Refactor: Authorization Code Flow

Use customized error messages.
Utilize error code constants.

Author: patternhelloworld

client/src/main/java/com/patternhelloworld/securityhelper/oauth2/client/config/securityimpl/message/CustomSecurityUserExceptionMessage.java

@@ -26,7 +26,15 @@ public enum CustomSecurityUserExceptionMessage implements ExceptionMessageInterf
     AUTHENTICATION_WRONG_CLIENT_ID_SECRET("1Client information is not verified."),
 
     // GRANT TYPE
-    AUTHENTICATION_WRONG_GRANT_TYPE("1Wrong Grant Type detected.");
+    AUTHENTICATION_WRONG_GRANT_TYPE("1Wrong Grant Type detected."),
+
+    // OAuth2 : Authorization Code
+    AUTHENTICATION_AUTHORIZATION_CODE_REQUEST_WRONG_METHOD("1Wrong Authorization Code request."),
+    AUTHENTICATION_CLIENT_ID_MISSING("1Client ID is missing."),
+    AUTHENTICATION_REDIRECT_URI_MISSING("1Redirect URI is missing."),
+    AUTHENTICATION_STATE_MISSING("1State is missing."),
+    AUTHENTICATION_REGISTERED_CLIENT_NOT_FOUND("1Registered client is missing or invalid"),
+    AUTHENTICATION_AUTHORIZATION_CODE_MISSING("1Authorization Code is missing.");
 
     private String message;
 

client/src/main/java/com/patternhelloworld/securityhelper/oauth2/client/config/securityimpl/response/CustomWebAuthenticationFailureHandlerImpl.java

@@ -1,8 +1,8 @@
 package com.patternhelloworld.securityhelper.oauth2.client.config.securityimpl.response;
 
-
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.message.ISecurityUserExceptionMessageService;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.response.error.exception.EasyPlusOauth2AuthenticationException;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.ErrorCodeConstants;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -36,21 +36,22 @@ public void onAuthenticationFailure(HttpServletRequest request, HttpServletRespo
 
         String errorMessage = "An unexpected error occurred.";
         List<String> errorDetails = new ArrayList<>();
+
+        EasyPlusOauth2AuthenticationException oauth2Exception;
         // Extract error messages if the exception is of type EasyPlusOauth2AuthenticationException
         if (exception instanceof EasyPlusOauth2AuthenticationException) {
-            EasyPlusOauth2AuthenticationException oauth2Exception = (EasyPlusOauth2AuthenticationException) exception;
+            oauth2Exception = (EasyPlusOauth2AuthenticationException) exception;
             errorMessage = oauth2Exception.getErrorMessages().getUserMessage();
-        }
 
-        if(errorMessage.equals("Authorization code missing in GET request")){
-            request.getRequestDispatcher("/login").forward(request, response);
-        }else {
+            if(oauth2Exception.getError().getErrorCode().equals(ErrorCodeConstants.REDIRECT_TO_LOGIN)){
+                request.getRequestDispatcher("/login").forward(request, response);
+                return;
+            }
+        }
+        request.setAttribute("errorMessage", errorMessage);
+        request.setAttribute("errorDetails", errorDetails);
 
-            // Redirect to /error with query parameters
-            request.setAttribute("errorMessage", errorMessage);
-            request.setAttribute("errorDetails", errorDetails);
+        request.getRequestDispatcher("/error").forward(request, response);
 
-            request.getRequestDispatcher("/error").forward(request, response);
-        }
     }
 }

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/AuthorizationCodeAuthorizationRequestConverter.java

@@ -1,21 +1,29 @@
 package io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint;
 
