Feature: Validator

- The Spring Authorization Server recommends using functional interfaces for validation (https://docs.spring.io/spring-authorization-server/reference/protocol-endpoints.html).
- Instead of applying OAuth2ClientCredentialsAuthenticationContext, additional parameters from OAuth2ClientAuthenticationToken were used. I could create OAuth2ClientCredentialsAuthenticationContext in OpaqueGrantTypeAuthenticationProvider, but I believe that would be a bit overkill.
- Renamed RegisteredClientRepositoryImpl to CacheableRegisteredClientRepositoryImpl to reflect its original caching functionality.

Author: patternhelloworld

client/src/test/java/com/patternhelloworld/securityhelper/oauth2/client/integration/auth/AuthorizationIntegrationTest.java

@@ -0,0 +1,87 @@
+package com.patternhelloworld.securityhelper.oauth2.client.integration.auth;
+
+
+import jakarta.xml.bind.DatatypeConverter;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.test.autoconfigure.restdocs.AutoConfigureRestDocs;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.restdocs.RestDocumentationContextProvider;
+import org.springframework.restdocs.RestDocumentationExtension;
+import org.springframework.restdocs.mockmvc.RestDocumentationResultHandler;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.MvcResult;
+import org.springframework.web.context.WebApplicationContext;
+
+import java.io.UnsupportedEncodingException;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
+
+/*
+*    Functions ending with
+*       "ORIGINAL" : '/oauth2/token'
+*       "EXPOSED" : '/api/v1/traditional-oauth/token'
+* */
+@ExtendWith(RestDocumentationExtension.class)
+@ExtendWith(SpringExtension.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@AutoConfigureMockMvc
+@AutoConfigureRestDocs(outputDir = "target/generated-snippets",uriScheme = "http", uriHost = "localhost", uriPort = 8370)
+public class AuthorizationIntegrationTest {
+
+    private static final Logger logger = LoggerFactory.getLogger(AuthorizationIntegrationTest.class);
+
+
+    @Autowired
+    private MockMvc mockMvc;
+
+
+    @Value("${app.oauth2.appUser.clientId}")
+    private String appUserClientId;
+    @Value("${app.oauth2.appUser.clientSecret}")
+    private String appUserClientSecret;
+
+    @Value("${app.test.auth.customer.username}")
+    private String testUserName;
+    @Value("${app.test.auth.customer.password}")
+    private String testUserPassword;
+
+
+    private RestDocumentationResultHandler document;
+
+    private String basicHeader;
+
+    @Autowired
+    private WebApplicationContext webApplicationContext;
+
+
+    @BeforeEach
+    public void setUp(RestDocumentationContextProvider restDocumentationContextProvider) throws UnsupportedEncodingException {
+
+        basicHeader = "Basic " + DatatypeConverter.printBase64Binary((appUserClientId + ":" + appUserClientSecret).getBytes("UTF-8"));
+
+    }
+    @Test
+    public void testAuthorizationCodeMissingException() throws Exception {
+        MvcResult result = mockMvc.perform(get("/oauth2/authorize?response_type=code&client_id=client_customer&state=xxx&scope=read&redirect_uri=http://localhost:8081/callback1"))
+                .andExpect(status().is2xxSuccessful())
+                .andDo(print())
+                .andReturn();
+        assertEquals("/login", result.getResponse().getForwardedUrl());
+/*        String responseContent = result.getResponse().getContentAsString(StandardCharsets.UTF_8);
+        assertTrue(responseContent.contains("AUTHENTICATION_AUTHORIZATION_CODE_MISSING"),
+                "The response should contain the error code 'AUTHENTICATION_AUTHORIZATION_CODE_MISSING'.");*/
+    }
+
+}

client/src/test/java/com/patternhelloworld/securityhelper/oauth2/client/integration/auth/CustomerIntegrationTest.java renamed to client/src/test/java/com/patternhelloworld/securityhelper/oauth2/client/integration/auth/TokenIntegrationTest.java

@@ -1,8 +1,8 @@
 package com.patternhelloworld.securityhelper.oauth2.client.integration.auth;
 
