OpenID Connect example

spring-openid/.classpath

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<classpath>
+	<classpathentry kind="src" output="target/classes" path="src/main/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry excluding="**" kind="src" output="target/classes" path="src/main/resources">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="src" output="target/test-classes" path="src/test/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.8">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+			<attribute name="org.eclipse.jst.component.dependency" value="/WEB-INF/lib"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="output" path="target/classes"/>
+</classpath>

spring-openid/.project

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>spring-openid</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.wst.jsdt.core.javascriptValidator</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.jdt.core.javabuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.wst.common.project.facet.core.builder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.springframework.ide.eclipse.core.springbuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.wst.validation.validationbuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.eclipse.m2e.core.maven2Builder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.eclipse.jem.workbench.JavaEMFNature</nature>
+		<nature>org.eclipse.wst.common.modulecore.ModuleCoreNature</nature>
+		<nature>org.springframework.ide.eclipse.core.springnature</nature>
+		<nature>org.eclipse.jdt.core.javanature</nature>
+		<nature>org.eclipse.m2e.core.maven2Nature</nature>
+		<nature>org.eclipse.wst.common.project.facet.core.nature</nature>
+		<nature>org.eclipse.wst.jsdt.core.jsNature</nature>
+	</natures>
+</projectDescription>

spring-openid/pom.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<groupId>org.baeldung</groupId>
+	<artifactId>spring-openid</artifactId>
+	<version>0.0.1-SNAPSHOT</version>
+	<packaging>war</packaging>
+
+	<name>spring-openid</name>
+	<description>Spring OpenID sample project</description>
+
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>1.3.2.RELEASE</version>
+	</parent>
+
+	
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-tomcat</artifactId>
+			<scope>provided</scope>
+		</dependency>
+		
+		 <dependency>
+            <groupId>org.springframework.security.oauth</groupId>
+            <artifactId>spring-security-oauth2</artifactId>
+        </dependency>
+
+		<dependency>
+		    <groupId>org.springframework.security</groupId>
+		    <artifactId>spring-security-jwt</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+	
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+	
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <java.version>1.8</java.version>
+    </properties>
+</project>

spring-openid/src/main/java/org/baeldung/config/GoogleOpenIdConnectConfig.java

@@ -0,0 +1,51 @@
+package org.baeldung.config;
+
+import java.util.Arrays;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.oauth2.client.OAuth2ClientContext;
+import org.springframework.security.oauth2.client.OAuth2RestTemplate;
+import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails;
+import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
+import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
+
+@Configuration
+@EnableOAuth2Client
+public class GoogleOpenIdConnectConfig {
+    @Value("${google.clientId}")
+    private String clientId;
+
+    @Value("${google.clientSecret}")
+    private String clientSecret;
+
+    @Value("${google.accessTokenUri}")
+    private String accessTokenUri;
+
+    @Value("${google.userAuthorizationUri}")
+    private String userAuthorizationUri;
+
+    @Value("${google.redirectUri}")
+    private String redirectUri;
+
+    @Bean
+    public OAuth2ProtectedResourceDetails googleOpenId() {
+        final AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
+        details.setClientId(clientId);
+        details.setClientSecret(clientSecret);
+        details.setAccessTokenUri(accessTokenUri);
+        details.setUserAuthorizationUri(userAuthorizationUri);
+        details.setScope(Arrays.asList("openid", "email"));
+        details.setPreEstablishedRedirectUri(redirectUri);
+        details.setUseCurrentUri(false);
+        return details;
+    }
+
+    @Bean
+    public OAuth2RestTemplate googleOpenIdTemplate(final OAuth2ClientContext clientContext) {
+        final OAuth2RestTemplate template = new OAuth2RestTemplate(googleOpenId(), clientContext);
+        return template;
+    }
+
+}

spring-openid/src/main/java/org/baeldung/config/HomeController.java

@@ -0,0 +1,22 @@
+package org.baeldung.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseBody;
+
+@Controller
+public class HomeController {
+    private final Logger logger = LoggerFactory.getLogger(getClass());
+
+    @RequestMapping("/")
+    @ResponseBody
+    public final String home() {
+        final String username = SecurityContextHolder.getContext().getAuthentication().getName();
+        logger.info(username);
+        return "Welcome, " + username;
+    }
+
+}

spring-openid/src/main/java/org/baeldung/config/SecurityConfig.java

@@ -0,0 +1,49 @@
+package org.baeldung.config;
+
+import org.baeldung.security.OpenIdConnectFilter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.oauth2.client.OAuth2RestTemplate;
+import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+    @Autowired
+    private OAuth2RestTemplate restTemplate;
+
+    @Override
+    public void configure(WebSecurity web) throws Exception {
+        web.ignoring().antMatchers("/resources/**");
+    }
+
+    @Bean
+    public OpenIdConnectFilter myFilter() {
+        final OpenIdConnectFilter filter = new OpenIdConnectFilter("/google-login");
+        filter.setRestTemplate(restTemplate);
+        return filter;
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        // @formatter:off
+        http
+        .addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
+        .addFilterAfter(myFilter(), OAuth2ClientContextFilter.class)
+        .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/google-login"))
+        .and()
+        .authorizeRequests()
+       // .antMatchers("/","/index*").permitAll()
+        .anyRequest().authenticated()
+        ;
+
+     // @formatter:on
+    }
+}

