feature : authorization consent module & fix : normalize scopes

Author: patternhelloworld

README.md

@@ -228,7 +228,6 @@ public class CommonDataSourceConfiguration {
 * Refer to ``client/src/docs/asciidoc/api-app.adoc``
 
 ## OAuth2 - Authorization Code
-- Beta
 - How to set it up
     1. Create your own login page with the /login route as indicated in the client project (In the future, this address will be customisable):
   ```java

client/src/main/java/com/patternhelloworld/securityhelper/oauth2/client/config/securityimpl/response/CustomWebAuthenticationFailureHandlerImpl.java

@@ -17,7 +17,9 @@
 
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 @Primary
 @Qualifier("webAuthenticationFailureHandler")
@@ -47,6 +49,28 @@ public void onAuthenticationFailure(HttpServletRequest request, HttpServletRespo
                 request.getRequestDispatcher("/login").forward(request, response);
                 return;
             }
+            if(oauth2Exception.getError().getErrorCode().equals(ErrorCodeConstants.REDIRECT_TO_CONSENT)){
+                // Construct full URL
+                String fullURL = request.getRequestURL().toString();
+                if (request.getQueryString() != null) {
+                    fullURL += "?" + request.getQueryString();
+                }
+                Map<String, String> consentAttributes = new HashMap<>();
+                consentAttributes.put("clientId", request.getParameter("client_id"));
+                consentAttributes.put("redirectUri", request.getParameter("redirect_uri"));
+                consentAttributes.put("code", request.getParameter("code"));
+                consentAttributes.put("state", request.getParameter("state"));
+                consentAttributes.put("scope", request.getParameter("scope"));
+                if(request.getParameter("code_challenge") == null || request.getParameter("code_challenge_method") == null) {
+                    consentAttributes.put("codeChallenge", request.getParameter("code_challenge"));
+                    consentAttributes.put("codeChallengeMethod", request.getParameter("code_challenge_method"));
+                }
+                consentAttributes.put("consentRequestURI", fullURL);
+
+                request.setAttribute("consentAttributes", consentAttributes);
+                request.getRequestDispatcher("/consent").forward(request, response);
+                return;
+            }
         }
         request.setAttribute("errorMessage", errorMessage);
         request.setAttribute("errorDetails", errorDetails);

client/src/main/java/com/patternhelloworld/securityhelper/oauth2/client/domain/common/web/LoginWeb.java renamed to client/src/main/java/com/patternhelloworld/securityhelper/oauth2/client/domain/common/web/AuthorizationCodeRequestWeb.java

@@ -6,7 +6,7 @@
 import org.springframework.web.bind.annotation.GetMapping;
 
 @Controller
-public class LoginWeb {
+public class AuthorizationCodeRequestWeb {
     @GetMapping("/login")
     public String loginPage(HttpServletRequest request, Model model) {
         Object errorMessages = request.getAttribute("errorMessages");
@@ -15,4 +15,13 @@ public String loginPage(HttpServletRequest request, Model model) {
         }
         return "login";
     }
+
+    @GetMapping("/consent")
+    public String consentPage(HttpServletRequest request, Model model) {
+        Object errorMessages = request.getAttribute("errorMessages");
+        if (errorMessages != null) {
+            model.addAttribute("errorMessages", errorMessages);
+        }
+        return "consent";
+    }
 }

client/src/main/resources/application.properties

@@ -96,3 +96,5 @@ patternhelloworld.securityhelper.oauth2.introspection.client-secret=12345
 
 patternhelloworld.securityhelper.jwt.secret=5pAq6zRyX8bC3dV2wS7gN1mK9jF0hL4tUoP6iBvE3nG8xZaQrY7cW2fA
 patternhelloworld.securityhelper.jwt.algorithm=HmacSHA256
+
+patternhelloworld.securityhelper.authorization-code.consent=Y

client/src/main/resources/templates/consent.html

@@ -7,8 +7,7 @@
 
     <script>
         function cancelConsent() {
-            document.consent_form.reset();
-            document.consent_form.submit();
+            alert("Create your own Cancel logic.")
