Fixing bug in Authorization server

Author: Nasruddin

microservices/course-composite-service/src/main/java/io/javatab/microservices/composite/course/configuration/SecurityConfig.java

@@ -17,9 +17,9 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
                 .pathMatchers("/openapi/**").permitAll()
                 .pathMatchers("/webjars/**").permitAll()
                 .pathMatchers("/actuator/**").permitAll()
-                .pathMatchers(POST, "/course-composite/**").hasAuthority("SCOPE_product:write")
-                .pathMatchers(DELETE, "/course-composite/**").hasAuthority("SCOPE_product:write")
-                .pathMatchers(GET, "/course-composite/**").hasAuthority("SCOPE_product:read")
+                .pathMatchers(POST, "/course-composite/**").hasAuthority("SCOPE_course:write")
+                .pathMatchers(DELETE, "/course-composite/**").hasAuthority("SCOPE_course:write")
+                .pathMatchers(GET, "/course-composite/**").hasAuthority("SCOPE_course:read")
                 .anyExchange().authenticated()
                 .and()
                 .oauth2ResourceServer()

spring-cloud/authorization-server/src/main/java/io/javatab/springcloud/auth/configuration/AuthorizationServerConfig.java

@@ -1,94 +1,146 @@
+//CHECKSTYLE:OFF
+/*
+ * Copyright 2020-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.javatab.springcloud.auth.configuration;
 
+import java.time.Duration;
+import java.util.List;
+import java.util.UUID;
+import java.util.function.Consumer;
+
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
 import io.javatab.springcloud.auth.jose.Jwks;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.server.authorization.authentication.*;
+import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
-import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
-import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
-import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
-import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 
-import java.time.Duration;
-import java.util.UUID;
-
+/**
+ * @author Joe Grandja
+ * @since 0.0.1
+ */
 @Configuration(proxyBeanMethods = false)
 public class AuthorizationServerConfig {
 
     private static final Logger LOG = LoggerFactory.getLogger(AuthorizationServerConfig.class);
 
-
     @Bean
     @Order(Ordered.HIGHEST_PRECEDENCE)
     public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
-        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+
+        // Replaced this call with the implementation of applyDefaultSecurity() to be able to add a custom redirect_uri validator
+        // OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+
+        OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
+                new OAuth2AuthorizationServerConfigurer();
+
+        // Register a custom redirect_uri validator, that allows redirect uris based on https://localhost during development
+        authorizationServerConfigurer
+                .authorizationEndpoint(authorizationEndpoint ->
+                        authorizationEndpoint
+                                .authenticationProviders(configureAuthenticationValidator())
+                );
+
+        RequestMatcher endpointsMatcher = authorizationServerConfigurer
+                .getEndpointsMatcher();
+
+        http
+                .securityMatcher(endpointsMatcher)
+                .authorizeHttpRequests(authorize ->
+                        authorize.anyRequest().authenticated()
+                )
+                .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
+                .apply(authorizationServerConfigurer);
+
         http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
-                .oidc(Customizer.withDefaults());	// Enable OpenID Connect 1.0
+                .oidc(Customizer.withDefaults()); // Enable OpenID Connect 1.0
 
-        // @formatter:off
         http
                 .exceptionHandling(exceptions ->
                         exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
                 )
                 .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
-        // @formatter:on
+
         return http.build();
     }
 
-    // @formatter:off
     @Bean
     public RegisteredClientRepository registeredClientRepository() {
-
-        LOG.info("register OAUth client allowing all grant flows...");
         RegisteredClient writerClient = RegisteredClient.withId(UUID.randomUUID().toString())
                 .clientId("writer")
-                .clientSecret("secret")
+                .clientSecret("{noop}secret-writer")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                 .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                 .redirectUri("https://my.redirect.uri")
-                .redirectUri("https://localhost:8443/webjars/swagger-ui/oauth2-redirect.html")
+                .redirectUri("https://localhost:8443/openapi/webjars/swagger-ui/oauth2-redirect.html")
                 .scope(OidcScopes.OPENID)
-                .scope("product:read")
-                .scope("product:write")
+                .scope("course:read")
+                .scope("course:write")
                 .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                 .tokenSettings(TokenSettings.builder().accessTokenTimeToLive(Duration.ofHours(1)).build())
                 .build();
 
