fix : clarify basic token error messages and correct the postman sample

Author: patternhelloworld

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/OpaqueGrantTypeAccessTokenRequestConverter.java renamed to lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter.java

@@ -12,13 +12,14 @@
 import java.util.Map;
 
 @RequiredArgsConstructor
-public final class OpaqueGrantTypeAccessTokenRequestConverter implements AuthenticationConverter {
+public final class OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter implements AuthenticationConverter {
 
     @Override
     public Authentication convert(HttpServletRequest request) {
 
         Map<String, Object> allParameters = EasyPlusOAuth2EndpointUtils.getApiParametersContainingEasyPlusHeaders(request);
 
+        // ClientId is a must
         String clientId = allParameters.get("client_id").toString();
 
         // All token requests are "CLIENT_SECRET_BASIC"
@@ -34,11 +35,11 @@ public Authentication convert(HttpServletRequest request) {
         allParameters.put(OAuth2AuthorizationRequest.class.getName(), authorizationRequest);
 
         return new OAuth2ClientAuthenticationToken(
-                clientId,
-                clientAuthenticationMethod,
-                credentials,
-                allParameters
-        );
+                 clientId,
+                 clientAuthenticationMethod,
+                 credentials,
+                 allParameters
+         );
     }
 
 

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/provider/auth/endpoint/OpaqueGrantTypeAuthenticationProvider.java

@@ -53,18 +53,16 @@ public Authentication authenticate(Authentication authentication)
         try {
             if (authentication instanceof OAuth2ClientAuthenticationToken token) {
 
-                // [NOTICE] If an incorrect client ID or Secret is detected, the OpaqueGrantTypeAccessTokenRequestConverter is not be invoked, which means there is NO additional parameters.
+                // [NOTICE] If an incorrect client ID or Secret is detected, the OpaqueGrantTypeAccessTokenRequestConverter is not be invoked, which means there is NO mandatory client_id header parameter.
                 // For reference, if an incorrect Basic header, such as base64(client_id:<--no secret here-->), is detected, the ClientSecretBasicAuthenticationConverter handles it directly and passes it to the AuthenticationFailureHandler.
-                if (token.getAdditionalParameters() == null || token.getAdditionalParameters().isEmpty()) {
-                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("No additional parameters found. OpaqueGrantTypeAccessTokenRequestConverter was not invoked. This may indicate an incorrect client_id.").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
+                String clientId = token.getAdditionalParameters().getOrDefault("client_id", "").toString();
+                if (clientId.isEmpty()) {
+                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("Invalid Request. OpaqueGrantTypeAccessTokenRequestConverter was not invoked. This may indicate incorrect payloads.").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
                 }
 
                 Map<String, Object> modifiableAdditionalParameters = new HashMap<>(token.getAdditionalParameters());
 
-                String clientId = modifiableAdditionalParameters.getOrDefault("client_id", "").toString();
-                if (clientId.isEmpty()) {
-                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("No client_id key found").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
-                }
+
                 UserDetails userDetails;
 
                 String grantType = modifiableAdditionalParameters.getOrDefault("grant_type", "").toString();

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/server/EasyPlusServerConfig.java

@@ -4,7 +4,7 @@
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.aop.DefaultSecurityPointCut;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.aop.SecurityPointCut;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint.AuthorizationCodeAuthorizationRequestConverter;
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint.OpaqueGrantTypeAccessTokenRequestConverter;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint.OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint.IntrospectionRequestConverter;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.dao.EasyPlusAuthorizationConsentRepository;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.introspector.DefaultResourceServerTokenIntrospector;
@@ -145,7 +145,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(
                 .tokenEndpoint(tokenEndpoint ->
                         tokenEndpoint
                                 // Converter
-                                .accessTokenRequestConverter(new OpaqueGrantTypeAccessTokenRequestConverter())
+                                .accessTokenRequestConverter(new OpaqueGrantTypeClientIdMandatoryAccessTokenRequestConverter())
                                 // Provider
                                 .authenticationProvider(new OpaqueGrantTypeAuthenticationProvider(
                                         commonOAuth2AuthorizationSaver, conditionalDetailsService, oauth2AuthenticationHashCheckService,

