Merge branch 'multi-resource-server-introspector'

Author: patternhelloworld

README.md

@@ -1,7 +1,9 @@
 # Spring Security Oauth2 JPA Implementation
 
 > App-Token based OAuth2 POC built to grow with Spring Boot and ORM
-> 
+
+- [NOTICE] Test codes will be temporarily non-functional due to the introduction of the Introspector, until the next version.
+
 ## Supporting Oauth2 Type
 | ROPC             | Authorization Code                              |
 |------------------|-------------------------------------------------|
@@ -27,6 +29,8 @@ For v2, using the database tables from Spring Security 5 (only the database tabl
 ## Overview
 
 * Complete separation of the library (API) and the client for testing it
+* Immediate Permission (Authority) Check: Not limited to verifying the token itself, but also ensuring real-time validation of any updates to permissions in the database.
+* Token Introspector: Enable the ``/oauth2/introspect`` endpoint to allow multiple resource servers to verify the token's validity and permissions with the authorization server.
 
 * Set up the same access & refresh token APIs on both ``/oauth2/token`` and on our controller layer such as ``/api/v1/traditional-oauth/token``, both of which function same and have `the same request & response payloads for success and errors`. (However, ``/oauth2/token`` is the standard that "spring-authorization-server" provides.)
   * As you are aware, the API ``/oauth2/token`` is what "spring-authorization-server" provides.
@@ -79,7 +83,7 @@ For v2, using the database tables from Spring Security 5 (only the database tabl
 * For v2, provide MySQL DDL, which consists of ``oauth_access_token, oauth_refresh_token and oauth_client_details``, which are tables in Security 5. As I meant to migrate current security system to Security 6 back then, I hadn't changed them to the ``oauth2_authorization`` table indicated in https://github.com/spring-projects/spring-authorization-server.
 
 * Application of Spring Rest Docs
- 
+
 ## Dependencies
 
 | Category          | Dependencies                                                      |
@@ -194,6 +198,9 @@ public class CommonDataSourceConfiguration {
  - **Customize the verification logic for UsernamePassword and Client as desired**
     - ``IOauth2AuthenticationHashCheckService``
 
+ - **Customize OpaqueTokenIntrospector as desired (!Set this to your Resource Servers)**
+    - ``client.config.securityimpl.introspector.CustomResourceServerTokenIntrospector``
+
 ## OAuth2 - ROPC
 * Refer to ``client/src/docs/asciidoc/api-app.adoc``
 

client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/securityimpl/guard/ResourceServerAuthorityChecker.java

@@ -1,30 +1,66 @@
 package com.patternknife.securityhelper.oauth2.client.config.securityimpl.guard;
 
+import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.userdetail.ConditionalDetailsService;
+import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
 import org.springframework.stereotype.Service;
 
+@RequiredArgsConstructor
 @Service
 public class ResourceServerAuthorityChecker {
 
+    private final OAuth2AuthorizationServiceImpl authorizationService;
+    private final ConditionalDetailsService conditionalDetailsService;
+    private final RegisteredClientRepository registeredClientRepository;
+
+
     public boolean hasAnyAdminRole() {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (authentication == null || authentication.getAuthorities() == null) {
+        if (!(authentication instanceof BearerTokenAuthentication bearerTokenAuth)) {
+            return false;
+        }
+
+        String bearerAccessToken = bearerTokenAuth.getToken().getTokenValue();
+
+        OAuth2Authorization oAuth2Authorization = authorizationService.findByToken(bearerAccessToken, OAuth2TokenType.ACCESS_TOKEN);
+        if (oAuth2Authorization == null) {
             return false;
         }
-        return authentication.getAuthorities().stream()
+
+        UserDetails userDetails = conditionalDetailsService.loadUserByUsername(
+                oAuth2Authorization.getPrincipalName(),
+                oAuth2Authorization.getAttribute("client_id")
+        );
+
+        // Check for any _ADMIN roles
+        return userDetails.getAuthorities().stream()
                 .anyMatch(authority -> authority.getAuthority().endsWith("_ADMIN"));
     }
 
     private boolean hasRoleOrSuperAdmin(String role) {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (authentication == null || authentication.getAuthorities() == null) {
+        if (authentication == null) {
             return false;
         }
 
