Add Sample

Issue: gh-5605

samples/boot/oauth2resourceserver-webflux/README.adoc

@@ -0,0 +1,169 @@
+= OAuth 2.0 Resource Server Sample
+
+This sample demonstrates integrations with a handful of different authorization servers.
+
+With it, you can run the integration tests or run the application as a stand-alone service to explore how you can
+secure your own service with OAuth 2.0 Bearer Tokens using Spring Security.
+
+== 1. Running the tests
+
+To run the tests, do:
+
+```bash
+../../../gradlew integrationTest
+```
+
+Or import the project into your IDE and run `OAuth2ResourceServerApplicationTests` from there.
+
+=== What is it doing?
+
+By default, the tests are pointing at a demonstration Okta instance. The test that performs a valid round trip does so
+by querying the Okta Authorization Server using the client_credentials grant type to get a valid JWT token. Then, the test
+makes a query to the Resource Server with that token. The Resource Server subsquently verifies with Okta and
+authorizes the request, returning the phrase
+
+```bash
+Hello, {subject}!
+```
+
+where subject is the value of the `sub` field in the JWT returned by the Authorization Server.
+
+== 2. Running the app
+
+To run as a stand-alone application, do:
+
+```bash
+../../../gradlew bootRun
+```
+
+Or import the project into your IDE and run `OAuth2ResourceServerApplication` from there.
+
+Once it is up, you can retreive a valid JWT token from the authorization server, and then hit the endpoint:
+
+```bash
+curl -H "Authorization: Bearer {token}" localhost:8081
+```
+
+Which will respond with the phrase:
+
+```bash
+Hello, {subject}!
+```
+
+where `subject` is the value of the `sub` field in the JWT returned by the Authorization Server.
+
+=== How do I obtain a valid JWT token?
+
+Getting a valid JWT token from an Authorization Server will vary, depending on your setup. However, it will typically
+look something like this:
+
+```bash
+curl --user {client id}:{client password} -d "grant_type=client_credentials" {auth server endpoint}/token
+```
+
+which will respond with a JSON payload containing the `access_token` among other things:
+
+```bash
+{ "access_token" : "{the access token}", "token_type" : "Bearer", "expires_in" : "{an expiry}", "scope" : "{a list of scopes}" }
+```
+
+For example, the following can be used to hit the sample Okta endpoint for a valid JWT token:
+
+```bash
+curl --user 0oaf5u5g4m6CW4x6z0h7:HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv -d "grant_type=client_credentials" https://dev-805262.oktapreview.com/oauth2/default/v1/token
+```
+
+Which will give a response similar to this (formatting mine):
+
+```json
+{
+  "access_token": "eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ",
+  "token_type": "Bearer",
+  "expires_in": 3600,
+  "scope": "ok"
+}
+```
+
+Then, using that access token:
+
+```bash
+curl -H  "Authorization: Bearer eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ" \
+  localhost:8081
+```
+
+I get:
+
+```bash
+Hello, 0oaf5u5g4m6CW4x6z0h7!
+```
+
+== 3. Testing against other Authorization Servers
+
+The sample is already prepared to demonstrate integrations with a handful of other Authorization Servers. Do exercise
+one, simply uncomment two commented out sections, both in the application.yml file:
+
+```yaml
+spring:
+  security:
+    oauth2:
+      resourceserver:
+        issuer:
+```
+
+First, find the above section in the application.yml. Beneath it, you will see sections for each Authorization Server
+already prepared with the one for Okta commented out:
+
+```yaml
+#          master: #keycloak
+#            issuer: http://localhost:8080/auth/realms/master
+#            jwk-set-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/certs
+          okta:
+            issuer: https://dev-805262.oktapreview.com/oauth2/default
+            jwk-set-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/keys
+```
+
+Comment out the `okta` section and uncomment the desired section.
+
+Second, find the following section, which the sample needs in order to retreive a valid token from the Authorization
+Server:
+
+```yaml
+#  ### keycloak
+#  token-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/token
+#  token-body:
+#    grant_type: client_credentials
+#  client-id: service
+#  client-password: 9114712b-be55-4dab-b270-04734abda1c4
+#  container:
+#    config-file-name: keycloak.config
+#    docker-file-name: keycloak.docker
+  ### okta
+  token-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/token
+  token-body:
+    grant_type: client_credentials
+  client-id: 0oaf5u5g4m6CW4x6z0h7
+  client-password: HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv
+```
+
+Comment out the `okta` section and uncomment the desired section.
+
+=== How can I test with my own Authorization Server instance?
+
+To test with your own Okta or other Authorization Server instance, simply provide the following information:
+
+```yaml
+spring.security.oauth2.resourceserver.issuer.name.uri: the issuer uri
+spring.security.oauth2.resourceserver.issuer.name.jwk-set-uri: the jwk key uri
+```
+
+And indicate, using the sample.provider properties, how the sample should generate a valid JWT token:
+
+```yaml
+sample.provider.token-uri: the token endpoint
+sample.provider.token-body.grant_type: the grant to use
+sample.provider.token-body.another_property: another_value
+sample.provider.client-id: the client id
+sample.provider.client-password: the client password, only required for confidential clients
+```
+
+You can provide values for any OAuth 2.0-compliant Authorization Server.

