Add servlet OAuth2 login Kotlin samples

Issue gh-8172
2020-08-28 17:48:13 +02:00 · 2020-08-28 17:48:13 +02:00 · a9fe2cb377
parent 44399a5256
commit a9fe2cb377
1 changed files with 152 additions and 6 deletions
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc
@ -250,7 +250,9 @@ If you need to override the auto-configuration based on your specific requiremen
 The following example shows how to register a `ClientRegistrationRepository` `@Bean`:
-[source,java,attrs="-attributes"]
+====
 .Java
 [source,java,role="primary",attrs="-attributes"]
 ----
@Configuration
 public class OAuth2LoginConfig {
@ -279,6 +281,36 @@ public class OAuth2LoginConfig {
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary",attrs="-attributes"]
 ----
@Configuration
 class OAuth2LoginConfig {
    @Bean
    fun clientRegistrationRepository(): ClientRegistrationRepository {
        return InMemoryClientRegistrationRepository(googleClientRegistration())
    }
    private fun googleClientRegistration(): ClientRegistration {
        return ClientRegistration.withRegistrationId("google")
                .clientId("google-client-id")
                .clientSecret("google-client-secret")
                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid", "profile", "email", "address", "phone")
                .authorizationUri("https://accounts.google.com/o/oauth2/v2/auth")
                .tokenUri("https://www.googleapis.com/oauth2/v4/token")
                .userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo")
                .userNameAttributeName(IdTokenClaimNames.SUB)
                .jwkSetUri("https://www.googleapis.com/oauth2/v3/certs")
                .clientName("Google")
                .build()
    }
 }
 ----
 ====
 [[oauth2login-provide-websecurityconfigureradapter]]
 ==== Provide a WebSecurityConfigurerAdapter
@ -856,7 +888,8 @@ You also need to ensure the `ClientRegistration.redirectUri` matches the custom
 The following listing shows an example:
-[source,java,attrs="-attributes"]
+.Java
 [source,java,role="primary",attrs="-attributes"]
 ----
 return CommonOAuth2Provider.GOOGLE.getBuilder("google")
 	.clientId("google-client-id")
@ -864,6 +897,16 @@ return CommonOAuth2Provider.GOOGLE.getBuilder("google")
 	.redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}")
 	.build();
 ----
 .Kotlin
 [source,kotlin,role="secondary",attrs="-attributes"]
 ----
 return CommonOAuth2Provider.GOOGLE.getBuilder("google")
    .clientId("google-client-id")
    .clientSecret("google-client-secret")
    .redirectUri("{baseUrl}/login/oauth2/callback/{registrationId}")
    .build()
 ----
 ====
@ -1166,7 +1209,9 @@ It uses an `OAuth2ErrorHttpMessageConverter` for converting the OAuth 2.0 Error
 Whether you customize `DefaultOAuth2UserService` or provide your own implementation of `OAuth2UserService`, you'll need to configure it as shown in the following example:
-[source,java]
+====
 .Java
 [source,java,role="primary"]
 ----
@EnableWebSecurity
 public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@ -1188,6 +1233,30 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@EnableWebSecurity
 class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        http {
            oauth2Login {
                userInfoEndpoint {
                    userService = oauth2UserService()
                    // ...
                }
            }
        }
    }
    private fun oauth2UserService(): OAuth2UserService<OAuth2UserRequest, OAuth2User> {
        // ...
    }
 }
 ----
 ====
 [[oauth2login-advanced-oidc-user-service]]
 ===== OpenID Connect 1.0 UserService
@ -1200,7 +1269,9 @@ If you need to customize the pre-processing of the UserInfo Request and/or the p
 Whether you customize `OidcUserService` or provide your own implementation of `OAuth2UserService` for OpenID Connect 1.0 Provider's, you'll need to configure it as shown in the following example:
-[source,java]
+====
 .Java
 [source,java,role="primary"]
 ----
@EnableWebSecurity
 public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@ -1222,6 +1293,30 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@EnableWebSecurity
 class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
    override fun configure(http: HttpSecurity) {
        http {
            oauth2Login {
                userInfoEndpoint {
                    oidcUserService = oidcUserService()
                    // ...
                }
            }
        }
    }
    private fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
        // ...
    }
 }
 ----
 ====
 [[oauth2login-advanced-idtoken-verify]]
 ==== ID Token Signature Verification
@ -1237,7 +1332,9 @@ The JWS algorithm resolver is a `Function` that accepts a `ClientRegistration` a
 The following code shows how to configure the `OidcIdTokenDecoderFactory` `@Bean` to default to `MacAlgorithm.HS256` for all `ClientRegistration`:
-[source,java]
+====
 .Java
 [source,java,role="primary"]
 ----
@Bean
 public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
@ -1247,6 +1344,18 @@ public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
 }
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@Bean
 fun idTokenDecoderFactory(): JwtDecoderFactory<ClientRegistration?> {
    val idTokenDecoderFactory = OidcIdTokenDecoderFactory()
    idTokenDecoderFactory.setJwsAlgorithmResolver { MacAlgorithm.HS256 }
    return idTokenDecoderFactory
 }
 ----
 ====
 [NOTE]
 For MAC based algorithms such as `HS256`, `HS384` or `HS512`, the `client-secret` corresponding to the `client-id` is used as the symmetric key for signature verification.
@ -1281,7 +1390,9 @@ spring:
 ...and the `OidcClientInitiatedLogoutSuccessHandler`, which implements RP-Initiated Logout, may be configured as follows:
-[source,java]
+====
 .Java
 [source,java,role="primary"]
 ----
@EnableWebSecurity
 public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
@ -1316,3 +1427,38 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
 NOTE: `OidcClientInitiatedLogoutSuccessHandler` supports the `{baseUrl}` placeholder.
 If used, the application's base URL, like `https://app.example.org`, will replace it at request time.
 ----
 .Kotlin
 [source,kotlin,role="secondary"]
 ----
@EnableWebSecurity
 class OAuth2LoginSecurityConfig : WebSecurityConfigurerAdapter() {
    @Autowired
    private lateinit var clientRegistrationRepository: ClientRegistrationRepository
    override fun configure(http: HttpSecurity) {
        http {
            authorizeRequests {
                authorize(anyRequest, authenticated)
            }
            oauth2Login { }
            logout {
                logoutSuccessHandler = oidcLogoutSuccessHandler()
            }
        }
    }
    private fun oidcLogoutSuccessHandler(): LogoutSuccessHandler {
        val oidcLogoutSuccessHandler = OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository)
        // Sets the location that the End-User's User Agent will be redirected to
        // after the logout has been performed at the Provider
        oidcLogoutSuccessHandler.setPostLogoutRedirectUri("{baseUrl}")
        return oidcLogoutSuccessHandler
    }
 }
 NOTE: `OidcClientInitiatedLogoutSuccessHandler` supports the `{baseUrl}` placeholder.
 If used, the application's base URL, like `https://app.example.org`, will replace it at request time.
 ----
 ====