[BAEL-2765] PKCE Support for Secret Clients (#12605)

* [BAEL-4849] Article code

* [BAEL-4968] Article code

* [BAEL-4968] Article code

* [BAEL-4968] Article code

* [BAEL-4968] Remove extra comments

* [BAEL-5258] Article Code

* [BAEL-2765] PKCE Support for Secret Clients

spring-security-modules/spring-security-pkce/.gitignore

@@ -0,0 +1,33 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/

spring-security-modules/spring-security-pkce/client/pom.xml

@@ -0,0 +1,24 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>com.baeldung</groupId>
+    <artifactId>spring-security-pkce</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+  </parent>
+  <artifactId>pkce-client</artifactId>
+  
+  <dependencies>
+	<dependency>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-webflux</artifactId>
+	</dependency>
+  	<dependency>
+		<groupId>org.springframework.boot</groupId>
+	    <artifactId>spring-boot-starter-oauth2-client</artifactId>
+  	</dependency>
+  	<dependency>
+		<groupId>org.springframework.boot</groupId>
+	    <artifactId>spring-boot-starter-thymeleaf</artifactId>
+  	</dependency>
+  </dependencies>
+</project>

spring-security-modules/spring-security-pkce/client/src/main/java/com/baeldung/security/pkce/client/PkceClientApplication.java

@@ -0,0 +1,13 @@
+package com.baeldung.security.pkce.client;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class PkceClientApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(PkceClientApplication.class, args);
+	}
+
+}

spring-security-modules/spring-security-pkce/client/src/main/java/com/baeldung/security/pkce/client/config/OAuth2ClientConfiguration.java

@@ -0,0 +1,30 @@
+package com.baeldung.security.pkce.client.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
+import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
+import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+
+@Configuration
+public class OAuth2ClientConfiguration {
+
+    @Bean
+    public SecurityWebFilterChain  pkceFilterChain(ServerHttpSecurity http, ServerOAuth2AuthorizationRequestResolver resolver) {        
+        http.authorizeExchange(r -> r.anyExchange().authenticated());
+        http.oauth2Login(auth -> auth.authorizationRequestResolver(resolver));
+        return http.build();
+    }
+
+    @Bean
+    public ServerOAuth2AuthorizationRequestResolver pkceResolver(ReactiveClientRegistrationRepository repo) {
+        var resolver = new DefaultServerOAuth2AuthorizationRequestResolver(repo);
+        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
+        return resolver;
+    }
+    
+
+}

spring-security-modules/spring-security-pkce/client/src/main/resources/application.yaml

@@ -0,0 +1,13 @@
+spring:
+  security:
+    oauth2:
+      client:
+        provider:
+          baeldung:
+            issuer-uri: http://localhost:8085
+        registration: 
+          pkce: 
+            provider: baeldung
+            client-id: pkce-client
+            client-secret: obscura
+            scope: openid,email

spring-security-modules/spring-security-pkce/client/src/main/resources/static/index.html

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="ISO-8859-1">
+<title>Baeldung :: PKCE-Client</title>
+</head>
+<body>
+	<h1>Hello from PKCE-Client</h1>
+</body>
+</html>

spring-security-modules/spring-security-pkce/pom.xml

@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	
+    <parent>
+        <groupId>com.baeldung</groupId>
+        <artifactId>parent-boot-2</artifactId>
+        <version>0.0.1-SNAPSHOT</version>
+        <relativePath>../../parent-boot-2</relativePath>
+    </parent>
+	
+	<artifactId>spring-security-pkce</artifactId>
+	<packaging>pom</packaging>	
+	<name>spring-security-pkce</name>
+	<description>Demo project for Spring Boot</description>
+	<properties>
+		<!-- Need 2.7.x to bring spring-security 5.7.x-->
+		<spring-boot.version>2.7.2</spring-boot.version>
+		<java.version>11</java.version>
+	</properties>
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-configuration-processor</artifactId>
+			<optional>true</optional>
+		</dependency>
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<optional>true</optional>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>io.projectreactor</groupId>
+			<artifactId>reactor-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+				<configuration>
+					<excludes>
+						<exclude>
+							<groupId>org.projectlombok</groupId>
+							<artifactId>lombok</artifactId>
+						</exclude>
+					</excludes>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+
+	<modules>
+	    <module>server</module>
+	    <module>client</module>
+	</modules>
+</project>

spring-security-modules/spring-security-pkce/server/pom.xml

@@ -0,0 +1,25 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>com.baeldung</groupId>
+    <artifactId>spring-security-pkce</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+  </parent>
+  <artifactId>pkce-auth-server</artifactId>
+  
+  <properties>
+  	<spring-authorization-server.version>0.3.1</spring-authorization-server.version>
+  </properties>
+  
+  <dependencies>
+	<dependency>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-web</artifactId>
+	</dependency>
+  	<dependency>
+		<groupId>org.springframework.security</groupId>
+	    <artifactId>spring-security-oauth2-authorization-server</artifactId>
+    	<version>${spring-authorization-server.version}</version>  	
+  	</dependency>
+  </dependencies>
+</project>

spring-security-modules/spring-security-pkce/server/src/main/java/com/baeldung/security/pkce/authserver/PkceAuthServerApplication.java

