feature : new Oauth2 supporting module (authorization code) development started

patternhelloworld · patternhelloworld · commit 976200edf52a · 2024-09-19T02:41:03.000+09:00
diff --git a/README.md b/README.md
@@ -1,6 +1,11 @@
-# Spring Security Oauth2 Password JPA Implementation
-
-> App-Token based OAuth2 ROPC POC built to grow with Spring Boot and ORM
+# Spring Security Oauth2 JPA Implementation
+
+> App-Token based OAuth2 POC built to grow with Spring Boot and ORM
+> 
+## Supporting Oauth2 Type
+| ROPC      | Authorization Code |
+|-----------|-------------------|
+| available | in development    |
 
 ## Quick Start
 ```xml
diff --git a/client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/securityimpl/web/WebMvcConfig.java b/client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/securityimpl/web/WebMvcConfig.java
@@ -14,7 +14,7 @@ public class WebMvcConfig implements WebMvcConfigurer {
 
     @Override
     public void addResourceHandlers(ResourceHandlerRegistry registry) {
-        registry.addResourceHandler("/docs/**").addResourceLocations("classpath:/static/docs/");
+        registry.addResourceHandler("/docs/**", "/favicon.ico").addResourceLocations("classpath:/static/docs/");
     }
 
 }
diff --git a/client/src/main/resources/application.properties b/client/src/main/resources/application.properties
@@ -68,3 +68,6 @@ spring.servlet.multipart.maxRequestSize=10MB
 management.endpoints.web.exposure.include=*
 app.timezone=Asia/Seoul
 
+logginglevel.org.springframework.security=trace
+
+io.github.patternknife.securityhelper.oauth2.no-app-token-same-access-token=true
diff --git a/client/src/test/java/com/patternknife/securityhelper/oauth2/client/integration/auth/CustomerIntegrationTest.java b/client/src/test/java/com/patternknife/securityhelper/oauth2/client/integration/auth/CustomerIntegrationTest.java
@@ -97,6 +97,7 @@ public void setUp(RestDocumentationContextProvider restDocumentationContextProvi
 
     }
 
+
     @Test
     public void test_SameAppTokensUseSameAccessToken_EXPOSED() throws Exception {
 
diff --git a/mysql/schema.sql b/mysql/schema.sql
diff --git a/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/AuthorizationCodeAuthenticationConverter.java b/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/AuthorizationCodeAuthenticationConverter.java
@@ -0,0 +1,99 @@
+package io.github.patternknife.securityhelper.oauth2.api.config.security.converter.auth.endpoint;
+
+
+import io.github.patternknife.securityhelper.oauth2.api.config.security.util.RequestOAuth2Distiller;
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
+import org.springframework.lang.Nullable;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
+
+
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+
+import java.util.*;
+
+@RequiredArgsConstructor
+public final class AuthorizationCodeAuthenticationConverter implements AuthenticationConverter {
+
+    /*
+    *   `
+    *      CustomGrantAuthenticationToken <- OAuth2ClientAuthenticationToken
+    *       /oauth2/authorize?response_type=code&client_id=client_customer&redirect_uri=http://localhost:8370/callback1&scope=read%20write&state=random-state&prompt=consent&access_type=offline
+     * */
+    private final RegisteredClientRepository registeredClientRepository;
+
+    public void setClientAuthentication(String clientId) {
+
+        RegisteredClient registeredClient = registeredClientRepository.findByClientId(clientId);
+
+        if (registeredClient == null) {
+            throw new IllegalArgumentException("Invalid client ID");
+        }
+
+        OAuth2ClientAuthenticationToken clientAuthenticationToken = new OAuth2ClientAuthenticationToken(registeredClient , ClientAuthenticationMethod.CLIENT_SECRET_BASIC, null);
+
+        SecurityContextHolder.getContext().setAuthentication(clientAuthenticationToken);
+    }
+
+    @Nullable
+    @Override
+    public Authentication convert(HttpServletRequest request) {
+        MultiValueMap<String, String> parameters = RequestOAuth2Distiller.getAuthorizationCodeSecurityAdditionalParameters(request);
+
+        // grant_type (REQUIRED)
+        String grantType = parameters.getFirst(OAuth2ParameterNames.GRANT_TYPE);
+        if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(grantType)) {
+            return null;
+        }
+
+        // 클라이언트 인증 설정