+        String bearerAccessToken = ((BearerTokenAuthentication) authentication).getToken().getTokenValue();
+
+        OAuth2Authorization oAuth2Authorization = authorizationService.findByToken(bearerAccessToken, OAuth2TokenType.ACCESS_TOKEN);
+
+        UserDetails userDetails = conditionalDetailsService.loadUserByUsername(oAuth2Authorization.getPrincipalName(), oAuth2Authorization.getAttribute("client_id"));
+
         // Check for SUPER_ADMIN role or the specific role
-        return authentication.getAuthorities().stream()
-                .anyMatch(authority -> "SUPER_ADMIN".equals(authority.getAuthority())
+        return userDetails.getAuthorities().stream()
+                .anyMatch(authority -> role.equals(authority.getAuthority())
                         || authority.getAuthority().equals(role));
     }
 

client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/securityimpl/guard/SecurityGuardUtil.java

@@ -2,6 +2,7 @@
 
 import com.patternknife.securityhelper.oauth2.client.config.securityimpl.guard.AccessTokenUserInfo;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
 
 public class SecurityGuardUtil {
 
@@ -10,6 +11,8 @@ public static AccessTokenUserInfo getAccessTokenUser(){
 
         Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
 
+        String userName =((OAuth2IntrospectionAuthenticatedPrincipal)principal).getAttribute("username");
+
         if (principal instanceof AccessTokenUserInfo) {
             return ((AccessTokenUserInfo) principal);
         }

client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/securityimpl/guard/UserCustomerOnlyImpl.java

@@ -1,19 +1,45 @@
 package com.patternknife.securityhelper.oauth2.client.config.securityimpl.guard;
 
 import com.patternknife.securityhelper.oauth2.client.config.response.error.exception.auth.CustomAuthGuardException;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.userdetail.ConditionalDetailsService;
+import lombok.RequiredArgsConstructor;
 import org.aspectj.lang.ProceedingJoinPoint;
 import org.aspectj.lang.annotation.Around;
 import org.aspectj.lang.annotation.Aspect;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
 import org.springframework.stereotype.Component;
 
 @Aspect
 @Component
+@RequiredArgsConstructor
 public class UserCustomerOnlyImpl {
 
+    private final OAuth2AuthorizationServiceImpl authorizationService;
+    private final ConditionalDetailsService conditionalDetailsService;
+
     @Around("@annotation(com.patternknife.securityhelper.oauth2.client.config.securityimpl.guard.UserCustomerOnly)")
     public Object check(ProceedingJoinPoint joinPoint) throws Throwable {
 
-        AccessTokenUserInfo accessTokenUserInfo = SecurityGuardUtil.getAccessTokenUser();
+        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+
+        String userName =((OAuth2IntrospectionAuthenticatedPrincipal)principal).getUsername();
+        String clientId  =((OAuth2IntrospectionAuthenticatedPrincipal)principal).getClientId();
+        String appToken =  ((OAuth2IntrospectionAuthenticatedPrincipal)principal).getAttribute("App-Token");
+
+
+        OAuth2Authorization oAuth2Authorization = authorizationService.findByUserNameAndClientIdAndAppToken(userName, clientId, appToken);
+
+        UserDetails userDetails = conditionalDetailsService.loadUserByUsername(userName, clientId);
+
+        AccessTokenUserInfo accessTokenUserInfo = ((AccessTokenUserInfo)userDetails);
+
 
         if(accessTokenUserInfo != null && (accessTokenUserInfo.getAdditionalAccessTokenUserInfo().getUserType() != AdditionalAccessTokenUserInfo.UserType.CUSTOMER)){
             throw new CustomAuthGuardException("ID \"" + accessTokenUserInfo.getUsername() + "\" : Not in Customer Group");

client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/securityimpl/introspector/CustomDefaultResourceServerTokenIntrospector.java