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.dao.EasyPlusAuthorizationConsentRepository;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.message.DefaultSecurityUserExceptionMessage;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.message.ISecurityUserExceptionMessageService;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.response.error.dto.EasyPlusErrorMessages;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.response.error.exception.EasyPlusOauth2AuthenticationException;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.RequestOAuth2Distiller;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.EasyPlusOAuth2EndpointUtils;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.ErrorCodeConstants;
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
-import org.springframework.lang.Nullable;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.web.authentication.AuthenticationConverter;
+import org.springframework.security.web.util.matcher.AndRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
 
@@ -28,98 +36,116 @@ public final class AuthorizationCodeAuthorizationRequestConverter implements Aut
     private final EasyPlusAuthorizationConsentRepository easyPlusAuthorizationConsentRepository;
     private final OAuth2AuthorizationServiceImpl oAuth2AuthorizationService;
 
-    public void setClientAuthenticationContext(String clientId) {
-        RegisteredClient registeredClient = registeredClientRepository.findByClientId(clientId);
-        if (registeredClient == null) {
-            throw new IllegalArgumentException("Invalid client ID");
-        }
+    private final ISecurityUserExceptionMessageService iSecurityUserExceptionMessageService;
 
-        OAuth2ClientAuthenticationToken clientAuthenticationToken = new OAuth2ClientAuthenticationToken(
-                registeredClient,
-                ClientAuthenticationMethod.CLIENT_SECRET_BASIC,
-                null
-        );
 
-        SecurityContextHolder.getContext().setAuthentication(clientAuthenticationToken);
-    }
+    private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken("anonymous",
+            "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
+
+    private static final RequestMatcher OIDC_REQUEST_MATCHER = createOidcRequestMatcher();
 
+    /*
+     * Why is the validation check done here?
+     * - Because if an OAuth2AuthenticationException is thrown in the CustomizedProvider,
+     *   Spring retries the process by replacing the CustomizedProvider with the OAuth2AuthorizationCodeRequestAuthenticationProvider.
+     *
+     * Where is OAuth2AuthorizationCodeRequestAuthenticationToken implemented?
+     * - It is handled by "EasyPlusGrantAuthenticationToken" when calling "/oauth2/token"
+     */
     @Override
-    @Nullable
     public Authentication convert(HttpServletRequest request) {
-        if ("POST".equalsIgnoreCase(request.getMethod())) {
-            // TODO:  Authorization Consent
-        } else if ("GET".equalsIgnoreCase(request.getMethod())) {
-            MultiValueMap<String, String> parameters = RequestOAuth2Distiller.getAuthorizationCodeSecurityAdditionalParameters(request);
 
+        if (!"GET".equals(request.getMethod()) && !OIDC_REQUEST_MATCHER.matches(request)) {
+            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_AUTHORIZATION_CODE_REQUEST_WRONG_METHOD));
+        }
 
+        MultiValueMap<String, String> parameters = EasyPlusOAuth2EndpointUtils.getWebParameters(request);
 
-            String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
-            if (!StringUtils.hasText(clientId)) {
-                throw new EasyPlusOauth2AuthenticationException("client_id missing");
-            }
-            String redirectUri = parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
-            if (!StringUtils.hasText(redirectUri)) {
-                throw new EasyPlusOauth2AuthenticationException("redirect_uri missing");
-            }
+        String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
+        if (!StringUtils.hasText(clientId)) {
+            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_CLIENT_ID_MISSING));
+        }
+        String redirectUri = parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
+        if (!StringUtils.hasText(redirectUri)) {
+            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_REDIRECT_URI_MISSING));
+        }
 
-            // setClientAuthenticationContext from the client_id param
-            setClientAuthenticationContext(clientId);
-            Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
+        Map<String, Object> additionalParameters = new HashMap<>();
 
+        parameters.forEach((key, value) -> {
+            additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0]));
+        });
 
-            RegisteredClient registeredClient = ((OAuth2ClientAuthenticationToken) clientPrincipal).getRegisteredClient();
 