+        setClientAuthentication(parameters.getFirst(OAuth2ParameterNames.CLIENT_ID));
+        Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
+
+        // code (REQUIRED) - Authorization Code 요청 시에는 아직 발급되지 않음
+        String code = parameters.getFirst(OAuth2ParameterNames.CODE);
+        if (!StringUtils.hasText(code) || parameters.get(OAuth2ParameterNames.CODE).size() != 1) {
+            // 예외 처리 필요 시 여기에 추가
+        }
+
+        // redirect_uri (REQUIRED)
+        String redirectUri = parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
+        if (StringUtils.hasText(redirectUri) && parameters.get(OAuth2ParameterNames.REDIRECT_URI).size() != 1) {
+            // 예외 처리 필요 시 여기에 추가
+        }
+
+        // scopes
+        Set<String> scopes = new HashSet<>(parameters.getOrDefault(OAuth2ParameterNames.SCOPE, Collections.emptyList()));
+
+        // 추가적인 파라미터 처리
+        Map<String, Object> additionalParameters = new HashMap<>();
+        parameters.forEach((key, value) -> {
+            additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0]));
+        });
+
+        // OAuth2AuthorizationCodeRequestAuthenticationToken 생성
+        return new OAuth2AuthorizationCodeRequestAuthenticationToken(
+                request.getRequestURI(), // authorizationUri
+                parameters.getFirst(OAuth2ParameterNames.CLIENT_ID), // clientId
+                clientPrincipal, // principal (사용자 인증 객체)
+                redirectUri, // redirectUri
+                parameters.getFirst(OAuth2ParameterNames.STATE), // state
+                scopes, // 요청한 스코프
+                additionalParameters // 추가 파라미터
+        );
+    }
+
+
+}
diff --git a/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/PasswordAuthenticationConverter.java b/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/PasswordAuthenticationConverter.java
@@ -7,13 +7,15 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 
 import java.util.Map;
 
 @RequiredArgsConstructor
-public final class KnifeGrantAuthenticationConverter implements AuthenticationConverter {
+public final class PasswordAuthenticationConverter implements AuthenticationConverter {
     /*
     *   `
     *      CustomGrantAuthenticationToken <- OAuth2ClientAuthenticationToken
diff --git a/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/dao/KnifeAuthorizationConsentRepository.java b/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/dao/KnifeAuthorizationConsentRepository.java
@@ -0,0 +1,13 @@
+package io.github.patternknife.securityhelper.oauth2.api.config.security.dao;
+
+import io.github.patternknife.securityhelper.oauth2.api.config.security.entity.KnifeAuthorizationConsent;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import java.util.Optional;
+
+@Repository
+public interface KnifeAuthorizationConsentRepository extends JpaRepository<KnifeAuthorizationConsent, KnifeAuthorizationConsent.AuthorizationConsentId> {
+    Optional<KnifeAuthorizationConsent> findByRegisteredClientIdAndPrincipalName(String registeredClientId, String principalName);
+    void deleteByRegisteredClientIdAndPrincipalName(String registeredClientId, String principalName);
+}
diff --git a/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/entity/KnifeAuthorizationConsent.java b/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/entity/KnifeAuthorizationConsent.java
@@ -0,0 +1,78 @@
+package io.github.patternknife.securityhelper.oauth2.api.config.security.entity;
+
+import jakarta.persistence.*;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+@Entity
+@Table(name = "`authorization_consent`")
+@IdClass(KnifeAuthorizationConsent.AuthorizationConsentId.class)
+public class KnifeAuthorizationConsent {
+    @Id
+    @Column(name = "registered_client_id")
+    private String registeredClientId;
+    @Id
+    @Column(name = "principal_name")
+    private String principalName;
+    @Column(name = "authorities", length = 1000)
+    private String authorities;
+
+    public String getRegisteredClientId() {
+        return registeredClientId;
+    }
+
+    public void setRegisteredClientId(String registeredClientId) {
+        this.registeredClientId = registeredClientId;
+    }
+
+    public String getPrincipalName() {
+        return principalName;
+    }
+
+    public void setPrincipalName(String principalName) {