@@ -0,0 +1,35 @@
+package com.patternknife.securityhelper.oauth2.client.config.securityimpl.introspector;
+
+import io.github.patternknife.securityhelper.oauth2.api.config.security.message.ISecurityUserExceptionMessageService;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.response.error.exception.KnifeOauth2AuthenticationException;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.userdetail.ConditionalDetailsService;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
+import org.springframework.stereotype.Component;
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
+
+@Component
+public class CustomDefaultResourceServerTokenIntrospector implements OpaqueTokenIntrospector {
+
+    private final OpaqueTokenIntrospector delegate;
+
+    public CustomDefaultResourceServerTokenIntrospector(
+            @Value("${security.oauth2.introspection.uri}") String introspectionUri,
+            @Value("${security.oauth2.introspection.client-id}") String clientId,
+            @Value("${security.oauth2.introspection.client-secret}") String clientSecret) {
+        this.delegate = new SpringOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);
+    }
+
+    @Override
+    public OAuth2AuthenticatedPrincipal introspect(String token) {
+        try {
+            return delegate.introspect(token);
+        } catch (Exception e) {
+            throw new KnifeOauth2AuthenticationException(e.getMessage());
+        }
+    }
+}
+

client/src/main/java/com/patternknife/securityhelper/oauth2/client/domain/customer/api/CustomerApi.java

@@ -39,7 +39,7 @@ public class CustomerApi {
     @UserCustomerOnly
     @PreAuthorize("isAuthenticated()")
     @GetMapping("/customers/me")
-    public CustomerResDTO.IdNameWithAccessTokenRemainingSeconds getCustomerSelf(@AuthenticationPrincipal AccessTokenUserInfo accessTokenUserInfo,
+    public CustomerResDTO.IdNameWithAccessTokenRemainingSeconds getCustomerSelf(
                                                                                                       @RequestHeader("Authorization") String authorizationHeader) throws ResourceNotFoundException {
         String token = authorizationHeader.substring("Bearer ".length());
 
@@ -58,8 +58,8 @@ public CustomerResDTO.IdNameWithAccessTokenRemainingSeconds getCustomerSelf(@Aut
             }
         }
 
-        return new CustomerResDTO.IdNameWithAccessTokenRemainingSeconds(customerRepository.findByIdName(accessTokenUserInfo.getUsername())
-                .orElseThrow(() -> new ResourceNotFoundException("Couldn't find the user (username : " + accessTokenUserInfo.getUsername() + ")")), accessTokenRemainingSeconds);
+        return new CustomerResDTO.IdNameWithAccessTokenRemainingSeconds(customerRepository.findByIdName(oAuth2Authorization.getPrincipalName())
+                .orElseThrow(() -> new ResourceNotFoundException("Couldn't find the user (username : " + oAuth2Authorization.getPrincipalName() + ")")), accessTokenRemainingSeconds);
 
     }
 

client/src/main/resources/application.properties

@@ -73,4 +73,9 @@ logginglevel.org.springframework.security=trace
 io.github.patternknife.securityhelper.oauth2.no-app-token-same-access-token=true
 
 spring.mvc.view.prefix=/templates/
-spring.mvc.view.suffix=.html
+spring.mvc.view.suffix=.html
+
+
+security.oauth2.introspection.uri=http://localhost:8370/oauth2/introspect
+security.oauth2.introspection.client-id=client_customer
+security.oauth2.introspection.client-secret=12345

client/src/test/java/com/patternknife/securityhelper/oauth2/client/integration/auth/CustomerIntegrationTest.java

