Add servlet OAuth2 login Kotlin samples

Issue gh-8172
2020-08-28 17:48:13 +02:00 · 2020-08-28 17:48:13 +02:00 · a9fe2cb377
parent 44399a5256
commit a9fe2cb377
1 changed files with 152 additions and 6 deletions
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc
@ -250,7 +250,9 @@ If you need to override the auto-configuration based on your specific requiremen

 The following example shows how to register a `ClientRegistrationRepository` `@Bean`:

-[source,java,attrs="-attributes"]
+====
+.Java
+[source,java,role="primary",attrs="-attributes"]
 ----
@Configuration
 public class OAuth2LoginConfig {
@ -279,6 +281,36 @@ public class OAuth2LoginConfig {
 }
 ----

+.Kotlin
+[source,kotlin,role="secondary",attrs="-attributes"]
+----
+@Configuration
+class OAuth2LoginConfig {
+    @Bean
+    fun clientRegistrationRepository(): ClientRegistrationRepository {
+        return InMemoryClientRegistrationRepository(googleClientRegistration())
+    }
+
+    private fun googleClientRegistration(): ClientRegistration {
+        return ClientRegistration.withRegistrationId("google")
+                .clientId("google-client-id")
+                .clientSecret("google-client-secret")
+                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
+                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
+                .scope("openid", "profile", "email", "address", "phone")
+                .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
+                .tokenUri("https://www.googleapis.com/oauth2/v4/token")
+                .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
+                .userNameAttributeName(IdTokenClaimNames.SUB)
+                .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
+                .clientName("Google")
+                .build()
+    }
+}
+----
+====
+

 [[oauth2login-provide-websecurityconfigureradapter]]
 ==== Provide a WebSecurityConfigurerAdapter
@ -856,7 +888,8 @@ You also need to ensure the `ClientRegistration.redirectUri` matches the custom

 The following listing shows an example:

-[source,java,attrs="-attributes"]
+.Java
+[source,java,role="primary",attrs="-attributes"]
 ----
 return CommonOAuth2Provider.GOOGLE.getBuilder("google")
 	.clientId("google-client-id")
@ -864,6 +897,16 @@ return CommonOAuth2Provider.GOOGLE.getBuilder("google")
 	.redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}")
 	.build();
 ----
+
+.Kotlin
+[source,kotlin,role="secondary",attrs="-attributes"]
+----
+return CommonOAuth2Provider.GOOGLE.getBuilder("google")
+    .clientId("google-client-id")
+    .clientSecret("google-client-secret")
+    .redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}")
+    .build()
+----
 ====


@ -1166,7 +1209,9 @@ It uses an `OAuth2ErrorHttpMessageConverter` for converting the OAuth 2.0 Error

 Whether you customize `DefaultOAuth2UserService` or provide your own implementation of `OAuth2UserService`, you'll need to configure it as shown in the following example:

-[source,java]
+====
+.Java
+[source,java,role="primary"]
 ----
@EnableWebSecurity
 public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@ -1188,6 +1233,30 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 }
 ----

+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@EnableWebSecurity
+class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
+
+    override fun configure(http: HttpSecurity) {
+        http {
+            oauth2Login {
+                userInfoEndpoint {
+                    userService = oauth2UserService()
+                    // ...
+                }
+            }
+        }
+    }
+
+    private fun oauth2UserService(): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
+        // ...
+    }
+}
+----
+====
+

 [[oauth2login-advanced-oidc-user-service]]
 ===== OpenID Connect 1.0 UserService
@ -1200,7 +1269,9 @@ If you need to customize the pre-processing of the UserInfo Request and/or the p

 Whether you customize `OidcUserService` or provide your own implementation of `OAuth2UserService` for OpenID Connect 1.0 Provider's, you'll need to configure it as shown in the following example:

-[source,java]
+====
+.Java
+[source,java,role="primary"]
 ----
@EnableWebSecurity
 public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@ -1222,6 +1293,30 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 }
 ----

+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@EnableWebSecurity
+class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
+
+    override fun configure(http: HttpSecurity) {
+        http {
+            oauth2Login {
+                userInfoEndpoint {
+                    oidcUserService = oidcUserService()
+                    // ...
+                }
+            }
+        }
+    }
+
+    private fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
+        // ...
+    }
+}
+----
+====
+

 [[oauth2login-advanced-idtoken-verify]]
 ==== ID Token Signature Verification
@ -1237,7 +1332,9 @@ The JWS algorithm resolver is a `Function` that accepts a `ClientRegistration` a

 The following code shows how to configure the `OidcIdTokenDecoderFactory` `@Bean` to default to `MacAlgorithm.HS256` for all `ClientRegistration`:

-[source,java]
+====
+.Java
+[source,java,role="primary"]
 ----
@Bean
 public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
@ -1247,6 +1344,18 @@ public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
 }
 ----

+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun idTokenDecoderFactory(): JwtDecoderFactory<ClientRegistration?> {
+    val idTokenDecoderFactory = OidcIdTokenDecoderFactory()
+    idTokenDecoderFactory.setJwsAlgorithmResolver { MacAlgorithm.HS256 }
+    return idTokenDecoderFactory
+}
+----
+====
+
 [NOTE]
 For MAC based algorithms such as `HS256`, `HS384` or `HS512`, the `client-secret` corresponding to the `client-id` is used as the symmetric key for signature verification.

@ -1281,7 +1390,9 @@ spring:

 ...and the `OidcClientInitiatedLogoutSuccessHandler`, which implements RP-Initiated Logout, may be configured as follows:

-[source,java]
+====
+.Java
+[source,java,role="primary"]
 ----
@EnableWebSecurity
 public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@ -1316,3 +1427,38 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 NOTE: `OidcClientInitiatedLogoutSuccessHandler` supports the `{baseUrl}` placeholder.
 If used, the application's base URL, like `https://app.example.org`, will replace it at request time.
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@EnableWebSecurity
+class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
+    @Autowired
+    private lateinit var clientRegistrationRepository: ClientRegistrationRepository
+
+    override fun configure(http: HttpSecurity) {
+        http {
+            authorizeRequests {
+                authorize(anyRequest, authenticated)
+            }
+            oauth2Login { }
+            logout {
+                logoutSuccessHandler = oidcLogoutSuccessHandler()
+            }
+        }
+    }
+
+    private fun oidcLogoutSuccessHandler(): LogoutSuccessHandler {
+        val oidcLogoutSuccessHandler = OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository)
+
+        // Sets the location that the End-User's User Agent will be redirected to
+        // after the logout has been performed at the Provider
+        oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}")
+        return oidcLogoutSuccessHandler
+    }
+}
+
+NOTE: `OidcClientInitiatedLogoutSuccessHandler` supports the `{baseUrl}` placeholder.
+If used, the application's base URL, like `https://app.example.org`, will replace it at request time.
+----
+====