 
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.EasyPlusHttpHeaders;
 import com.patternhelloworld.securityhelper.oauth2.client.config.securityimpl.message.CustomSecurityUserExceptionMessage;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.EasyPlusHttpHeaders;
 import jakarta.xml.bind.DatatypeConverter;
 import lombok.SneakyThrows;
 import org.codehaus.jackson.map.ObjectMapper;
@@ -61,10 +61,10 @@
 @ExtendWith(SpringExtension.class)
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
 @AutoConfigureMockMvc
-@AutoConfigureRestDocs(outputDir = "target/generated-snippets",uriScheme = "https", uriHost = "vholic.com", uriPort = 8300)
-public class CustomerIntegrationTest {
+@AutoConfigureRestDocs(outputDir = "target/generated-snippets",uriScheme = "http", uriHost = "localhost", uriPort = 8370)
+public class TokenIntegrationTest {
 
-    private static final Logger logger = LoggerFactory.getLogger(CustomerIntegrationTest.class);
+    private static final Logger logger = LoggerFactory.getLogger(TokenIntegrationTest.class);
 
 
     @Autowired
@@ -808,6 +808,4 @@ public OperationResponse preprocess(OperationResponse response) {
     }
 
 
-
-
 }

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter.java renamed to lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/TokenRequestAfterClientBasicSecretAuthenticatedConverter.java

@@ -12,14 +12,15 @@
 import java.util.Map;
 
 @RequiredArgsConstructor
-public final class OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter implements AuthenticationConverter {
+public final class TokenRequestAfterClientBasicSecretAuthenticatedConverter implements AuthenticationConverter {
 
     @Override
     public Authentication convert(HttpServletRequest request) {
 
         Map<String, Object> allParameters = EasyPlusOAuth2EndpointUtils.getApiParametersContainingEasyPlusHeaders(request);
 
-        // ClientId is a must
+        // The client_id has already been parsed by ClientSecretBasicAuthenticationConverter.
+        // Therefore, there is no need to validate the client_id again at this point.
         String clientId = allParameters.get("client_id").toString();
 
         // All token requests are "CLIENT_SECRET_BASIC"

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/provider/auth/endpoint/AuthorizationCodeAuthenticationProvider.java renamed to lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/provider/auth/endpoint/authorization/AuthorizationCodeAuthenticationProvider.java

@@ -13,7 +13,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package io.github.patternhelloworld.securityhelper.oauth2.api.config.security.provider.auth.endpoint;
+package io.github.patternhelloworld.securityhelper.oauth2.api.config.security.provider.auth.endpoint.authorization;
 
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.CommonOAuth2AuthorizationSaver;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.userdetail.ConditionalDetailsService;
@@ -34,8 +34,6 @@
 
 public final class AuthorizationCodeAuthenticationProvider implements AuthenticationProvider {
 
-    private static final String ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc6749#section-5.2";
-
     private final OAuth2AuthorizationService authorizationService;
 
     private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/provider/auth/endpoint/OpaqueGrantTypeAuthenticationProvider.java renamed to lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/provider/auth/endpoint/token/OpaqueGrantTypeAuthenticationProvider.java

@@ -1,4 +1,4 @@
-package io.github.patternhelloworld.securityhelper.oauth2.api.config.security.provider.auth.endpoint;
+package io.github.patternhelloworld.securityhelper.oauth2.api.config.security.provider.auth.endpoint.token;
 
 
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.message.DefaultSecurityUserExceptionMessage;
@@ -8,9 +8,11 @@
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.CommonOAuth2AuthorizationSaver;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.DefaultOauth2AuthenticationHashCheckService;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.persistence.client.RegisteredClientRepositoryImpl;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.userdetail.ConditionalDetailsService;
-import lombok.AllArgsConstructor;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.validator.endpoint.token.OpaqueGrantTypeTokenValidationResult;
+import lombok.RequiredArgsConstructor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -25,29 +27,30 @@
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
-import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.util.Assert;
 
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.Set;
-import java.util.stream.Collectors;
+import java.util.function.Function;
 
 /*
  *    1) ROPC (grant_type=password, grant_type=refresh_token)
  *    2) Authorization Code flow
  *      - Get an authorization_code with username and password (grant_type=authorization_code)
  *      - Login with code received from the authorization code flow instead of username & password (grant_type=code)
  */
-@AllArgsConstructor
+@RequiredArgsConstructor
 public final class OpaqueGrantTypeAuthenticationProvider implements AuthenticationProvider {
 
