Merge pull request #10182 from eugenp/issue-8208
add the oidc legacy code back
This commit is contained in:
commit
02640da539
|
@ -28,6 +28,7 @@
|
||||||
<module>spring-security-web-login</module>
|
<module>spring-security-web-login</module>
|
||||||
<module>spring-security-web-persisted-remember-me</module>
|
<module>spring-security-web-persisted-remember-me</module>
|
||||||
<module>spring-security-web-sockets</module>
|
<module>spring-security-web-sockets</module>
|
||||||
|
<module>spring-security-legacy-oidc</module>
|
||||||
<module>spring-security-oidc</module>
|
<module>spring-security-oidc</module>
|
||||||
<module>spring-security-okta</module>
|
<module>spring-security-okta</module>
|
||||||
<module>spring-security-web-react</module>
|
<module>spring-security-web-react</module>
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
## Spring Security OpenID
|
||||||
|
|
||||||
|
This module contains articles about OpenID with Spring Security
|
||||||
|
|
||||||
|
### Relevant articles
|
||||||
|
|
||||||
|
- [Spring Security and OpenID Connect (Legacy)](https://www.baeldung.com/spring-security-openid-connect-legacy)
|
||||||
|
|
||||||
|
### OpenID Connect with Spring Security
|
||||||
|
|
||||||
|
### Run the Project
|
||||||
|
|
||||||
|
```
|
||||||
|
mvn spring-boot:run
|
||||||
|
```
|
||||||
|
|
||||||
|
### Obtain Google App - Client ID, Secret
|
||||||
|
|
||||||
|
- We need to get client id and client secret by creating a new project at [Google Developer Console](https://console.developers.google.com/project/_/apiui/credential?pli=1)
|
||||||
|
- We can follow these instructions to register our client application on their platform
|
||||||
|
|
||||||
|
- Once we have the client id and secret, we have to make sure we add them to the YAML files of the project
|
||||||
|
|
|
@ -0,0 +1,58 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<project xmlns="http://maven.apache.org/POM/4.0.0"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
|
||||||
|
<modelVersion>4.0.0</modelVersion>
|
||||||
|
<artifactId>spring-security-legacy-oidc</artifactId>
|
||||||
|
<name>spring-security-legacy-oidc</name>
|
||||||
|
<packaging>war</packaging>
|
||||||
|
<description>Spring OpenID Connect sample project</description>
|
||||||
|
|
||||||
|
<parent>
|
||||||
|
<groupId>com.baeldung</groupId>
|
||||||
|
<artifactId>parent-boot-2</artifactId>
|
||||||
|
<version>0.0.1-SNAPSHOT</version>
|
||||||
|
<relativePath>../../parent-boot-2</relativePath>
|
||||||
|
</parent>
|
||||||
|
|
||||||
|
<dependencies>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework.boot</groupId>
|
||||||
|
<artifactId>spring-boot-starter-security</artifactId>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework.boot</groupId>
|
||||||
|
<artifactId>spring-boot-starter-web</artifactId>
|
||||||
|
</dependency>
|
||||||
|
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework.boot</groupId>
|
||||||
|
<artifactId>spring-boot-starter-tomcat</artifactId>
|
||||||
|
</dependency>
|
||||||
|
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework.security.oauth</groupId>
|
||||||
|
<artifactId>spring-security-oauth2</artifactId>
|
||||||
|
<version>${spring-security-oauth2.version}</version>
|
||||||
|
</dependency>
|
||||||
|
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.springframework.security</groupId>
|
||||||
|
<artifactId>spring-security-jwt</artifactId>
|
||||||
|
<version>${spring-security-jwt.version}</version>
|
||||||
|
</dependency>
|
||||||
|
|
||||||
|
<dependency>
|
||||||
|
<groupId>com.auth0</groupId>
|
||||||
|
<artifactId>jwks-rsa</artifactId>
|
||||||
|
<version>${jwks-rsa.version}</version>
|
||||||
|
</dependency>
|
||||||
|
</dependencies>
|
||||||
|
|
||||||
|
<properties>
|
||||||
|
<spring-security-oauth2.version>2.2.1.RELEASE</spring-security-oauth2.version>
|
||||||
|
<spring-security-jwt.version>1.0.9.RELEASE</spring-security-jwt.version>
|
||||||
|
<jwks-rsa.version>0.3.0</jwks-rsa.version>
|
||||||
|
</properties>
|
||||||
|
|
||||||
|
</project>
|
|
@ -0,0 +1,51 @@
|
||||||
|
package com.baeldung.openid.oidc;
|
||||||
|
|
||||||
|
import java.util.Arrays;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Value;
|
||||||
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.security.oauth2.client.OAuth2ClientContext;