@@ -0,0 +1,13 @@
+package com.baeldung.security.pkce.authserver;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class PkceAuthServerApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(PkceAuthServerApplication.class, args);
+	}
+
+}

spring-security-modules/spring-security-pkce/server/src/main/java/com/baeldung/security/pkce/authserver/conf/AuthServerConfiguration.java

@@ -0,0 +1,99 @@
+package com.baeldung.security.pkce.authserver.conf;
+
+import java.util.UUID;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
+import org.springframework.security.crypto.password.NoOpPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+@Configuration
+public class AuthServerConfiguration {
+    
+    @Bean
+    @Order(1)
+    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
+        
+        var authorizationServerConfigurer = new OAuth2AuthorizationServerConfigurer<HttpSecurity>();
+        var endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher();
+
+        // @formatter:off
+        http
+          .requestMatcher(endpointsMatcher)
+            .authorizeRequests(authorize ->
+                authorize              
+                  .anyRequest()
+                  .authenticated());
+        http
+          .exceptionHandling(exceptions -> 
+              exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")))
+          .csrf( csrf -> 
+              csrf
+                .ignoringRequestMatchers(endpointsMatcher))
+          .apply(authorizationServerConfigurer);
+         
+        // Required by /userinfo endpoint
+        http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+        return http.build();
+        // @formatter:on
+    }
+    
+    @Bean 
+    @Order(2)
+    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
+        // @formatter:off
+        return http
+          .formLogin(Customizer.withDefaults())
+          .build(); 
+        // @formatter:on
+    }
+        
+    @Bean 
+    public RegisteredClientRepository registeredClientRepository() {
+                
+        var pkceClient = RegisteredClient
+            .withId(UUID.randomUUID().toString())
+            .clientId("pkce-client")
+            .clientSecret("{noop}obscura")
+            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+            .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
+            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
+            .scope(OidcScopes.OPENID)          
+            .scope(OidcScopes.EMAIL)          
+            .scope(OidcScopes.PROFILE)
+            .clientSettings(ClientSettings.builder()
+              .requireAuthorizationConsent(false)
+              .requireProofKey(true)
+              .build())
+            .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce") // Localhost not allowed
+            .build();
+        
+        return new InMemoryRegisteredClientRepository(pkceClient);
+    }
+    
+    @Bean 
+    public ProviderSettings providerSettings() {
+        return ProviderSettings
+          .builder()
+          .build();
+    }
+
+}

spring-security-modules/spring-security-pkce/server/src/main/java/com/baeldung/security/pkce/authserver/conf/JwksConfiguration.java

@@ -0,0 +1,53 @@
+package com.baeldung.security.pkce.authserver.conf;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.UUID;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+
+import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.proc.SecurityContext;
+
+@Configuration
+public class JwksConfiguration {
+    
+    @Bean
+    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
+        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+    }
+    
+    @Bean 
+    public JWKSource<SecurityContext> jwkSource() {
+        KeyPair keyPair = generateRsaKey();
+        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
+        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
+        RSAKey rsaKey = new RSAKey.Builder(publicKey)
+          .privateKey(privateKey)
+          .keyID(UUID.randomUUID().toString())
+          .build();
+        JWKSet jwkSet = new JWKSet(rsaKey);
+        return new ImmutableJWKSet<>(jwkSet);
+    }
+
+    private static KeyPair generateRsaKey() { 
+        KeyPair keyPair;
+        try {
+            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+            keyPairGenerator.initialize(2048);
+            keyPair = keyPairGenerator.generateKeyPair();
+        }
+        catch (Exception ex) {
+            throw new IllegalStateException(ex);
+        }
+        return keyPair;
+    }
+}

spring-security-modules/spring-security-pkce/server/src/main/java/com/baeldung/security/pkce/authserver/conf/UserDetailsConfiguration.java

@@ -0,0 +1,26 @@
+package com.baeldung.security.pkce.authserver.conf;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+
+@Configuration
+public class UserDetailsConfiguration {
+    
+    @Bean 
+    public UserDetailsService userDetailsService() {
+        // @formatter:off
+        UserDetails userDetails = User.withDefaultPasswordEncoder()
+          .username("user")
+          .password("password")
+          .roles("USER")
+          .build();
+
+        return new InMemoryUserDetailsManager(userDetails);        
+        // @formatter:on
+    }
+
+}

spring-security-modules/spring-security-pkce/server/src/main/resources/application.properties

@@ -0,0 +1 @@
+server.port=8085

spring-security-modules/spring-security-pkce/server/src/test/java/com/baeldung/security/pkce/SpringSecurityPkceApplicationTests.java

@@ -0,0 +1,13 @@
+package com.baeldung.security.pkce;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class SpringSecurityPkceApplicationLiveTest {
+
+    @Test
+    void whenContextLoads_thenSuccess() {
+    }
+
+}