+    private static final Logger logger = LoggerFactory.getLogger(OpaqueGrantTypeAuthenticationProvider.class);
+
+    private Function<Map<String, Object>, OpaqueGrantTypeTokenValidationResult> authenticationValidator;
+
     private final CommonOAuth2AuthorizationSaver commonOAuth2AuthorizationSaver;
     private final ConditionalDetailsService conditionalDetailsService;
     private final DefaultOauth2AuthenticationHashCheckService oauth2AuthenticationHashCheckService;
     private final OAuth2AuthorizationServiceImpl oAuth2AuthorizationService;
     private final ISecurityUserExceptionMessageService iSecurityUserExceptionMessageService;
-    private final RegisteredClientRepositoryImpl registeredClientRepository;
 
     @Override
     public Authentication authenticate(Authentication authentication)
@@ -56,41 +59,26 @@ public Authentication authenticate(Authentication authentication)
         try {
             if (authentication instanceof OAuth2ClientAuthenticationToken token) {
 
-                // [NOTICE] If an incorrect client ID or Secret is detected, the OpaqueGrantTypeAccessTokenRequestConverter is not be invoked, which means there is NO mandatory client_id header parameter.
-                // For reference, if an incorrect Basic header, such as base64(client_id:<--no secret here-->), is detected, the ClientSecretBasicAuthenticationConverter handles it directly and passes it to the AuthenticationFailureHandler.
-                String clientId = token.getAdditionalParameters().getOrDefault("client_id", "").toString();
-                if (clientId.isEmpty()) {
-                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("Invalid Request. OpaqueGrantTypeAccessTokenRequestConverter was not invoked. This may indicate incorrect payloads or expired code or code_verifier.").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
-                }
-
                 Map<String, Object> modifiableAdditionalParameters = new HashMap<>(token.getAdditionalParameters());
-
+                OpaqueGrantTypeTokenValidationResult opaqueGrantTypeTokenValidationResult = this.authenticationValidator.apply(modifiableAdditionalParameters);
 
                 UserDetails userDetails;
-
-                String grantType = modifiableAdditionalParameters.getOrDefault("grant_type", "").toString();
-                if (grantType.isEmpty()) {
-                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("No grant_type key found").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
-                }
-
-                String responseType = modifiableAdditionalParameters.getOrDefault("response_type", "").toString();
-
-                switch (grantType) {
+                switch (opaqueGrantTypeTokenValidationResult.getGrantType()) {
                     case "authorization_code" -> {
-                        OAuth2Authorization oAuth2Authorization = oAuth2AuthorizationService.findByAuthorizationCode((String) modifiableAdditionalParameters.get("code"));
+                        OAuth2Authorization oAuth2Authorization = oAuth2AuthorizationService.findByAuthorizationCode(opaqueGrantTypeTokenValidationResult.getCode());
                         if (oAuth2Authorization == null) {
-                            throw new EasyPlusOauth2AuthenticationException("authorization code not found");
+                            throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("No user info found for the authorization code").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_FAILURE)).build());
                         }
-                        userDetails = conditionalDetailsService.loadUserByUsername(oAuth2Authorization.getPrincipalName(), clientId);
+                        userDetails = conditionalDetailsService.loadUserByUsername(oAuth2Authorization.getPrincipalName(), opaqueGrantTypeTokenValidationResult.getClientId());
                     }
                     case "password" -> {
-                        userDetails = conditionalDetailsService.loadUserByUsername((String) modifiableAdditionalParameters.get("username"), clientId);
+                        userDetails = conditionalDetailsService.loadUserByUsername((String) modifiableAdditionalParameters.get("username"), opaqueGrantTypeTokenValidationResult.getClientId());
                         oauth2AuthenticationHashCheckService.validateUsernamePassword((String) modifiableAdditionalParameters.get("password"), userDetails);
                     }
                     case "refresh_token" -> {
                         OAuth2Authorization oAuth2Authorization = oAuth2AuthorizationService.findByToken((String) modifiableAdditionalParameters.get("refresh_token"), OAuth2TokenType.REFRESH_TOKEN);
                         if (oAuth2Authorization != null) {
-                            userDetails = conditionalDetailsService.loadUserByUsername(oAuth2Authorization.getPrincipalName(), clientId);
+                            userDetails = conditionalDetailsService.loadUserByUsername(oAuth2Authorization.getPrincipalName(), opaqueGrantTypeTokenValidationResult.getClientId());
                         } else {
                             throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR));
                         }
@@ -99,34 +87,16 @@ public Authentication authenticate(Authentication authentication)
                 }
 