samples/boot/oauth2resourceserver-webflux/spring-security-samples-boot-oauth2resourceserver-webflux.gradle

@@ -0,0 +1,15 @@
+apply plugin: 'io.spring.convention.spring-sample-boot'
+
+dependencies {
+	compile project(':spring-security-config')
+	compile project(':spring-security-oauth2-jose')
+	compile project(':spring-security-oauth2-client')
+	compile project(':spring-security-oauth2-resource-server')
+
+	compile 'org.springframework.boot:spring-boot-starter-webflux'
+
+	testCompile project(':spring-security-test')
+	testCompile 'org.springframework.boot:spring-boot-starter-test'
+
+	testCompile 'com.squareup.okhttp3:mockwebserver'
+}

samples/boot/oauth2resourceserver-webflux/src/main/java/sample/OAuth2ResourceServerController.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author Josh Cummings
+ */
+@RestController
+public class OAuth2ResourceServerController {
+
+	@GetMapping("/")
+	public String index(@AuthenticationPrincipal Jwt jwt) {
+		return String.format("Hello, %s!", jwt.getSubject());
+	}
+}

samples/boot/oauth2resourceserver-webflux/src/main/java/sample/SecurityConfig.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.RSAPublicKeySpec;
+
+/**
+ * @author Rob Winch
+ * @since 5.1
+ */
+@EnableWebFluxSecurity
+public class SecurityConfig {
+	private static final String JWK_SET_URI_PROP = "sample.jwk-set-uri";
+
+	@Bean
+	@ConditionalOnProperty(SecurityConfig.JWK_SET_URI_PROP)
+	SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, @Value("${sample.jwk-set-uri}") String jwkSetUri) throws Exception {
+		http
+			.authorizeExchange()
+				.anyExchange().authenticated()
+				.and()
+			.oauth2()
+				.resourceServer()
+					.jwt()
+						.jwkSetUri(jwkSetUri);
+		return http.build();
+	}
+
+	@Bean
+	@ConditionalOnProperty(matchIfMissing = true, name = SecurityConfig.JWK_SET_URI_PROP)
+	SecurityWebFilterChain springSecurityFilterChainWithJwkSetUri(ServerHttpSecurity http) throws Exception {
+		http
+			.authorizeExchange()
+				.anyExchange().authenticated()
+				.and()
+			.oauth2()
+				.resourceServer()
+					.jwt()
+						.publicKey(publicKey());
+		return http.build();
+	}
+
+	private RSAPublicKey publicKey()
+			throws NoSuchAlgorithmException, InvalidKeySpecException {
+		String modulus = "21301844740604653578042500449274548398885553541276518010855123403873267398204269788903348794459771698460057967144865511347818036788093430902099139850950702438493841101242291810362822203615900335437741117578551216365305797763072813300890517195382010982402736091906390325356368590938709762826676219814134995844721978269999358693499223506089799649124650473473086179730568497569430199548044603025675755473148289824338392487941265829853008714754732175256733090080910187256164496297277607612684421019218165083081805792835073696987599616469568512360535527950859101589894643349122454163864596223876828010734083744763850611111";
+		String exponent = "65537";
+
+		RSAPublicKeySpec spec = new RSAPublicKeySpec(new BigInteger(modulus), new BigInteger(exponent));
+		KeyFactory factory = KeyFactory.getInstance("RSA");
+		return (RSAPublicKey) factory.generatePublic(spec);
+	}
+}