         RegisteredClient readerClient = RegisteredClient.withId(UUID.randomUUID().toString())
                 .clientId("reader")
-                .clientSecret("secret")
+                .clientSecret("{noop}secret-reader")
                 .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                 .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                 .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                 .redirectUri("https://my.redirect.uri")
-                .redirectUri("https://localhost:8443/webjars/swagger-ui/oauth2-redirect.html")
+                .redirectUri("https://localhost:8443/openapi/webjars/swagger-ui/oauth2-redirect.html")
                 .scope(OidcScopes.OPENID)
-                .scope("product:read")
+                .scope("course:read")
                 .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                 .tokenSettings(TokenSettings.builder().accessTokenTimeToLive(Duration.ofHours(1)).build())
                 .build();
+
         return new InMemoryRegisteredClientRepository(writerClient, readerClient);
+
     }
 
     @Bean
@@ -98,8 +150,51 @@ public JWKSource<SecurityContext> jwkSource() {
         return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
     }
 
-   /* @Bean
-    public ProviderSettings providerSettings() {
-        return new ProviderSettings().issuer("http://auth-server:9999");
-    }*/
-}
+    @Bean
+    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
+        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+    }
+
+    @Bean
+    public AuthorizationServerSettings authorizationServerSettings() {
+        return AuthorizationServerSettings.builder().issuer("http://auth-server").build();
+    }
+
+    private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
+        return (authenticationProviders) ->
+                authenticationProviders.forEach((authenticationProvider) -> {
+                    if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
+                        Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
+                                // Override default redirect_uri validator
+                                new CustomRedirectUriValidator()
+                                        // Reuse default scope validator
+                                        .andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);
+
+                        ((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
+                                .setAuthenticationValidator(authenticationValidator);
+                    }
+                });
+    }
+
+    static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {
+
+        @Override
+        public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
+            OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
+                    authenticationContext.getAuthentication();
+            RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
+            String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();
+
+            LOG.trace("Will validate the redirect uri {}", requestedRedirectUri);
+
+            // Use exact string matching when comparing client redirect URIs against pre-registered URIs
+            if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
+                LOG.trace("Redirect uri is invalid!");
+                OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
+                throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
+            }
+            LOG.trace("Redirect uri is OK!");
+        }
+    }
+}
+//CHECKSTYLE:ON

spring-cloud/authorization-server/src/main/java/io/javatab/springcloud/auth/configuration/DefaultSecurityConfig.java

@@ -1,8 +1,27 @@
+//CHECKSTYLE:OFF
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package io.javatab.springcloud.auth.configuration;
 
+import static org.springframework.security.config.Customizer.withDefaults;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
@@ -11,12 +30,14 @@
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 
-import static org.springframework.security.config.Customizer.withDefaults;
-
+/**
+ * @author Joe Grandja
+ * @since 0.1.0
+ */
+@Configuration
 @EnableWebSecurity
 public class DefaultSecurityConfig {
 
-
     private static final Logger LOG = LoggerFactory.getLogger(DefaultSecurityConfig.class);
 
     // formatter:off

spring-cloud/authorization-server/src/main/java/io/javatab/springcloud/auth/jose/Jwks.java

@@ -13,21 +13,22 @@
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
+
  */
+
 package io.javatab.springcloud.auth.jose;
 
 import com.nimbusds.jose.jwk.Curve;
 import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.OctetSequenceKey;
 import com.nimbusds.jose.jwk.RSAKey;
-
-import javax.crypto.SecretKey;
 import java.security.KeyPair;
 import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.UUID;
+import javax.crypto.SecretKey;
 
 /**
  * @author Joe Grandja
@@ -44,9 +45,9 @@ public static RSAKey generateRsa() {
     RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
     // @formatter:off
     return new RSAKey.Builder(publicKey)
-        .privateKey(privateKey)
-        .keyID(UUID.randomUUID().toString())
-        .build();
+            .privateKey(privateKey)
+            .keyID(UUID.randomUUID().toString())
+            .build();
     // @formatter:on
   }
 
@@ -57,18 +58,18 @@ public static ECKey generateEc() {
     Curve curve = Curve.forECParameterSpec(publicKey.getParams());
     // @formatter:off
     return new ECKey.Builder(curve, publicKey)
-        .privateKey(privateKey)
-        .keyID(UUID.randomUUID().toString())
-        .build();
+            .privateKey(privateKey)
+            .keyID(UUID.randomUUID().toString())
+            .build();
     // @formatter:on
   }
 
   public static OctetSequenceKey generateSecret() {
     SecretKey secretKey = KeyGeneratorUtils.generateSecretKey();
     // @formatter:off
     return new OctetSequenceKey.Builder(secretKey)
-        .keyID(UUID.randomUUID().toString())
-        .build();
+            .keyID(UUID.randomUUID().toString())
+            .build();
     // @formatter:on
   }
 }