|
||||||
|
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
|
||||||
|
import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
|
||||||
|
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
|
||||||
|
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
@EnableOAuth2Client
|
||||||
|
public class GoogleOpenIdConnectConfig {
|
||||||
|
@Value("${google.clientId}")
|
||||||
|
private String clientId;
|
||||||
|
|
||||||
|
@Value("${google.clientSecret}")
|
||||||
|
private String clientSecret;
|
||||||
|
|
||||||
|
@Value("${google.accessTokenUri}")
|
||||||
|
private String accessTokenUri;
|
||||||
|
|
||||||
|
@Value("${google.userAuthorizationUri}")
|
||||||
|
private String userAuthorizationUri;
|
||||||
|
|
||||||
|
@Value("${google.redirectUri}")
|
||||||
|
private String redirectUri;
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
public OAuth2ProtectedResourceDetails googleOpenId() {
|
||||||
|
final AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
|
||||||
|
details.setClientId(clientId);
|
||||||
|
details.setClientSecret(clientSecret);
|
||||||
|
details.setAccessTokenUri(accessTokenUri);
|
||||||
|
details.setUserAuthorizationUri(userAuthorizationUri);
|
||||||
|
details.setScope(Arrays.asList("openid", "email"));
|
||||||
|
details.setPreEstablishedRedirectUri(redirectUri);
|
||||||
|
details.setUseCurrentUri(false);
|
||||||
|
return details;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
public OAuth2RestTemplate googleOpenIdTemplate(final OAuth2ClientContext clientContext) {
|
||||||
|
final OAuth2RestTemplate template = new OAuth2RestTemplate(googleOpenId(), clientContext);
|
||||||
|
return template;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,22 @@
|
||||||
|
package com.baeldung.openid.oidc;
|
||||||
|
|
||||||
|
import org.slf4j.Logger;
|
||||||
|
import org.slf4j.LoggerFactory;
|
||||||
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
|
import org.springframework.stereotype.Controller;
|
||||||
|
import org.springframework.web.bind.annotation.RequestMapping;
|
||||||
|
import org.springframework.web.bind.annotation.ResponseBody;
|
||||||
|
|
||||||
|
@Controller
|
||||||
|
public class HomeController {
|
||||||
|
private final Logger logger = LoggerFactory.getLogger(getClass());
|
||||||
|
|
||||||
|
@RequestMapping("/")
|
||||||
|
@ResponseBody
|
||||||
|
public final String home() {
|
||||||
|
final String username = SecurityContextHolder.getContext().getAuthentication().getName();
|
||||||
|
logger.info(username);
|
||||||
|
return "Welcome, " + username;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,103 @@
|
||||||
|
package com.baeldung.openid.oidc;
|
||||||
|
|
||||||
|
import java.io.IOException;
|
||||||
|
import java.net.URL;
|
||||||
|
import java.security.interfaces.RSAPublicKey;
|
||||||
|
import java.util.Date;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import javax.servlet.ServletException;
|
||||||
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpServletResponse;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Value;
|
||||||
|
import org.springframework.security.authentication.AuthenticationManager;
|
||||||
|
import org.springframework.security.authentication.BadCredentialsException;
|
||||||
|
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
|
||||||
|
import org.springframework.security.core.Authentication;
|
||||||
|
import org.springframework.security.core.AuthenticationException;
|
||||||
|
import org.springframework.security.jwt.Jwt;
|
||||||
|
import org.springframework.security.jwt.JwtHelper;
|
||||||
|
import org.springframework.security.jwt.crypto.sign.RsaVerifier;
|
||||||
|
import org.springframework.security.oauth2.client.OAuth2RestOperations;
|
||||||
|
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
|
||||||
|
import org.springframework.security.oauth2.common.OAuth2AccessToken;
|
||||||
|
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
|
||||||
|
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
|
||||||
|
|
||||||
|
import com.auth0.jwk.Jwk;
|
||||||
|
import com.auth0.jwk.JwkProvider;
|
||||||
|
import com.auth0.jwk.UrlJwkProvider;
|
||||||
|
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||||
|
|
||||||
|