samples/boot/oauth2resourceserver-webflux/src/main/java/sample/ServerOAuth2ResourceServerApplication.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author Rob Winch
+ */
+@SpringBootApplication
+public class ServerOAuth2ResourceServerApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(ServerOAuth2ResourceServerApplication.class, args);
+	}
+}

samples/boot/oauth2resourceserver-webflux/src/main/resources/application.yml

@@ -0,0 +1,11 @@
+logging:
+  level:
+    root: INFO
+    org.springframework.web: INFO
+    org.springframework.security: INFO
+#    org.springframework.boot.autoconfigure: DEBUG
+
+sample:
+# By default this sample uses a hard coded public key in SecurityConfig
+# To use a JWK Set URI, uncomment and change the value below
+#  jwk-set-uri: https://example.com/oauth2/default/v1/keys

samples/boot/oauth2resourceserver-webflux/src/test/java/sample/ServerOauth2ResourceApplicationTests.java

@@ -0,0 +1,78 @@
+/*
+ * Copyright 2002-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.HttpHeaders;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.test.web.reactive.server.WebTestClient;
+
+import static org.springframework.security.web.http.SecurityHeaders.bearerToken;
+
+/**
+ * @author Rob Winch
+ * @since 5.1
+ */
+@SpringBootTest
+@AutoConfigureWebTestClient
+@RunWith(SpringJUnit4ClassRunner.class)
+public class ServerOauth2ResourceApplicationTests {
+	@Autowired
+	private WebTestClient rest;
+
+	@Test
+	public void getWhenValidTokenThenIsOk() {
+		String token = "eyJhbGciOiJSUzI1NiJ9.eyJzY29wZSI6Im1lc3NhZ2U6cmVhZCIsImV4cCI6MzEwNjMyODEzMSwianRpIjoiOGY5ZjFiYzItOWVlMi00NTJkLThhMGEtODg3YmE4YmViYjYzIn0.CM_KulSsIrNXW1x6NFeN5VwKQiIW-LIAScJzakRFDox8Ql7o4WOb0ubY3CjWYnglwqYzBvH9McCFqVrUtzdfODY5tyEEJSxWndIGExOi2osrwRPsY3AGzNa23GMfC9I03BFP1IFCq4ZfL-L6yVcIjLke-rA40UG-r-oA7r-N_zsLc5poO7Azf29IQgQF0GSRp4AKQprYHF5Q-Nz9XkILMDz9CwPQ9cbdLCC9smvaGmEAjMUr-C1QgM-_ulb42gWtRDLorW_eArg8g-fmIP0_w82eNWCBjLTy-WaDMACnDVrrUVsUMCqx6jS6h8_uejKly2NFuhyueIHZTTySqCZoTA";
+		this.rest.get().uri("/")
+				.headers(bearerToken(token))
+				.exchange()
+				.expectStatus().isOk()
+				.expectBody(String.class).isEqualTo("Hello, null!");
+	}
+
+	@Test
+	public void getWhenNoTokenThenIsUnauthorized() {
+		this.rest.get().uri("/")
+				.exchange()
+				.expectStatus().isUnauthorized()
+				.expectHeader().valueEquals(HttpHeaders.WWW_AUTHENTICATE, "Bearer");
+	}
+
+	@Test
+	public void getWhenNone() {
+		String token = "ew0KICAiYWxnIjogIm5vbmUiLA0KICAidHlwIjogIkpXVCINCn0.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA0KICAibmFtZSI6ICJKb2huIERvZSIsDQogICJpYXQiOiAxNTE2MjM5MDIyDQp9.";
+		this.rest.get().uri("/")
+				.headers(bearerToken(token))
+				.exchange()
+				.expectStatus().isUnauthorized()
+				.expectHeader().valueEquals(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"invalid_token\", error_description=\"Unsupported algorithm of none\", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"");
+	}
+
+	@Test
+	public void getWhenInvalidToken() {
+		String token = "a";
+		this.rest.get().uri("/")
+				.headers(bearerToken(token))
+				.exchange()
+				.expectStatus().isUnauthorized()
+				.expectHeader().valueEquals(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"invalid_token\", error_description=\"An error occurred while attempting to decode the Jwt: Invalid JWT serialization: Missing dot delimiter(s)\", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\"");
+	}
+}