[BAEL-8063] Dynamic Client Registration in Spring Authorization Server (#17286)

* [BAEL-7978] WIP: Sanity check

* [BAEL-7978] Article code

* [BAEL-8063] WIP

* [BAEL-8063] Article code

* [BAEL-8063] Article code

* [BAEL-8063] Article code

* [BAEL-8063] Code cleanup

* [BAEL-8063] UnitTests

---------

Co-authored-by: Philippe Sevestre <[email protected]>

Author: psevestre

spring-security-modules/pom.xml

@@ -59,6 +59,7 @@
         <module>spring-security-pkce-spa</module>
         <module>spring-security-compromised-password</module>
         <module>spring-security-authorization</module>
+        <module>spring-security-dynamic-registration</module>
     </modules>
 
 </project>

spring-security-modules/spring-security-dynamic-registration/client/pom.xml

@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+	
+
+    <parent>
+        <groupId>com.baeldung</groupId>
+		<artifactId>spring-security-dynamic-registration</artifactId>
+        <version>0.0.1-SNAPSHOT</version>
+    </parent>
+	
+    <artifactId>spring-security-dynamic-registration-client</artifactId>
+    <packaging>jar</packaging>
+    <name>${project.artifactId}</name>
+    <description>Demo project for Dynamic Client: Client module</description>
+	
+    <dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+        </dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-client</artifactId>
+		</dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-configuration-processor</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.projectlombok</groupId>
+            <artifactId>lombok</artifactId>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.projectreactor</groupId>
+            <artifactId>reactor-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-devtools</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+                <configuration>
+                    <excludes>
+                        <exclude>
+                            <groupId>org.projectlombok</groupId>
+                            <artifactId>lombok</artifactId>
+                        </exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <configuration>
+                    <source>16</source>
+                    <target>16</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

spring-security-modules/spring-security-dynamic-registration/client/src/main/java/com/baeldung/spring/security/dynreg/client/DynamicRegistrationClientApplication.java

@@ -0,0 +1,12 @@
+package com.baeldung.spring.security.dynreg.client;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class DynamicRegistrationClientApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(DynamicRegistrationClientApplication.class,args);
+    }
+}

spring-security-modules/spring-security-dynamic-registration/client/src/main/java/com/baeldung/spring/security/dynreg/client/config/OAuth2DynamicClientConfiguration.java

@@ -0,0 +1,98 @@
+package com.baeldung.spring.security.dynreg.client.config;
+
+import com.baeldung.spring.security.dynreg.client.service.DynamicClientRegistrationRepository;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+import lombok.Setter;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.web.client.RestTemplateBuilder;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AuthorizeHttpRequestsConfigurer;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
+import org.springframework.security.web.SecurityFilterChain;
+
+import java.net.URI;
+import java.util.List;
+import java.util.Map;
+
+@Configuration
+@EnableConfigurationProperties({ OAuth2DynamicClientConfiguration.RegistrationProperties.class, OAuth2ClientProperties.class })
+@Slf4j
+@RequiredArgsConstructor
+public class OAuth2DynamicClientConfiguration {
+
+    private final OAuth2ClientProperties clientProperties;
+    private final RegistrationProperties registrationProperties;
+
+    @Bean
+    ClientRegistrationRepository dynamicClientRegistrationRepository( DynamicClientRegistrationRepository.RegistrationRestTemplate restTemplate) {
+
+        log.info("Creating a dynamic client registration repository");
+
+        var registrationDetails = new DynamicClientRegistrationRepository.RegistrationDetails(
+          registrationProperties.getRegistrationEndpoint(),
+          registrationProperties.getRegistrationUsername(),
+          registrationProperties.getRegistrationPassword(),
+          registrationProperties.getRegistrationScopes(),
+          registrationProperties.getGrantTypes(),
+          registrationProperties.getRedirectUris(),
+          registrationProperties.getTokenEndpoint());
+
+        // Use standard client registrations as
+        Map<String,ClientRegistration> staticClients = (new OAuth2ClientPropertiesMapper(clientProperties)).asClientRegistrations();
+        var repo =  new DynamicClientRegistrationRepository(registrationDetails, staticClients, restTemplate);
+        repo.doRegistrations();
+        return repo;
+    }
+
+
+    @Bean
+    DynamicClientRegistrationRepository.RegistrationRestTemplate registrationRestTemplate(RestTemplateBuilder restTemplateBuilder) {
+        return restTemplateBuilder.build(DynamicClientRegistrationRepository.RegistrationRestTemplate.class);
+    }
+
+
+    // As of Spring Boot 3.2, we could use a record instead of a class.
+    @ConfigurationProperties(prefix = "baeldung.security.client.registration")
+    @Getter
+    @Setter
+    public static final class RegistrationProperties {
+        URI registrationEndpoint;
+        String registrationUsername;
+        String registrationPassword;
+        List<String> registrationScopes;
+        List<String> grantTypes;
+        List<String> redirectUris;
+        URI tokenEndpoint;
+    }
+
+    @Bean
+    public OAuth2AuthorizationRequestResolver pkceResolver(ClientRegistrationRepository repo) {
+        var resolver = new DefaultOAuth2AuthorizationRequestResolver(repo, "/oauth2/authorization");
+        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
+        return resolver;
+    }
+
+    @Bean
+    SecurityFilterChain oauth2SecurityFilterChain(HttpSecurity http, OAuth2AuthorizationRequestResolver resolver) throws Exception {
+        http.authorizeHttpRequests((requests) -> {
+            requests.anyRequest().authenticated();
+        });
+        http.oauth2Login(a -> a.authorizationEndpoint(c -> c.authorizationRequestResolver(resolver))) ;
+        http.oauth2Client(Customizer.withDefaults());
+        return http.build();
+    }
+
+
+}

spring-security-modules/spring-security-dynamic-registration/client/src/main/java/com/baeldung/spring/security/dynreg/client/controller/HomeController.java

