:Merge branch 'self-contained-feature'

Author: patternhelloworld

README.md

@@ -1,11 +1,23 @@
 # Spring Security Oauth2 JPA Implementation
 
-> App-Token based OAuth2 POC built to grow with Spring Boot and ORM
+> App-Token based OAuth2 implementation built to grow with Spring Boot and JPA
+
+## Table of Contents
+
+- [Quick Start](#quick-start)
+- [Features](#features)
+- [Dependencies](#dependencies)
+- [Run the App](#run-the-app)
+- [API Guide](#api-guide)
+    - [Registration](#registration)
+    - [Implementations](#implementations)
+        - [Mandatory Settings](#mandatory-settings)
+        - [Customizable Settings](#customizable-settings)
+- [OAuth2 - ROPC](#oauth2---ropc)
+- [OAuth2 - Authorization Code](#oauth2---authorization-code)
+- [Running this App with Docker](#running-this-app-with-docker)
+- [Contribution Guide](#contribution-guide)
 
-## Supporting Oauth2 Type
-| ROPC             | Authorization Code                              |
-|------------------|-------------------------------------------------|
-| production-level | Beta (expected to reach production-level in v3) |
 
 ## Quick Start
 ```xml
@@ -15,21 +27,15 @@
     <version>3.5.0</version>
 </dependency>
 ```
-For v2, using the database tables from Spring Security 5 (only the database tables; follow the dependencies as above):
-```xml
-<dependency>
-    <groupId>io.github.patternknife.securityhelper.oauth2.api</groupId>
-    <artifactId>spring-security-oauth2-password-jpa-implementation</artifactId>
-    <version>2.8.2</version>
-</dependency>
-```
 
-## Overview
 
-* Complete separation of the library (API) and the client for testing it
+## Features
+
+* Complete separation of the library and the client
+  * Library : API
+  * Client : DOC, Integration tester
 * Immediate Permission (Authority) Check: Not limited to verifying the token itself, but also ensuring real-time validation of any updates to permissions in the database.
 * Token Introspector: Enable the ``/oauth2/introspect`` endpoint to allow multiple resource servers to verify the token's validity and permissions with the authorization server.
-
 * Set up the same access & refresh token APIs on both ``/oauth2/token`` and on our controller layer such as ``/api/v1/traditional-oauth/token``, both of which function same and have `the same request & response payloads for success and errors`. (However, ``/oauth2/token`` is the standard that "spring-authorization-server" provides.)
   * As you are aware, the API ``/oauth2/token`` is what "spring-authorization-server" provides.
     * ``/api/v1/traditional-oauth/token`` is what this library implemented directly.

client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/response/error/GlobalExceptionHandler.java

@@ -1,13 +1,12 @@
 package com.patternknife.securityhelper.oauth2.client.config.response.error;
 
 
-import com.patternknife.securityhelper.oauth2.client.config.response.error.message.GeneralErrorMessage;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.response.error.util.ExceptionKnifeUtils;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.response.error.dto.SecurityKnifeErrorResponsePayload;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.response.error.exception.KnifeOauth2AuthenticationException;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.message.DefaultSecurityUserExceptionMessage;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.message.ISecurityUserExceptionMessageService;
-import io.github.patternknife.securityhelper.oauth2.api.config.util.OrderConstants;
+import io.github.patternknife.securityhelper.oauth2.api.config.util.KnifeOrderConstants;
 import lombok.RequiredArgsConstructor;;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
@@ -28,7 +27,7 @@
  *   Once you create 'GlobalExceptionHandler', you should insert the following two (authenticationException, authorizationException)  as default. Otherwise, 'unhandledExceptionHandler' is prior to 'io.github.patternknife.securityhelper.oauth2.api.config.security.response.error.handler.SecurityKnifeExceptionHandler'.
  *   "OrderConstants.SECURITY_KNIFE_EXCEPTION_HANDLER_ORDER - 1" means this is prior to "SecurityKnifeExceptionHandler"
  * */
-@Order(OrderConstants.SECURITY_KNIFE_EXCEPTION_HANDLER_ORDER - 1)
+@Order(KnifeOrderConstants.SECURITY_KNIFE_EXCEPTION_HANDLER_ORDER - 1)
 @ControllerAdvice
 @RequiredArgsConstructor
 public class GlobalExceptionHandler {

client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/securityimpl/introspector/CustomResourceServerTokenIntrospector.java