spring-openid/src/main/java/org/baeldung/config/SpringOpenidApplication.java

@@ -0,0 +1,13 @@
+package org.baeldung.config;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class SpringOpenidApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(SpringOpenidApplication.class, args);
+    }
+
+}

spring-openid/src/main/java/org/baeldung/security/OpenIdConnectFilter.java

@@ -0,0 +1,71 @@
+package org.baeldung.security;
+
+import java.io.IOException;
+import java.util.Map;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.jwt.Jwt;
+import org.springframework.security.jwt.JwtHelper;
+import org.springframework.security.oauth2.client.OAuth2RestOperations;
+import org.springframework.security.oauth2.client.OAuth2RestTemplate;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
+import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+public class OpenIdConnectFilter extends AbstractAuthenticationProcessingFilter {
+    public OAuth2RestOperations restTemplate;
+
+    public OpenIdConnectFilter(String defaultFilterProcessesUrl) {
+        super(defaultFilterProcessesUrl);
+        setAuthenticationManager(new NoopAuthenticationManager());
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
+
+        OAuth2AccessToken accessToken;
+        try {
+            accessToken = restTemplate.getAccessToken();
+        } catch (final OAuth2Exception e) {
+            throw new BadCredentialsException("Could not obtain access token", e);
+        }
+        try {
+            final String idToken = accessToken.getAdditionalInformation().get("id_token").toString();
+            final Jwt tokenDecoded = JwtHelper.decode(idToken);
+            System.out.println("===== : " + tokenDecoded.getClaims());
+
+            final Map<String, String> authInfo = new ObjectMapper().readValue(tokenDecoded.getClaims(), Map.class);
+
+            final OpenIdConnectUserDetails user = new OpenIdConnectUserDetails(authInfo, accessToken);
+            return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
+        } catch (final InvalidTokenException e) {
+            throw new BadCredentialsException("Could not obtain user details from token", e);
+        }
+
+    }
+
+    public void setRestTemplate(OAuth2RestTemplate restTemplate2) {
+        restTemplate = restTemplate2;
+
+    }
+
+    private static class NoopAuthenticationManager implements AuthenticationManager {
+
+        @Override
+        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+            throw new UnsupportedOperationException("No authentication should be done with this AuthenticationManager");
+        }
+
+    }
+}

spring-openid/src/main/java/org/baeldung/security/OpenIdConnectUserDetails.java

@@ -0,0 +1,81 @@
+package org.baeldung.security;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Map;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
+
+public class OpenIdConnectUserDetails implements UserDetails {
+
+    private static final long serialVersionUID = 1L;
+
+    private String userId;
+    private String username;
+    private OAuth2AccessToken token;
+
+    public OpenIdConnectUserDetails(Map<String, String> userInfo, OAuth2AccessToken token) {
+        this.userId = userInfo.get("sub");
+        this.username = userInfo.get("email");
+        this.token = token;
+    }
+
+    @Override
+    public String getUsername() {
+        return username;
+    }
+
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"));
+    }
+
+    public String getUserId() {
+        return userId;
+    }
+
+    public void setUserId(String userId) {
+        this.userId = userId;
+    }
+
+    public OAuth2AccessToken getToken() {
+        return token;
+    }
+
+    public void setToken(OAuth2AccessToken token) {
+        this.token = token;
+    }
+
+    public void setUsername(String username) {
+        this.username = username;
+    }
+
+    @Override
+    public String getPassword() {
+        return null;
+    }
+
+    @Override
+    public boolean isAccountNonExpired() {
+        return true;
+    }
+
+    @Override
+    public boolean isAccountNonLocked() {
+        return true;
+    }
+
+    @Override
+    public boolean isCredentialsNonExpired() {
+        return true;
+    }
+
+    @Override
+    public boolean isEnabled() {
+        return true;
+    }
+
+}

spring-openid/src/main/resources/application.properties

@@ -0,0 +1,6 @@
+server.port=8081
+google.clientId=497324626536-d6fphsh1qpl2o6j2j66nukajrfqc0rtq.apps.googleusercontent.com
+google.clientSecret=vtueZycMsrRjjCjnY6JzbEZT
+google.accessTokenUri=https://www.googleapis.com/oauth2/v3/token
+google.userAuthorizationUri=https://accounts.google.com/o/oauth2/auth
+google.redirectUri=http://localhost:8081/google-login