-            // Check if the registered client is null
-            if (registeredClient == null) {
-                throw new EasyPlusOauth2AuthenticationException("Registered client is missing or invalid");
-            }
-            // Check if the redirectUri is not in the registered redirect URIs
-            if (!registeredClient.getRedirectUris().contains(redirectUri)) {
-                throw new EasyPlusOauth2AuthenticationException("Invalid redirect_uri: " + redirectUri);
-            }
+        String state = parameters.getFirst(OAuth2ParameterNames.STATE);
+        if (!StringUtils.hasText(state)) {
+            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_STATE_MISSING));
+        }
 
+        Set<String> requestedScopes = new HashSet<>(parameters.getOrDefault(OAuth2ParameterNames.SCOPE, Collections.emptyList()));
 
-            Set<String> requestedScopes = new HashSet<>(parameters.getOrDefault(OAuth2ParameterNames.SCOPE, Collections.emptyList()));
-             // Scopes from the request
-            Set<String> registeredScopes = registeredClient.getScopes(); // Scopes from the RegisteredClient
+        Authentication principal = SecurityContextHolder.getContext().getAuthentication();
+        if (principal == null) {
+            setClientAuthenticationContext(clientId);
+            principal = SecurityContextHolder.getContext().getAuthentication();
+        }
 
-            if (!registeredScopes.containsAll(requestedScopes)) {
-                throw new EasyPlusOauth2AuthenticationException("Invalid scopes: " + requestedScopes + ". Allowed scopes: " + registeredScopes);
-            }
+        RegisteredClient registeredClient = ((OAuth2ClientAuthenticationToken) principal).getRegisteredClient();
 
-            Map<String, Object> additionalParameters = new HashMap<>();
+        if (registeredClient == null) {
+            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_REGISTERED_CLIENT_NOT_FOUND));
+        }
 
-            parameters.forEach((key, value) -> {
-                additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0]));
-            });
+        if (!registeredClient.getRedirectUris().contains(redirectUri)) {
+            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_REDIRECT_URI));
+        }
 
-            String code = parameters.getFirst(OAuth2ParameterNames.CODE);
-            if (!StringUtils.hasText(code)) {
-                throw new EasyPlusOauth2AuthenticationException("Authorization code missing in GET request");
-            }
+        Set<String> registeredScopes = registeredClient.getScopes(); // Scopes from the RegisteredClient
 
-            return new OAuth2AuthorizationCodeAuthenticationToken(
-                    code,
-                    clientPrincipal,
-                    redirectUri,
-                    additionalParameters
-            );
+        if (!registeredScopes.containsAll(requestedScopes)) {
+            throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_REDIRECT_URI))
+                    .message("Invalid scopes: " + requestedScopes + ". Allowed scopes: " + registeredScopes).build());
+        }
 
-        } else {
-            throw new IllegalStateException("Unsupported HTTP method: " + request.getMethod());
+        String code = parameters.getFirst(OAuth2ParameterNames.CODE);
+        if (!StringUtils.hasText(code)) {
+            throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_AUTHORIZATION_CODE_MISSING))
+                    .errorCode(ErrorCodeConstants.REDIRECT_TO_LOGIN).build());
         }
 