         }
     </script>
 </head>
@@ -21,17 +20,17 @@ <h1 class="text-center text-primary">App permissions</h1>
         <div class="col text-center">
             <p>
                 The application
-                <span class="fw-bold text-primary" th:text="${clientId}"></span>
+                <span class="fw-bold text-primary" th:if="${clientId}" th:text="${clientId}">[client_id]</span>
                 wants to access your account
-                <span class="fw-bold" th:text="${principalName}"></span>
+                <span class="fw-bold" th:if="${principalName}" th:text="${principalName}">[principal_name]</span>
             </p>
         </div>
     </div>
     <div th:if="${userCode}" class="row">
         <div class="col text-center">
             <p class="alert alert-warning">
                 You have provided the code
-                <span class="fw-bold" th:text="${userCode}"></span>.
+                <span class="fw-bold" th:text="${userCode}">[user_code]</span>.
                 Verify that this code matches what is shown on your device.
             </p>
         </div>
@@ -46,35 +45,15 @@ <h1 class="text-center text-primary">App permissions</h1>
     </div>
     <div class="row">
         <div class="col text-center">
-            <form name="consent_form" method="post" th:action="${consentRequestURI}">
-                <input type="hidden" name="client_id" th:value="${clientId}">
-                <input type="hidden" name="redirect_uri" th:value="${redirectUri}">
-                <input type="hidden" name="code" th:value="${code}">
-
-                <div th:each="scope: ${scopes}" class="form-check py-1">
-                    <input class="form-check-input"
-                           style="float: none"
-                           type="checkbox"
-                           name="scope"
-                           th:value="${scope.scope}"
-                           th:id="${scope.scope}">
-                    <label class="form-check-label fw-bold px-2" th:for="${scope.scope}" th:text="${scope.scope}"></label>
-                    <p class="text-primary" th:text="${scope.description}"></p>
-                </div>
-
-                <p th:if="${not #lists.isEmpty(previouslyApprovedScopes)}">
-                    You have already granted the following permissions to the above app:
-                </p>
-                <div th:each="scope: ${previouslyApprovedScopes}" class="form-check py-1">
-                    <input class="form-check-input"
-                           style="float: none"
-                           type="checkbox"
-                           th:id="${scope.scope}"
-                           disabled
-                           checked>
-                    <label class="form-check-label fw-bold px-2" th:for="${scope.scope}" th:text="${scope.scope}"></label>
-                    <p class="text-primary" th:text="${scope.description}"></p>
-                </div>
+            <form name="consent_form" method="post" action="/oauth2/authorize">
+                <input type="hidden" name="client_id" th:value="${consentAttributes.clientId}">
+                <input type="hidden" name="redirect_uri" th:value="${consentAttributes.redirectUri}">
+                <input type="hidden" name="code" th:value="${consentAttributes.code}">
+                <input type="hidden" name="state" th:value="${consentAttributes.state}">
+                <input type="hidden" name="scope" th:value="${consentAttributes.scope}">
+                <input type="hidden" name="consentRequestURI" th:value="${consentAttributes.consentRequestURI}">
+                <input type="hidden" name="code_challenge" th:if="${consentAttributes.codeChallenge}" th:value="${consentAttributes.codeChallenge}">
+                <input type="hidden" name="code_challenge_method" th:if="${consentAttributes.codeChallengeMethod}" th:value="${consentAttributes.codeChallengeMethod}">
 
                 <div class="pt-3">
                     <button class="btn btn-primary btn-lg" type="submit" id="submit-consent">

client/src/main/resources/templates/login.html

@@ -83,7 +83,8 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
                 'username': username,
                 'password': password,
                 'grant_type': "password",
-                'response_type': "code"
+                'response_type': "code",
+                'scope': scope
             };
 
             if (code_challenge && code_challenge_method) {

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/AuthorizationCodeAuthorizationRequestConverter.java

@@ -1,6 +1,7 @@
 package io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint;
 
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.dao.EasyPlusAuthorizationConsentRepository;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.entity.EasyPlusAuthorizationConsent;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.message.DefaultSecurityUserExceptionMessage;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.message.ISecurityUserExceptionMessageService;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.response.error.dto.EasyPlusErrorMessages;