public class OpenIdConnectFilter extends AbstractAuthenticationProcessingFilter {
|
||||||
|
@Value("${google.clientId}")
|
||||||
|
private String clientId;
|
||||||
|
|
||||||
|
@Value("${google.issuer}")
|
||||||
|
private String issuer;
|
||||||
|
|
||||||
|
@Value("${google.jwkUrl}")
|
||||||
|
private String jwkUrl;
|
||||||
|
|
||||||
|
public OAuth2RestOperations restTemplate;
|
||||||
|
|
||||||
|
public OpenIdConnectFilter(String defaultFilterProcessesUrl) {
|
||||||
|
super(defaultFilterProcessesUrl);
|
||||||
|
setAuthenticationManager(new NoopAuthenticationManager());
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
|
||||||
|
|
||||||
|
OAuth2AccessToken accessToken;
|
||||||
|
try {
|
||||||
|
accessToken = restTemplate.getAccessToken();
|
||||||
|
} catch (final OAuth2Exception e) {
|
||||||
|
throw new BadCredentialsException("Could not obtain access token", e);
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
final String idToken = accessToken.getAdditionalInformation().get("id_token").toString();
|
||||||
|
String kid = JwtHelper.headers(idToken)
|
||||||
|
.get("kid");
|
||||||
|
final Jwt tokenDecoded = JwtHelper.decodeAndVerify(idToken, verifier(kid));
|
||||||
|
final Map<String, String> authInfo = new ObjectMapper().readValue(tokenDecoded.getClaims(), Map.class);
|
||||||
|
verifyClaims(authInfo);
|
||||||
|
final OpenIdConnectUserDetails user = new OpenIdConnectUserDetails(authInfo, accessToken);
|
||||||
|
return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
|
||||||
|
} catch (final Exception e) {
|
||||||
|
throw new BadCredentialsException("Could not obtain user details from token", e);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
public void verifyClaims(Map claims) {
|
||||||
|
int exp = (int) claims.get("exp");
|
||||||
|
Date expireDate = new Date(exp * 1000L);
|
||||||
|
Date now = new Date();
|
||||||
|
if (expireDate.before(now) || !claims.get("iss").equals(issuer) || !claims.get("aud").equals(clientId)) {
|
||||||
|
throw new RuntimeException("Invalid claims");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
private RsaVerifier verifier(String kid) throws Exception {
|
||||||
|
JwkProvider provider = new UrlJwkProvider(new URL(jwkUrl));
|
||||||
|
Jwk jwk = provider.get(kid);
|
||||||
|
return new RsaVerifier((RSAPublicKey) jwk.getPublicKey());
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setRestTemplate(OAuth2RestTemplate restTemplate2) {
|
||||||
|
restTemplate = restTemplate2;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
private static class NoopAuthenticationManager implements AuthenticationManager {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
|
||||||
|
throw new UnsupportedOperationException("No authentication should be done with this AuthenticationManager");
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,81 @@
|
||||||
|
package com.baeldung.openid.oidc;
|
||||||
|
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.Collection;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||||
|
import org.springframework.security.core.userdetails.UserDetails;
|
||||||
|
import org.springframework.security.oauth2.common.OAuth2AccessToken;
|
||||||
|
|
||||||
|
public class OpenIdConnectUserDetails implements UserDetails {
|
||||||
|
|
||||||
|
private static final long serialVersionUID = 1L;
|
||||||
|
|
||||||
|
private String userId;
|
||||||
|
private String username;
|
||||||
|
private OAuth2AccessToken token;
|
||||||
|
|
||||||
|
public OpenIdConnectUserDetails(Map<String, String> userInfo, OAuth2AccessToken token) {
|
||||||
|
this.userId = userInfo.get("sub");
|
||||||
|
this.username = userInfo.get("email");
|
||||||
|
this.token = token;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getUsername() {
|
||||||
|
return username;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Collection<? extends GrantedAuthority> getAuthorities() {
|
||||||
|
return Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"));
|
||||||
|
}
|
||||||
|
|
||||||
|
public String getUserId() {
|
||||||
|
return userId;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUserId(String userId) {
|
||||||
|
this.userId = userId;
|
||||||
|
}
|
||||||
|
|
||||||
|
public OAuth2AccessToken getToken() {
|
||||||
|
return token;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setToken(OAuth2AccessToken token) {