+        this.principalName = principalName;
+    }
+
+    public String getAuthorities() {
+        return authorities;
+    }
+
+    public void setAuthorities(String authorities) {
+        this.authorities = authorities;
+    }
+
+    public static class AuthorizationConsentId implements Serializable {
+        private String registeredClientId;
+        private String principalName;
+
+        public String getRegisteredClientId() {
+            return registeredClientId;
+        }
+
+        public void setRegisteredClientId(String registeredClientId) {
+            this.registeredClientId = registeredClientId;
+        }
+
+        public String getPrincipalName() {
+            return principalName;
+        }
+
+        public void setPrincipalName(String principalName) {
+            this.principalName = principalName;
+        }
+
+        @Override
+        public boolean equals(Object o) {
+            if (this == o) return true;
+            if (o == null || getClass() != o.getClass()) return false;
+            AuthorizationConsentId that = (AuthorizationConsentId) o;
+            return registeredClientId.equals(that.registeredClientId) && principalName.equals(that.principalName);
+        }
+
+        @Override
+        public int hashCode() {
+            return Objects.hash(registeredClientId, principalName);
+        }
+    }
+}
diff --git a/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/provider/auth/endpoint/KnifeOauth2AuthenticationProvider.java b/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/provider/auth/endpoint/KnifeOauth2AuthenticationProvider.java
@@ -31,7 +31,7 @@
 @AllArgsConstructor
 public final class KnifeOauth2AuthenticationProvider implements AuthenticationProvider {
 
-    private final CommonOAuth2AuthorizationSaver commonOAuth2AuthorizationCycle;
+    private final CommonOAuth2AuthorizationSaver commonOAuth2AuthorizationSaver;
     private final ConditionalDetailsService conditionalDetailsService;
     private final DefaultOauth2AuthenticationHashCheckService oauth2AuthenticationHashCheckService;
     private final OAuth2AuthorizationServiceImpl oAuth2AuthorizationService;
@@ -67,7 +67,7 @@ public Authentication authenticate(Authentication authentication)
                 }
 
 
-                OAuth2Authorization oAuth2Authorization = commonOAuth2AuthorizationCycle.save(userDetails, ((CustomGrantAuthenticationToken) authentication).getGrantType(), clientId, ((CustomGrantAuthenticationToken) authentication).getAdditionalParameters(), null);
+                OAuth2Authorization oAuth2Authorization = commonOAuth2AuthorizationSaver.save(userDetails, ((CustomGrantAuthenticationToken) authentication).getGrantType(), clientId, ((CustomGrantAuthenticationToken) authentication).getAdditionalParameters(), null);
 
                 RegisteredClient registeredClient = oAuth2ClientAuthenticationToken.getRegisteredClient();
 
diff --git a/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/serivce/persistence/authorization/OAuth2AuthorizationConsentServiceImpl.java b/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/serivce/persistence/authorization/OAuth2AuthorizationConsentServiceImpl.java
@@ -0,0 +1,82 @@
+package io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.persistence.authorization;
+
+import io.github.patternknife.securityhelper.oauth2.api.config.security.dao.KnifeAuthorizationConsentRepository;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.entity.KnifeAuthorizationConsent;
+import org.springframework.dao.DataRetrievalFailureException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+import java.util.HashSet;
+import java.util.Set;
+
+public class OAuth2AuthorizationConsentServiceImpl implements OAuth2AuthorizationConsentService {
+    private final KnifeAuthorizationConsentRepository authorizationConsentRepository;
+    private final RegisteredClientRepository registeredClientRepository;
+
+    public OAuth2AuthorizationConsentServiceImpl(KnifeAuthorizationConsentRepository authorizationConsentRepository, RegisteredClientRepository registeredClientRepository) {
+        Assert.notNull(authorizationConsentRepository, "authorizationConsentRepository cannot be null");
+        Assert.notNull(registeredClientRepository, "registeredClientRepository cannot be null");