@@ -10,13 +11,16 @@
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.ErrorCodeConstants;
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
@@ -38,6 +42,7 @@ public final class AuthorizationCodeAuthorizationRequestConverter implements Aut
 
     private final ISecurityUserExceptionMessageService iSecurityUserExceptionMessageService;
 
+    private final String consentYN;
 
     private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken("anonymous",
             "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
@@ -55,10 +60,6 @@ public final class AuthorizationCodeAuthorizationRequestConverter implements Aut
     @Override
     public Authentication convert(HttpServletRequest request) {
 
-        if (!"GET".equals(request.getMethod()) && !OIDC_REQUEST_MATCHER.matches(request)) {
-            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_AUTHORIZATION_CODE_REQUEST_WRONG_METHOD));
-        }
-
         MultiValueMap<String, String> parameters = EasyPlusOAuth2EndpointUtils.getWebParametersContainingEasyPlusHeaders(request);
 
         String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
@@ -103,7 +104,7 @@ public Authentication convert(HttpServletRequest request) {
         Set<String> registeredScopes = registeredClient.getScopes(); // Scopes from the RegisteredClient
 
         if (!registeredScopes.containsAll(requestedScopes)) {
-            throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_REDIRECT_URI))
+            throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR))
                     .message("Invalid scopes: " + requestedScopes + ". Allowed scopes: " + registeredScopes).build());
         }
 
@@ -113,6 +114,26 @@ public Authentication convert(HttpServletRequest request) {
                     .errorCode(ErrorCodeConstants.REDIRECT_TO_LOGIN).build());
         }
 
+        // Check Consent
+        if(consentYN.equals("Y")) {
+            OAuth2Authorization oAuth2Authorization = oAuth2AuthorizationService.findByToken(code, new OAuth2TokenType(OAuth2ParameterNames.CODE));
+            EasyPlusAuthorizationConsent easyPlusAuthorizationConsent = easyPlusAuthorizationConsentRepository.findByRegisteredClientIdAndPrincipalName(oAuth2Authorization.getRegisteredClientId(), oAuth2Authorization.getPrincipalName()).orElse(null);
+            if (easyPlusAuthorizationConsent == null) {
+                if (request.getMethod().equals(HttpMethod.POST.toString())) {
+                    // This means the user checks authorization consent OK
+                    easyPlusAuthorizationConsent = new EasyPlusAuthorizationConsent();
+                    easyPlusAuthorizationConsent.setPrincipalName(oAuth2Authorization.getPrincipalName());
+                    easyPlusAuthorizationConsent.setRegisteredClientId(oAuth2Authorization.getRegisteredClientId());
+                    easyPlusAuthorizationConsent.setAuthorities(oAuth2Authorization.getAuthorizedScopes().stream().reduce((scope1, scope2) -> scope1 + "," + scope2).orElse(""));
+                    easyPlusAuthorizationConsentRepository.save(easyPlusAuthorizationConsent);
+                } else {
+                    // This means the user should check authorization consent OK
+                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_AUTHORIZATION_CODE_MISSING))
+                            .errorCode(ErrorCodeConstants.REDIRECT_TO_CONSENT).build());
+                }
+            }
+        }
+
         return new OAuth2AuthorizationCodeAuthenticationToken(
                 code,
                 principal,

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/provider/auth/endpoint/OpaqueGrantTypeAuthenticationProvider.java

@@ -27,8 +27,11 @@
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
 
 /*
  *    1) ROPC (grant_type=password, grant_type=refresh_token)
@@ -102,6 +105,19 @@ public Authentication authenticate(Authentication authentication)
                 if (registeredClient == null) {
                     throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("client_id NOT found in DB").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
                 }
+                Set<String> registeredScopes = registeredClient.getScopes();
+                Set<String> requestedScopes = Arrays.stream(
+                                modifiableAdditionalParameters.getOrDefault(OAuth2ParameterNames.SCOPE, "")
+                                        .toString()
+                                        .split(",")
+                        )
+                        .map(String::trim)
+                        .filter(scope -> !scope.isEmpty())
+                        .collect(Collectors.toSet());
+                if (!registeredScopes.containsAll(requestedScopes)) {
+                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_REDIRECT_URI))
+                            .message("Invalid scopes: " + requestedScopes + ". Allowed scopes: " + registeredScopes).build());
+                }
 
                 if (responseType.equals(OAuth2ParameterNames.CODE)) {
                     // [IMPORTANT] To return the "code" not "access_token". Check "AuthenticationSuccessHandler".