                 // Create tokens at this point
-                OAuth2Authorization oAuth2Authorization = commonOAuth2AuthorizationSaver.save(userDetails, new AuthorizationGrantType(modifiableAdditionalParameters.get("grant_type").toString()), clientId, modifiableAdditionalParameters);
+                OAuth2Authorization oAuth2Authorization = commonOAuth2AuthorizationSaver.save(userDetails, new AuthorizationGrantType(modifiableAdditionalParameters.get("grant_type").toString()), opaqueGrantTypeTokenValidationResult.getClientId(), modifiableAdditionalParameters);
 
-                RegisteredClient registeredClient = registeredClientRepository.findByClientId(clientId);
-                if (registeredClient == null) {
-                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("client_id NOT found in DB").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
-                }
-                Set<String> registeredScopes = registeredClient.getScopes();
-                Set<String> requestedScopes = Arrays.stream(
-                                modifiableAdditionalParameters.getOrDefault(OAuth2ParameterNames.SCOPE, "")
-                                        .toString()
-                                        .split(",")
-                        )
-                        .map(String::trim)
-                        .filter(scope -> !scope.isEmpty())
-                        .collect(Collectors.toSet());
-                if (!registeredScopes.containsAll(requestedScopes)) {
-                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_REDIRECT_URI))
-                            .message("Invalid scopes: " + requestedScopes + ". Allowed scopes: " + registeredScopes).build());
-                }
-
-                if (responseType.equals(OAuth2ParameterNames.CODE)) {
+                if (opaqueGrantTypeTokenValidationResult.getResponseType() != null && opaqueGrantTypeTokenValidationResult.getResponseType().equals(OAuth2ParameterNames.CODE)) {
                     // [IMPORTANT] To return the "code" not "access_token". Check "AuthenticationSuccessHandler".
                     modifiableAdditionalParameters.put("code", oAuth2Authorization.getToken(OAuth2AuthorizationCode.class).getToken().getTokenValue());
                 }
 
                 authentication.setAuthenticated(true);
                 return new OAuth2AccessTokenAuthenticationToken(
-                        registeredClient,
+                        opaqueGrantTypeTokenValidationResult.getRegisteredClient(),
                         getAuthenticatedClientElseThrowInvalidClient(authentication),
                         oAuth2Authorization.getAccessToken().getToken(),
                         oAuth2Authorization.getRefreshToken() != null ? oAuth2Authorization.getRefreshToken().getToken() : null,
@@ -160,4 +130,9 @@ private OAuth2ClientAuthenticationToken getAuthenticatedClientElseThrowInvalidCl
         }
         throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
     }
+
+    public void setAuthenticationValidator(Function<Map<String, Object>, OpaqueGrantTypeTokenValidationResult> authenticationValidator) {
+        Assert.notNull(authenticationValidator, "authenticationValidator cannot be null");
+        this.authenticationValidator = authenticationValidator;
+    }
 }

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/serivce/persistence/authorization/OAuth2AuthorizationServiceImpl.java

@@ -4,7 +4,7 @@
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.aop.SecurityPointCut;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.dao.EasyPlusAuthorizationRepository;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.entity.EasyPlusAuthorization;
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.persistence.client.RegisteredClientRepositoryImpl;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.persistence.client.CacheableRegisteredClientRepositoryImpl;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.token.generator.CustomAuthenticationKeyGenerator;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.EasyPlusHttpHeaders;
 import jakarta.annotation.Nullable;
@@ -47,7 +47,7 @@ public class OAuth2AuthorizationServiceImpl implements OAuth2AuthorizationServic
 
     private final EasyPlusAuthorizationRepository easyPlusAuthorizationRepository;
     private final SecurityPointCut securityPointCut;
-    private final RegisteredClientRepositoryImpl registeredClientRepositoryImpl;
+    private final CacheableRegisteredClientRepositoryImpl cacheableRegisteredClientRepositoryImpl;
 
 
     /*