@@ -2,29 +2,41 @@
 
 import io.github.patternknife.securityhelper.oauth2.api.config.security.message.DefaultSecurityUserExceptionMessage;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.message.ISecurityUserExceptionMessageService;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.response.error.dto.KnifeErrorMessages;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.response.error.exception.KnifeOauth2AuthenticationException;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.userdetail.ConditionalDetailsService;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
 import org.springframework.stereotype.Component;
-import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
-import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
+
+import java.util.Arrays;
+import java.util.Map;
 
 /*
-*   Set this to your resource servers
+*   Set this to your resource servers.
 * */
 @Component
 public class CustomResourceServerTokenIntrospector implements OpaqueTokenIntrospector {
 
     private final OpaqueTokenIntrospector delegate;
+    private final JwtDecoder jwtDecoder;
 
     /*
-    *   api : resource servers call the authorization server
-    *   database : the database is shared with the authorization server and resource servers
-    * */
+     * Specifies the type of introspection:
+     * - "api": Resource servers call the authorization server.
+     * - "database": The database is shared between the authorization server and resource servers.
+     * - "decode": Token is decoded locally using JWT.
+     *
+     * You can customize logic by combining "api" and "decode" methods.
+     * For example, if a token is created within the last 10 minutes, the API can be used for validation.
+     */
     String introspectionType;
 
     private final OAuth2AuthorizationServiceImpl authorizationService;
@@ -39,7 +51,7 @@ public CustomResourceServerTokenIntrospector(
             @Value("${patternknife.securityhelper.oauth2.introspection.type:database}") String introspectionType,
             @Value("${patternknife.securityhelper.oauth2.introspection.uri:default-introspect-uri}") String introspectionUri,
             @Value("${patternknife.securityhelper.oauth2.introspection.client-id:default-client-id}") String clientId,
-            @Value("${patternknife.securityhelper.oauth2.introspection.client-secret:default-client-secret}") String clientSecret) {
+            @Value("${patternknife.securityhelper.oauth2.introspection.client-secret:default-client-secret}") String clientSecret, JwtDecoder jwtDecoder) {
 
         this.authorizationService = authorizationService;
         this.conditionalDetailsService = conditionalDetailsService;
@@ -48,26 +60,42 @@ public CustomResourceServerTokenIntrospector(
         this.introspectionType = introspectionType;
 
         this.delegate = new SpringOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
+        this.jwtDecoder = jwtDecoder;
     }
 
     @Override
     public OAuth2AuthenticatedPrincipal introspect(String token) {
-        if(introspectionType.equals("api")) {
-            try {
-                return delegate.introspect(token);
-            } catch (Exception e) {
-                throw new KnifeOauth2AuthenticationException(e.getMessage());
+        switch (introspectionType) {
+            case "api" -> {
+                try {
+                    return delegate.introspect(token);
+                } catch (Exception e) {
+                    throw new KnifeOauth2AuthenticationException(KnifeErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_TOKEN_FAILURE)).message(e.getMessage() + Arrays.toString(e.getStackTrace())).build());
+                }
+            }
+            case "database" -> {
+                OAuth2Authorization oAuth2Authorization = authorizationService.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);
+
+                if (oAuth2Authorization == null || oAuth2Authorization.getAccessToken() == null || oAuth2Authorization.getAccessToken().isExpired()
+                        || oAuth2Authorization.getRefreshToken() == null || oAuth2Authorization.getRefreshToken().isExpired()) {
+                    throw new KnifeOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_TOKEN_FAILURE));
+                }
+                return (OAuth2AuthenticatedPrincipal) conditionalDetailsService.loadUserByUsername(oAuth2Authorization.getPrincipalName(), (String) oAuth2Authorization.getAttributes().get("client_id"));
             }
-        } else if (introspectionType.equals("database")) {
-            OAuth2Authorization oAuth2Authorization = authorizationService.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);
+            case "decode" -> {
+                try {
+                    Jwt jwt = jwtDecoder.decode(token);
+
+                    Map<String, Object> claims = jwt.getClaims();
+                    String username = (String) claims.get("username");
+                    String clientId = (String) claims.get("client_id");
 