@@ -0,0 +1,20 @@
+package com.baeldung.spring.security.dynreg.client.controller;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+
+import java.security.Principal;
+
+@Controller
+public class HomeController {
+
+    @GetMapping(path = {"/", "/index"} )
+    String index( Authentication user, Model model) {
+        model.addAttribute("user", user);
+        return "index";
+    }
+}

spring-security-modules/spring-security-dynamic-registration/client/src/main/java/com/baeldung/spring/security/dynreg/client/service/DynamicClientRegistrationRepository.java

@@ -0,0 +1,152 @@
+package com.baeldung.spring.security.dynreg.client.service;
+
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
+import org.springframework.http.RequestEntity;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.util.Assert;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.web.client.RestTemplate;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import java.net.URI;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+@RequiredArgsConstructor
+@Slf4j
+public class DynamicClientRegistrationRepository implements ClientRegistrationRepository, Iterable<ClientRegistration> {
+
+    private final RegistrationDetails registrationDetails;
+    private final Map<String, ClientRegistration> staticClients;
+    private final RegistrationRestTemplate registrationClient;
+    private final Map<String, ClientRegistration> registrations = new HashMap<>();
+
+    @Override
+    public ClientRegistration findByRegistrationId(String registrationId) {
+        log.info("findByRegistrationId: {}", registrationId);
+        return registrations.computeIfAbsent(registrationId, this::doRegistration);
+    }
+
+    private ClientRegistration doRegistration(String registrationId) {
+
+        log.info("doRegistration: registrationId={}", registrationId);
+        String token = createRegistrationToken();
+
+        var staticRegistration = staticClients.get(registrationId);
+        Assert.notNull(staticRegistration,"Invalid registrationId: " + registrationId);
+
+        var body = Map.of(
+          "client_name", staticRegistration.getClientName(),
+          "grant_types", List.of(staticRegistration.getAuthorizationGrantType()),
+          "scope", String.join(" ", staticRegistration.getScopes()),
+          "redirect_uris", List.of(resolveCallbackUri(staticRegistration)));
+
+        var headers = new HttpHeaders();
+        headers.setBearerAuth(token);
+        headers.setContentType(MediaType.APPLICATION_JSON);
+
+        var request = new RequestEntity<>(
+          body,
+          headers,
+          HttpMethod.POST,
+          registrationDetails.registrationEndpoint());
+
+        var response = registrationClient.exchange(request, ObjectNode.class);
+
+        if ( response.getBody() == null ) {
+            throw new RuntimeException("Invalid registration response");
+        }
+
+        return createClientRegistration(staticRegistration, response.getBody());
+
+    }
+
+    private String resolveCallbackUri(ClientRegistration registration) {
+
+        var path = UriComponentsBuilder.fromUriString(registration.getRedirectUri())
+          .build(Map.of(
+            "baseUrl", "",
+            "action", "login",
+            "registrationId", registration.getRegistrationId()))
+          .toString();
+
+        return "http://localhost:8090" + path;
+    }
+
+    private ClientRegistration createClientRegistration(ClientRegistration staticRegistration, ObjectNode body) {
+
+        var clientId = body.get("client_id").asText();
+        var clientSecret = body.get("client_secret").asText();
+
+        log.info("creating ClientRegistration: registrationId={}, client_id={}", staticRegistration.getRegistrationId(),clientId);
+
+        return ClientRegistration.withClientRegistration(staticRegistration)
+          .clientId(body.get("client_id").asText())
+          .clientSecret(body.get("client_secret").asText())
+          .build();
+
+    }
+
+    private String createRegistrationToken() {
+
+        var body = new LinkedMultiValueMap<String,String>();
+        body.put( "grant_type", List.of("client_credentials"));
+        body.put(  "scope", registrationDetails.registrationScopes());
+
+        var headers = new HttpHeaders();
+        headers.setBasicAuth(registrationDetails.registrationUsername(), registrationDetails.registrationPassword());
+        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
+
+        var request = new RequestEntity<>(
+          body,
+          headers,
+          HttpMethod.POST,
+          registrationDetails.tokenEndpoint());
+
+        var result = registrationClient.exchange(request, ObjectNode.class);
+        if ( !result.getStatusCode().is2xxSuccessful()) {
+            throw new RuntimeException("Failed to create registration token: code=" + result.getStatusCode());
+        }
+
+        return result.getBody().get("access_token").asText();
+    }
+
+    /**
+     * Returns an iterator over elements of type {@code T}.
+     *
+     * @return an Iterator.
+     */
+    @Override
+    public Iterator<ClientRegistration> iterator() {
+        return registrations
+          .values()
+          .iterator();
+    }
+
+    public void doRegistrations() {
+        staticClients.forEach((key, value) -> findByRegistrationId(key));
+    }
+
+    public record RegistrationDetails(
+      URI registrationEndpoint,
+      String registrationUsername,
+      String registrationPassword,
+      List<String> registrationScopes,
+      List<String> grantTypes,
+      List<String> redirectUris,
+      URI tokenEndpoint
+      ) {
+    }
+
+    // Type-safe RestTemplate
+    public static class RegistrationRestTemplate extends RestTemplate {
+    }
+}