+        this.authorizationConsentRepository = authorizationConsentRepository;
+        this.registeredClientRepository = registeredClientRepository;
+    }
+
+    @Override
+    public void save(OAuth2AuthorizationConsent authorizationConsent) {
+        Assert.notNull(authorizationConsent, "authorizationConsent cannot be null");
+        this.authorizationConsentRepository.save(toEntity(authorizationConsent));
+    }
+
+    @Override
+    public void remove(OAuth2AuthorizationConsent authorizationConsent) {
+        Assert.notNull(authorizationConsent, "authorizationConsent cannot be null");
+        this.authorizationConsentRepository.deleteByRegisteredClientIdAndPrincipalName(
+                authorizationConsent.getRegisteredClientId(), authorizationConsent.getPrincipalName());
+    }
+
+    @Override
+    public OAuth2AuthorizationConsent findById(String registeredClientId, String principalName) {
+        Assert.hasText(registeredClientId, "registeredClientId cannot be empty");
+        Assert.hasText(principalName, "principalName cannot be empty");
+        return this.authorizationConsentRepository.findByRegisteredClientIdAndPrincipalName(
+                registeredClientId, principalName).map(this::toObject).orElse(null);
+    }
+
+    private OAuth2AuthorizationConsent toObject(KnifeAuthorizationConsent authorizationConsent) {
+        String registeredClientId = authorizationConsent.getRegisteredClientId();
+        RegisteredClient registeredClient = this.registeredClientRepository.findById(registeredClientId);
+        if (registeredClient == null) {
+            throw new DataRetrievalFailureException(
+                    "The RegisteredClient with id '" + registeredClientId + "' was not found in the RegisteredClientRepository.");
+        }
+
+        OAuth2AuthorizationConsent.Builder builder = OAuth2AuthorizationConsent.withId(
+                registeredClientId, authorizationConsent.getPrincipalName());
+        if (authorizationConsent.getAuthorities() != null) {
+            for (String authority : StringUtils.commaDelimitedListToSet(authorizationConsent.getAuthorities())) {
+                builder.authority(new SimpleGrantedAuthority(authority));
+            }
+        }
+
+        return builder.build();
+    }
+
+    private KnifeAuthorizationConsent toEntity(OAuth2AuthorizationConsent authorizationConsent) {
+        KnifeAuthorizationConsent entity = new KnifeAuthorizationConsent();
+        entity.setRegisteredClientId(authorizationConsent.getRegisteredClientId());
+        entity.setPrincipalName(authorizationConsent.getPrincipalName());
+
+        Set<String> authorities = new HashSet<>();
+        for (GrantedAuthority authority : authorizationConsent.getAuthorities()) {
+            authorities.add(authority.getAuthority());
+        }
+        entity.setAuthorities(StringUtils.collectionToCommaDelimitedString(authorities));
+
+        return entity;
+    }
+}
diff --git a/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/serivce/persistence/authorization/OAuth2AuthorizationServiceImpl.java b/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/serivce/persistence/authorization/OAuth2AuthorizationServiceImpl.java
diff --git a/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/server/ServerConfig.java b/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/server/ServerConfig.java
diff --git a/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/util/RequestOAuth2Distiller.java b/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/util/RequestOAuth2Distiller.java

Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ public class WebMvcConfig implements WebMvcConfigurer {`
`14`	`14`
`15`	`15`	`@Override`
`16`	`16`	`public void addResourceHandlers(ResourceHandlerRegistry registry) {`
`17`		`- registry.addResourceHandler("/docs/**").addResourceLocations("classpath:/static/docs/");`
	`17`	`+ registry.addResourceHandler("/docs/**", "/favicon.ico").addResourceLocations("classpath:/static/docs/");`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,7 @@ public void setUp(RestDocumentationContextProvider restDocumentationContextProvi`
`97`	`97`
`98`	`98`	`}`
`99`	`99`
	`100`	`+`
`100`	`101`	`@Test`
`101`	`102`	`public void test_SameAppTokensUseSameAccessToken_EXPOSED() throws Exception {`
`102`	`103`