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/response/auth/authentication/DefaultWebAuthenticationFailureHandlerImpl.java

@@ -44,6 +44,10 @@ public void onAuthenticationFailure(HttpServletRequest request, HttpServletRespo
                 request.getRequestDispatcher("/login").forward(request, response);
                 return;
             }
+            if(oauth2Exception.getError().getErrorCode().equals(ErrorCodeConstants.REDIRECT_TO_CONSENT)){
+                request.getRequestDispatcher("/consent").forward(request, response);
+                return;
+            }
         }
         request.setAttribute("errorMessage", errorMessage);
         request.setAttribute("errorDetails", errorDetails);

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/serivce/authentication/OAuth2AuthorizationBuildingServiceImpl.java

@@ -1,8 +1,8 @@
 package io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.authentication;
 
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.token.EasyPlusGrantAuthenticationToken;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.token.generator.CustomAccessTokenCustomizer;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.token.generator.CustomDelegatingOAuth2TokenGenerator;
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.token.EasyPlusGrantAuthenticationToken;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
@@ -22,8 +22,8 @@
 
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.util.Map;
-import java.util.UUID;
+import java.util.*;
+import java.util.stream.Collectors;
 
 /*
 *
@@ -44,6 +44,12 @@ private OAuth2Authorization build(String clientId, UserDetails userDetails,
 
         RegisteredClient registeredClient = registeredClientRepository.findByClientId(clientId);
 
+        Set<String> scopeSet  = new HashSet<>();
+        if(easyPlusGrantAuthenticationToken.getAdditionalParameters().get("scope") != null) {
+            scopeSet = Arrays.stream(easyPlusGrantAuthenticationToken.getAdditionalParameters().get("scope").toString().split(","))
+                    .map(String::trim)
+                    .collect(Collectors.toSet());
+        }
         if(AuthorizationServerContextHolder.getContext() == null){
 
             // If you use "api/v1/traditional-oauth/token", "AuthorizationServerContextHolder.getContext()" is null,
@@ -82,25 +88,26 @@ public AuthorizationServerSettings getAuthorizationServerSettings() {
                 .tokenType(OAuth2TokenType.ACCESS_TOKEN)
                 .authorizationGrantType(easyPlusGrantAuthenticationToken.getGrantType())
                 .authorizationGrant(easyPlusGrantAuthenticationToken)
-                .authorizedScopes(registeredClient.getScopes())
+                .authorizedScopes(scopeSet)
                 .build());
 
-
         OAuth2Token refreshToken = shouldBePreservedRefreshToken != null ? shouldBePreservedRefreshToken : customTokenGenerator.generate(DefaultOAuth2TokenContext.builder()
                 .registeredClient(registeredClient)
                 .authorizationServerContext(AuthorizationServerContextHolder.getContext())
                 .principal(easyPlusGrantAuthenticationToken)
                 .tokenType(OAuth2TokenType.REFRESH_TOKEN)
                 .authorizationGrantType(easyPlusGrantAuthenticationToken.getGrantType())
                 .authorizationGrant(easyPlusGrantAuthenticationToken)
-                .authorizedScopes(registeredClient.getScopes())
+                .authorizedScopes(scopeSet)
                 .build());
 
 
+
         return OAuth2Authorization
                 .withRegisteredClient(registeredClient)
                 .principalName(userDetails.getUsername())
                 .authorizationGrantType(easyPlusGrantAuthenticationToken.getGrantType())
+                .authorizedScopes(scopeSet)
                 .attribute("authorities", easyPlusGrantAuthenticationToken.getAuthorities())
                 .attributes(attrs -> attrs.putAll(easyPlusGrantAuthenticationToken.getAdditionalParameters()))
                 .token(authorizationCode)