-        return null;
-        // TODO:  Authorization Consent
-        /*        return new OAuth2AuthorizationCodeRequestAuthenticationToken(
-                parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI),
-                clientId,
-                clientPrincipal,
+        return new OAuth2AuthorizationCodeAuthenticationToken(
+                code,
+                principal,
                 redirectUri,
-                state,
-                scopes,
                 additionalParameters
-        );*/
+        );
     }
+
+    private static RequestMatcher createOidcRequestMatcher() {
+        RequestMatcher postMethodMatcher = (request) -> "POST".equals(request.getMethod());
+        RequestMatcher responseTypeParameterMatcher = (
+                request) -> request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null;
+        RequestMatcher openidScopeMatcher = (request) -> {
+            String scope = request.getParameter(OAuth2ParameterNames.SCOPE);
+            return StringUtils.hasText(scope) && scope.contains(OidcScopes.OPENID);
+        };
+        return new AndRequestMatcher(postMethodMatcher, responseTypeParameterMatcher, openidScopeMatcher);
+    }
+
+    public void setClientAuthenticationContext(String clientId) {
+        RegisteredClient registeredClient = registeredClientRepository.findByClientId(clientId);
+        if (registeredClient == null) {
+            throw new IllegalArgumentException("Invalid client ID");
+        }
+
+        OAuth2ClientAuthenticationToken clientAuthenticationToken = new OAuth2ClientAuthenticationToken(
+                registeredClient,
+                ClientAuthenticationMethod.CLIENT_SECRET_BASIC,
+                null
+        );
+
+        SecurityContextHolder.getContext().setAuthentication(clientAuthenticationToken);
+    }
+
 }
 

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/PasswordAccessTokenRequestConverter.java

@@ -1,7 +1,7 @@
 package io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint;
 
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.RequestOAuth2Distiller;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.token.EasyPlusGrantAuthenticationToken;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.EasyPlusOAuth2EndpointUtils;
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.Authentication;
@@ -16,22 +16,20 @@
 public final class PasswordAccessTokenRequestConverter implements AuthenticationConverter {
     /*
     *   `
-    *      CustomGrantAuthenticationToken <- OAuth2ClientAuthenticationToken
+    *      EasyPlusGrantAuthenticationToken <- OAuth2ClientAuthenticationToken
     *
     * */
     @Override
     public Authentication convert(HttpServletRequest request) {
 
         OAuth2ClientAuthenticationToken oAuth2ClientAuthenticationToken = (OAuth2ClientAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
 
-        Map<String, Object> additionalParameters = RequestOAuth2Distiller.getTokenUsingSecurityAdditionalParameters(request);
+        Map<String, Object> additionalParameters = EasyPlusOAuth2EndpointUtils.getApiParameters(request);
 
+        //  additionalParameters.put(Principal.class.getName(), easyPlusGrantAuthenticationToken);
 
-        EasyPlusGrantAuthenticationToken easyPlusGrantAuthenticationToken = new EasyPlusGrantAuthenticationToken(new AuthorizationGrantType((String) additionalParameters.get("grant_type")),
+        return new EasyPlusGrantAuthenticationToken(new AuthorizationGrantType((String) additionalParameters.get("grant_type")),
                 oAuth2ClientAuthenticationToken, additionalParameters);
-      //  additionalParameters.put(Principal.class.getName(), easyPlusGrantAuthenticationToken);
-
-        return easyPlusGrantAuthenticationToken;
     }
 
 }

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/message/DefaultSecurityUserExceptionMessage.java

@@ -25,7 +25,15 @@ public enum DefaultSecurityUserExceptionMessage implements ExceptionMessageInter
     AUTHENTICATION_WRONG_CLIENT_ID_SECRET("Client information is not verified."),
 
     // GRANT TYPE
-    AUTHENTICATION_WRONG_GRANT_TYPE("Wrong Grant Type detected.");
+    AUTHENTICATION_WRONG_GRANT_TYPE("Wrong Grant Type detected."),
+
+    // OAuth2 : Authorization Code
+    AUTHENTICATION_AUTHORIZATION_CODE_REQUEST_WRONG_METHOD("Wrong Authorization Code request."),
+    AUTHENTICATION_CLIENT_ID_MISSING("Client ID is missing."),
+    AUTHENTICATION_REDIRECT_URI_MISSING("Redirect URI is missing."),
+    AUTHENTICATION_STATE_MISSING("State is missing."),
+    AUTHENTICATION_REGISTERED_CLIENT_NOT_FOUND("Registered client is missing or invalid"),
+    AUTHENTICATION_AUTHORIZATION_CODE_MISSING("Authorization Code is missing.");
 
     private String message;