-            if(oAuth2Authorization == null || oAuth2Authorization.getAccessToken() == null || oAuth2Authorization.getAccessToken().isExpired()
-                    || oAuth2Authorization.getRefreshToken() == null || oAuth2Authorization.getRefreshToken().isExpired()){
-                throw new KnifeOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_TOKEN_FAILURE));
+                    return (OAuth2AuthenticatedPrincipal) conditionalDetailsService.loadUserByUsername(username, clientId);
+                }catch (Exception e) {
+                    throw new KnifeOauth2AuthenticationException(KnifeErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_TOKEN_FAILURE)).message(e.getMessage() + Arrays.toString(e.getStackTrace())).build());
+                }
             }
-            return (OAuth2AuthenticatedPrincipal) conditionalDetailsService.loadUserByUsername(oAuth2Authorization.getPrincipalName(), (String) oAuth2Authorization.getAttributes().get("client_id"));
-        }else{
-            throw new KnifeOauth2AuthenticationException("Wrong introspection type : " + introspectionType);
+            default -> throw new KnifeOauth2AuthenticationException("Wrong introspection type : " + introspectionType);
         }
     }
 }

client/src/main/java/com/patternknife/securityhelper/oauth2/client/domain/customer/api/CustomerApi.java

@@ -103,7 +103,7 @@ public Map<String, Boolean> logoutCustomer(HttpServletRequest request) {
 
     @PreAuthorize("@resourceServerAuthorityChecker.hasRole('CUSTOMER_ADMIN')")
     @GetMapping("/customers/{id}")
-    public CustomerResDTO.Id getCustomerForAuthorizationTest(@PathVariable("id") final long id, @CustomAuthenticationPrincipal KnifeUserInfo knifeUserInfo)
+    public CustomerResDTO.Id getCustomerForAuthorizationTest(@PathVariable("id") final long id, @CustomAuthenticationPrincipal KnifeUserInfo<CustomizedUserInfo> knifeUserInfo)
             throws ResourceNotFoundException {
         return new CustomerResDTO.Id(id);
     }

client/src/main/resources/application.properties

@@ -77,10 +77,14 @@ spring.mvc.view.suffix=.html
 
 
 # Introspection type configuration:
-# - api: The Resource Server sends introspection requests to the Authorization Server (better scalability)
-# - database: The Resource Server and Authorization Server share the same database (faster performance)
+# - api: The Resource Server sends introspection requests to the Authorization Server (high traffic, better scalability, instant authorization check)
+# - database: The Resource Server and Authorization Server share the same database (low traffic, low scalability, instant authorization check)
+# - decode: The Resource Server decodes the Access Token according to the JWT algorithm. (no traffic, better scalability, no instant authorization check)
 # [WARNING] api: Some test codes are currently NOT working due to the following introspection URI calls
 patternknife.securityhelper.oauth2.introspection.type=database
 patternknife.securityhelper.oauth2.introspection.uri=http://localhost:8370/oauth2/introspect
 patternknife.securityhelper.oauth2.introspection.client-id=client_customer
-patternknife.securityhelper.oauth2.introspection.client-secret=12345
+patternknife.securityhelper.oauth2.introspection.client-secret=12345
+
+patternknife.securityhelper.jwt.secret=5pAq6zRyX8bC3dV2wS7gN1mK9jF0hL4tUoP6iBvE3nG8xZaQrY7cW2fA
+patternknife.securityhelper.jwt.algorithm=HmacSHA256

lib/pom.xml

@@ -10,7 +10,7 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <artifactId>spring-security-oauth2-password-jpa-implementation</artifactId>
     <version>3.5.0</version>
     <name>spring-security-oauth2-password-jpa-implementation</name>
-    <description>The implementation of Spring Security 6 Spring Authorization Server for stateful OAuth2 Password Grant</description>
+    <description>App-Token based OAuth2 implementation built to grow with Spring Boot and JPA</description>
     <packaging>jar</packaging>
 
     <url>https://github.com/patternknife/spring-security-oauth2-password-jpa-implementation</url>

lib/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/PasswordAccessTokenRequestConverter.java

@@ -30,7 +30,7 @@ public Authentication convert(HttpServletRequest request) {
 
         KnifeGrantAuthenticationToken knifeGrantAuthenticationToken = new KnifeGrantAuthenticationToken(new AuthorizationGrantType((String) additionalParameters.get("grant_type")),
                 oAuth2ClientAuthenticationToken, additionalParameters);
-        additionalParameters.put(Principal.class.getName(), knifeGrantAuthenticationToken);
+      //  additionalParameters.put(Principal.class.getName(), knifeGrantAuthenticationToken);
 
         return knifeGrantAuthenticationToken;
     }