password: String): BasicAuthenticationRequestPostProcessor {
|
||||||
|
return BasicAuthenticationRequestPostProcessor(username, password)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,27 @@
|
|||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example
|
||||||
|
|
||||||
|
import org.springframework.boot.autoconfigure.SpringBootApplication
|
||||||
|
import org.springframework.boot.runApplication
|
||||||
|
|
||||||
|
@SpringBootApplication
|
||||||
|
class OAuth2AuthorizationServerApplication
|
||||||
|
|
||||||
|
fun main(args: Array<String>) {
|
||||||
|
runApplication<OAuth2AuthorizationServerApplication>(*args)
|
||||||
|
}
|
@ -0,0 +1,154 @@
|
|||||||
|
/*
|
||||||
|
* Copyright 2021 the original author or authors.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package example
|
||||||
|
|
||||||
|
import com.nimbusds.jose.jwk.JWKSet
|
||||||
|
import com.nimbusds.jose.jwk.RSAKey
|
||||||
|
import com.nimbusds.jose.jwk.source.ImmutableJWKSet
|
||||||
|
import com.nimbusds.jose.jwk.source.JWKSource
|
||||||
|
import com.nimbusds.jose.proc.SecurityContext
|
||||||
|
import org.springframework.beans.factory.config.BeanDefinition
|
||||||
|
import org.springframework.context.annotation.Bean
|
||||||
|
import org.springframework.context.annotation.Configuration
|
||||||
|
import org.springframework.context.annotation.Role
|
||||||
|
import org.springframework.core.annotation.Order
|
||||||
|
import org.springframework.security.config.Customizer
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration
|
||||||
|
import org.springframework.security.core.userdetails.User
|
||||||
|
import org.springframework.security.core.userdetails.UserDetailsService
|
||||||
|
import org.springframework.security.oauth2.core.AuthorizationGrantType
|
||||||
|
import org.springframework.security.oauth2.core.ClientAuthenticationMethod
|
||||||
|
import org.springframework.security.oauth2.core.oidc.OidcScopes
|
||||||
|
import org.springframework.security.oauth2.jwt.JwtDecoder
|
||||||
|
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder
|
||||||
|
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository
|
||||||
|
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient
|
||||||
|
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository
|
||||||
|
import org.springframework.security.oauth2.server.authorization.config.ClientSettings
|
||||||
|
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings
|
||||||
|
import org.springframework.security.provisioning.InMemoryUserDetailsManager
|
||||||
|
import org.springframework.security.web.SecurityFilterChain
|
||||||
|
import java.security.KeyPair
|
||||||
|
import java.security.KeyPairGenerator
|
||||||
|
import java.security.interfaces.RSAPrivateKey
|
||||||
|
import java.security.interfaces.RSAPublicKey
|
||||||
|
import java.util.UUID
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* OAuth Authorization Server Configuration.
|
||||||
|
*
|
||||||
|
* @author Steve Riesenberg
|
||||||
|
*/
|
||||||
|
@Configuration
|
||||||
|
class OAuth2AuthorizationServerSecurityConfiguration {
|
||||||
|
@Bean
|
||||||
|
@Order(1)
|
||||||
|
fun authorizationServerSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
|
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http)
|
||||||
|
return http.formLogin(Customizer.withDefaults()).build()
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
@Order(2)
|
||||||
|
fun standardSecurityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
|
// @formatter:off
|
||||||
|
http
|
||||||
|
.authorizeHttpRequests { authorize ->
|
||||||
|
authorize.anyRequest().authenticated()
|
||||||
|
}
|
||||||
|
.formLogin(Customizer.withDefaults())
|
||||||
|
// @formatter:on
|
||||||
|
return http.build()
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
fun registeredClientRepository(): RegisteredClientRepository {
|
||||||
|
// @formatter:off
|
||||||
|
val loginClient = RegisteredClient.withId(UUID.randomUUID().toString())
|
||||||
|
.clientId("login-client")
|
||||||
|
.clientSecret("{noop}openid-connect")
|
||||||
|
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
|
||||||
|
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
|
||||||
|
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
|
||||||
|
.redirectUri("http://127.0.0.1:8080/login/oauth2/code/login-client")
|
||||||
|
.redirectUri("http://127.0.0.1:8080/authorized")
|
||||||
|
.scope(OidcScopes.OPENID)
|
||||||
|
.scope(OidcScopes.PROFILE)
|
||||||
|
.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
|
||||||
|
.build()
|
||||||
|
val registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
|
||||||
|
.clientId("messaging-client")
|
||||||
|
.clientSecret("{noop}secret")
|
||||||
|
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
|
||||||
|
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
|
||||||
|
.scope("message:read")
|
||||||
|
.scope("message:write")
|
||||||
|
.build()
|
||||||
|
// @formatter:on
|
||||||
|
return InMemoryRegisteredClientRepository(loginClient, registeredClient)
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
fun jwkSource(keyPair: KeyPair): JWKSource<SecurityContext> {
|
||||||
|
val publicKey = keyPair.public as RSAPublicKey
|
||||||
|
val privateKey = keyPair.private as RSAPrivateKey
|
||||||
|
// @formatter:off
|
||||||
|
val rsaKey = RSAKey.Builder(publicKey)
|
||||||
|
.privateKey(privateKey)
|
||||||
|
.keyID(UUID.randomUUID().toString())
|
||||||
|
.build()
|
||||||
|
// @formatter:on
|
||||||
|
val jwkSet = JWKSet(rsaKey)
|
||||||
|
return ImmutableJWKSet(jwkSet)
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
fun jwtDecoder(keyPair: KeyPair): JwtDecoder {
|
||||||
|
return NimbusJwtDecoder.withPublicKey(keyPair.public as RSAPublicKey).build()
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
fun providerSettings(): ProviderSettings {
|
||||||
|
return ProviderSettings.builder().issuer("http://localhost:9000").build()
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
fun userDetailsService(): UserDetailsService {
|
||||||
|
// @formatter:off
|
||||||
|
val userDetails = User.withDefaultPasswordEncoder()
|
||||||
|
.username("user")
|
||||||
|
.password("password")
|
||||||
|
.roles("USER")
|
||||||
|
.build()
|
||||||
|
// @formatter:on
|
||||||
|
return InMemoryUserDetailsManager(userDetails)
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
|
||||||
|
fun generateRsaKey(): KeyPair {
|
||||||
|
try {
|
||||||
|
val keyPairGenerator = KeyPairGenerator.getInstance("RSA")
|
||||||
|
keyPairGenerator.initialize(2048)
|
||||||
|
return keyPairGenerator.generateKeyPair()
|
||||||
|
} catch (ex: Exception) {
|
||||||
|
throw IllegalStateException(ex)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,2 @@
|
|||||||
|
server:
|
||||||
|
port: 9000
|
Loading…
x
Reference in New Issue
Block a user