postman/sc-oauth2-pji.postman_collection.json

@@ -175,17 +175,6 @@
 									"key": "grant_type",
 									"value": "password",
 									"type": "text"
-								},
-								{
-									"key": "otp_value",
-									"value": "555555",
-									"type": "text"
-								},
-								{
-									"key": "",
-									"value": "aaab",
-									"type": "text",
-									"disabled": true
 								}
 							]
 						},
@@ -204,7 +193,7 @@
 					"response": []
 				},
 				{
-					"name": "oauth2/token (Authorization code)",
+					"name": "oauth2/token (Access Token, Response Type = code)",
 					"protocolProfileBehavior": {
 						"disabledSystemHeaders": {
 							"accept-encoding": true,
@@ -256,29 +245,97 @@
 								{
 									"key": "username",
 									"value": "[email protected]",
-									"type": "text",
-									"disabled": true
+									"type": "text"
 								},
 								{
 									"key": "password",
 									"value": "1234",
-									"type": "text",
-									"disabled": true
+									"type": "text"
 								},
 								{
 									"key": "grant_type",
+									"value": "password",
+									"type": "text"
+								},
+								{
+									"key": "response_type",
 									"value": "code",
 									"type": "text"
+								}
+							]
+						},
+						"url": {
+							"raw": "{{PROTOCOL}}://{{HOST}}/oauth2/token",
+							"protocol": "{{PROTOCOL}}",
+							"host": [
+								"{{HOST}}"
+							],
+							"path": [
+								"oauth2",
+								"token"
+							]
+						}
+					},
+					"response": []
+				},
+				{
+					"name": "oauth2/token (Authorization code)",
+					"protocolProfileBehavior": {
+						"disabledSystemHeaders": {
+							"accept-encoding": true,
+							"content-type": true,
+							"accept": true,
+							"connection": true
+						}
+					},
+					"request": {
+						"auth": {
+							"type": "basic",
+							"basic": [
+								{
+									"key": "username",
+									"value": "client_customer",
+									"type": "string"
 								},
 								{
-									"key": "otp_value",
-									"value": "555555",
-									"type": "text",
-									"disabled": true
+									"key": "password",
+									"value": "12345",
+									"type": "string"
+								}
+							]
+						},
+						"method": "POST",
+						"header": [
+							{
+								"key": "Accept",
+								"value": "application/json"
+							},
+							{
+								"key": "X-Requested-With",
+								"value": "XMLHttpRequest",
+								"disabled": true
+							},
+							{
+								"key": "Content-Type",
+								"value": "application/x-www-form-urlencoded"
+							},
+							{
+								"key": "App-Token",
+								"value": "aaa",
+								"type": "text"
+							}
+						],
+						"body": {
+							"mode": "urlencoded",
+							"urlencoded": [
+								{
+									"key": "grant_type",
+									"value": "authorization_code",
+									"type": "text"
 								},
 								{
 									"key": "code",
-									"value": "dab73d72-e27d-4018-88f2-36e4f342221d",
+									"value": "692b2017-d14a-4279-b673-371c24fb18951",
 									"type": "text"
 								}
 							]
@@ -342,33 +399,9 @@
 						"body": {
 							"mode": "urlencoded",
 							"urlencoded": [
-								{
-									"key": "username",
-									"value": "[email protected]",
-									"type": "text",
-									"disabled": true
-								},
-								{
-									"key": "password",
-									"value": "ged22sgesA",
-									"type": "text",
-									"disabled": true
-								},
-								{
-									"key": "grant_type",
-									"value": "password",
-									"type": "text",
-									"disabled": true
-								},
-								{
-									"key": "otp_value",
-									"value": "555555",
-									"type": "text",
-									"disabled": true
-								},
 								{
 									"key": "token",
-									"value": "rVI-3U176t2RfP5U0fqmJrCjaWPYg1loD25rKsrcT2rfG2cpfhJYjloapw9MGVbGNTYWN_U_8uPG9nlFrt_96DFb2SKhRIzxTQqieh7xQxNzs1SkBLZuxZ4YlobASwfC",
+									"value": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjaWNkQHRlc3QuY29tIiwiYXVkIjoiY2xpZW50X2N1c3RvbWVyIiwibmJmIjoxNzM2NTY3NjI4LCJzY29wZSI6WyJyZWFkIiwib3BlbmlkIiwicHJvZmlsZSIsIndyaXRlIl0sImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODM3MCIsImV4cCI6MTczNjU2ODIyOCwiaWF0IjoxNzM2NTY3NjI4LCJqdGkiOiJiZTg1MmVmNi00OWU1LTQ1NDMtYjMyOC00MDQ2OWI2MzVmZTUiLCJjbGllbnRfaWQiOiJjbGllbnRfY3VzdG9tZXIiLCJ1c2VybmFtZSI6ImNpY2RAdGVzdC5jb20ifQ.D2NfJuDDcBqP_zp7AbYdwxdP033h18Pu-oVm72RR8to1",
 									"type": "text"
 								}
 							]
@@ -437,22 +470,10 @@
 									"value": "e1f3f851-30a2-491c-8c7e-040350029061",
 									"type": "text"
 								},
-								{
-									"key": "password",
-									"value": "#ys350791A",
-									"type": "text",
-									"disabled": true
-								},
 								{
 									"key": "grant_type",
 									"value": "refresh_token",
 									"type": "text"
-								},
-								{
-									"key": "otp_value",
-									"value": "555555",
-									"type": "text",
-									"disabled": true
 								}
 							]
 						},
@@ -502,11 +523,6 @@
 								"key": "Accept",
 								"value": "application/json"
 							},
-							{
-								"key": "X-Requested-With",
-								"value": "XMLHttpRequest",
-								"disabled": true
-							},
 							{
 								"key": "Content-Type",
 								"value": "application/x-www-form-urlencoded"
@@ -520,22 +536,10 @@
 									"value": "e1f3f851-30a2-491c-8c7e-040350029061",
 									"type": "text"
 								},
-								{
-									"key": "password",
-									"value": "#ys350791A",
-									"type": "text",
-									"disabled": true
-								},
 								{
 									"key": "grant_type",
 									"value": "refresh_token",
 									"type": "text"
-								},
-								{
-									"key": "otp_value",
-									"value": "555555",
-									"type": "text",
-									"disabled": true
 								}
 							]
 						},