@@ -630,6 +630,12 @@ public void testLoginWithInvalidCredentials_EXPOSE() throws Exception {
         assertEquals(userMessage, CustomSecurityUserExceptionMessage.AUTHENTICATION_WRONG_GRANT_TYPE.getMessage());
     }
 
+    /*
+    *   [IMPORTANT] To test this, as '/oauth2/introspect' has been introduced, this can't connect to itself at this point. Check 'CustomDefaultResourceServerTokenIntrospector'.
+    *
+    * */
+
+
     @Test
     public void testFetchResourceWithInvalidCredentialsAndValidCredentialsButWithNoPermission() throws Exception {
 
@@ -719,6 +725,7 @@ public void testFetchResourceWithInvalidCredentialsAndValidCredentialsButWithNoP
 
 
 
+
     private static class AccessTokenMaskingPreprocessor implements OperationPreprocessor {
 
         @Override

lib/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/KnifeOAuth2TokenIntrospectionAuthenticationConverter.java

@@ -0,0 +1,85 @@
+package io.github.patternknife.securityhelper.oauth2.api.config.security.converter.auth.endpoint;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import io.github.patternknife.securityhelper.oauth2.api.config.security.provider.auth.introspectionendpoint.KnifeOauth2OpaqueTokenAuthenticationProvider;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.userdetail.ConditionalDetailsService;
+import io.github.patternknife.securityhelper.oauth2.api.config.util.KnifeOAuth2EndpointUtils;
+import jakarta.servlet.http.HttpServletRequest;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenIntrospection;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenIntrospectionAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter;
+
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenAuthenticationConverter;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.util.Assert;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+
+/**
+ * Attempts to extract an Introspection Request from {@link HttpServletRequest} and then
+ * converts it to an {@link OAuth2TokenIntrospectionAuthenticationToken} used for
+ * authenticating the request.
+ *
+ * @author Gerardo Roza
+ * @author Joe Grandja
+ * @since 0.4.0
+ * @see AuthenticationConverter
+ * @see OAuth2TokenIntrospectionAuthenticationToken
+ * @see OAuth2TokenIntrospectionEndpointFilter
+ */
+public final class KnifeOAuth2TokenIntrospectionAuthenticationConverter implements AuthenticationConverter {
+
+    /*
+    * Now, this only takes "access_token".
+    * */
+    @Override
+    public Authentication convert(HttpServletRequest request) {
+        Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
+
+        MultiValueMap<String, String> parameters = KnifeOAuth2EndpointUtils.getFormParameters(request);
+
+        // token (REQUIRED)
+        String token = parameters.getFirst(OAuth2ParameterNames.TOKEN);
+        if (!StringUtils.hasText(token) || parameters.get(OAuth2ParameterNames.TOKEN).size() != 1) {
+            throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.TOKEN);
+        }
+
+        // token_type_hint (OPTIONAL)
+        String tokenTypeHint = parameters.getFirst(OAuth2ParameterNames.TOKEN_TYPE_HINT);
+        if (StringUtils.hasText(tokenTypeHint) && parameters.get(OAuth2ParameterNames.TOKEN_TYPE_HINT).size() != 1) {
+            throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.TOKEN_TYPE_HINT);
+        }
+
+        Map<String, Object> additionalParameters = new HashMap<>();
+        parameters.forEach((key, value) -> {
+            if (!key.equals(OAuth2ParameterNames.TOKEN) && !key.equals(OAuth2ParameterNames.TOKEN_TYPE_HINT)) {
+                additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0]));
+            }
+        });
+
+        return new OAuth2TokenIntrospectionAuthenticationToken(token, clientPrincipal, tokenTypeHint,
+                additionalParameters);
+    }
+
+    private static void throwError(String errorCode, String parameterName) {
+        OAuth2Error error = new OAuth2Error(errorCode, "OAuth 2.0 Token Introspection Parameter: " + parameterName,
+                "https://datatracker.ietf.org/doc/html/rfc7662#section-2.1");
+        throw new OAuth2AuthenticationException(error);
+    }
+
+}