|
||||||
|
this.token = token;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUsername(String username) {
|
||||||
|
this.username = username;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public String getPassword() {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isAccountNonExpired() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isAccountNonLocked() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isCredentialsNonExpired() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isEnabled() {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,48 @@
|
||||||
|
package com.baeldung.openid.oidc;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.WebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||||
|
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
|
||||||
|
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
|
||||||
|
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
|
||||||
|
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
@EnableWebSecurity
|
||||||
|
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
@Autowired
|
||||||
|
private OAuth2RestTemplate restTemplate;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public void configure(WebSecurity web) throws Exception {
|
||||||
|
web.ignoring().antMatchers("/resources/**");
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
public OpenIdConnectFilter myFilter() {
|
||||||
|
final OpenIdConnectFilter filter = new OpenIdConnectFilter("/google-login");
|
||||||
|
filter.setRestTemplate(restTemplate);
|
||||||
|
return filter;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
http
|
||||||
|
.addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
|
||||||
|
.addFilterAfter(myFilter(), OAuth2ClientContextFilter.class)
|
||||||
|
.httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/google-login"))
|
||||||
|
.and()
|
||||||
|
.authorizeRequests()
|
||||||
|
// .antMatchers("/","/index*").permitAll()
|
||||||
|
.anyRequest().authenticated()
|
||||||
|
;
|
||||||
|
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,14 @@
|
||||||
|
package com.baeldung.openid.oidc;
|
||||||
|
|
||||||
|
import org.springframework.boot.SpringApplication;
|
||||||
|
import org.springframework.boot.autoconfigure.SpringBootApplication;
|
||||||
|
import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;
|
||||||
|
|
||||||
|
@SpringBootApplication
|
||||||
|
public class SpringOpenidApplication extends SpringBootServletInitializer {
|
||||||
|
|
||||||
|
public static void main(String[] args) {
|
||||||
|
SpringApplication.run(SpringOpenidApplication.class, args);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,8 @@
|
||||||
|
server.port=8081
|
||||||
|
google.clientId=475873350264-g1opb20lf2fc60h0o84rrkn972krgkvo.apps.googleusercontent.com
|
||||||
|
google.clientSecret=GiA1Agf_aSt-bhTrnXjre-5Z
|
||||||
|
google.accessTokenUri=https://www.googleapis.com/oauth2/v3/token
|
||||||
|
google.userAuthorizationUri=https://accounts.google.com/o/oauth2/auth
|
||||||
|
google.redirectUri=http://localhost:8081/google-login
|
||||||
|
google.issuer=accounts.google.com
|
||||||
|
google.jwkUrl=https://www.googleapis.com/oauth2/v2/certs
|
|
@ -0,0 +1,13 @@
|
||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<configuration>
|
||||||
|
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
|
||||||
|
<encoder>
|
||||||
|
<pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n
|
||||||
|
</pattern>
|
||||||
|
</encoder>
|
||||||
|
</appender>
|
||||||
|
|
||||||
|
<root level="INFO">
|
||||||
|
<appender-ref ref="STDOUT" />
|
||||||
|
</root>
|
||||||
|
</configuration>
|
|
@ -0,0 +1,15 @@
|
||||||
|
package com.baeldung.openid.oidc;
|
||||||
|
|
||||||
|
import org.junit.Test;
|
||||||
|
import org.junit.runner.RunWith;
|
||||||
|
import org.springframework.boot.test.context.SpringBootTest;
|
||||||
|
import org.springframework.test.context.junit4.SpringRunner;
|
||||||
|
|
||||||
|
@RunWith(SpringRunner.class)
|
||||||
|
@SpringBootTest(classes = SpringOpenidApplication.class)
|
||||||
|
public class SpringContextTest {
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void whenSpringContextIsBootstrapped_thenNoExceptions() {
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue