feature : PKCE module and its sample

Author: patternhelloworld

README.md

@@ -246,21 +246,15 @@ public class CommonDataSourceConfiguration {
     2. Check the login page at the "resources/templates/login.hml"
     3. Ensure the callback URL (http://localhost:8081/callback1) is properly set in the ``oauth2_registered_client`` table in the database.
 - How to use
-    1. Open the web browser by connecting to ``http://localhost:8370/oauth2/authorize?response_type=code&client_id=client_customer&state=xxx&scope=read&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fcallback1``, using the values from the ``oauth2_registered_client``  2. Now you Login with ``[email protected] / 1234 ``
+    1. Open the web browser by connecting to ``http://localhost:8370/oauth2/authorize?response_type=code&client_id=client_customer&state=xxx&scope=read&redirect_uri=http%3A%2F%2Flocalhost%3A8081%2Fcallback1&code_challenge=HVoKJYs8JruAxs7hKcG4oLpJXCP-z1jJQtXpQte6GyA&code_challenge_method=S256``, using the values from the ``oauth2_registered_client``
+        - PKCE (``code_challege, code_challege_METHOD``) is optional.
+        - PKCE adds a Code Verifier and a Code Challenge to the flow, enhancing the Authorization Code Grant Flow by preventing the issuance of an Access Token if the Authorization Code is compromised.
     2. Login with ``[email protected] / 1234 ``
     3. You will be redirected to
        ``https://localhost:8081/callback1?code=215e9539-1dcb-4843-b1ea-b2d7be0a3c44&state=xxx``
-    4. You can login with this API payload
-    ```http request
-    POST /oauth2/token HTTP/1.1
-    Host: localhost:8370
-    Accept: application/json
-    Content-Type: application/x-www-form-urlencoded
-    App-Token: aaa # You can achieve the separated and shared session using App-Token
-    Authorization: ••••••
-    Content-Length: 57
-    grant_type=code&code=ef5aaaaf-ebae-4677-aac5-abf8e8412f1e
-    ```
+       4. You can login with the API in the Postman
+        - ![img4.png](reference/docs/img.png)
+        - ``code_verifier`` sample : EAp91aanXdoMcoOc2Il55H3UDDIV909k9olEEcl6L24J6_9X
 
 ## Running this App with Docker
 * Use the following module for Blue-Green deployment:

client/src/main/resources/templates/login.html

@@ -62,7 +62,9 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
                 client_id: urlParams.get('client_id'),
                 state: urlParams.get('state'),
                 scope: urlParams.get('scope'),
-                redirect_uri: urlParams.get('redirect_uri')
+                redirect_uri: urlParams.get('redirect_uri'),
+                code_challenge: urlParams.get('code_challenge'),
+                code_challenge_method: urlParams.get('code_challenge_method')
             };
         }
 
@@ -71,12 +73,24 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
             const password = passwordInput.value;
 
             // Extract query parameters from the current URL
-            const {client_id, state, scope, redirect_uri} = getQueryParameters();
+            const {client_id, state, scope, redirect_uri, code_challenge, code_challenge_method} = getQueryParameters();
 
             // Basic Auth header creation
             const clientSecret = '12345'; // Enter client secret
             const basicAuth = btoa(`${client_id}:${clientSecret}`);
 
+            const bodyParams = {
+                'username': username,
+                'password': password,
+                'grant_type': "password",
+                'response_type': "code"
+            };
+
+            if (code_challenge && code_challenge_method) {
+                bodyParams['code_challenge'] = code_challenge;
+                bodyParams['code_challenge_method'] = code_challenge_method;
+            }
+
             try {
                 // First request to obtain the authorization code
                 const tokenResponse = await fetch('/oauth2/token', {
@@ -85,12 +99,7 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
                         'Content-Type': 'application/x-www-form-urlencoded',
                         'Authorization': `Basic ${basicAuth}`
                     },
-                    body: new URLSearchParams({
-                        'username': username,
-                        'password': password,
-                        'grant_type': "password",
-                        'response_type': "code"
-                    })
+                    body: new URLSearchParams(bodyParams)
                 });
 
                 if (!tokenResponse.ok) {
@@ -103,6 +112,7 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
                 const authorizationCode = tokenResult.code; // Extract authorization code
 
                 console.log(tokenResult)
+                console.log("Success : login with the sample (oauth2/token (Access Token, Response Type = code) in the Postman")
 
                 // Build the dynamic authorization URL
                 const authorizeUrl = `/oauth2/authorize?response_type=code&client_id=${client_id}&code=${authorizationCode}&state=${encodeURIComponent(state)}&scope=${encodeURIComponent(scope)}&redirect_uri=${encodeURIComponent(redirect_uri)}`;

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/provider/auth/endpoint/OpaqueGrantTypeAuthenticationProvider.java

@@ -57,7 +57,7 @@ public Authentication authenticate(Authentication authentication)
                 // For reference, if an incorrect Basic header, such as base64(client_id:<--no secret here-->), is detected, the ClientSecretBasicAuthenticationConverter handles it directly and passes it to the AuthenticationFailureHandler.
                 String clientId = token.getAdditionalParameters().getOrDefault("client_id", "").toString();
                 if (clientId.isEmpty()) {
-                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("Invalid Request. OpaqueGrantTypeAccessTokenRequestConverter was not invoked. This may indicate incorrect payloads.").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
+                    throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("Invalid Request. OpaqueGrantTypeAccessTokenRequestConverter was not invoked. This may indicate incorrect payloads or expired code or code_verifier.").userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR)).build());
                 }
 
                 Map<String, Object> modifiableAdditionalParameters = new HashMap<>(token.getAdditionalParameters());

postman/sc-oauth2-pji.postman_collection.json

@@ -335,7 +335,14 @@
 								},
 								{
 									"key": "code",
-									"value": "692b2017-d14a-4279-b673-371c24fb18951",
+									"value": "df330c3c-0f45-4b80-89c4-4c4a10e78e91",
+									"description": "Only one time valid",
+									"type": "text"
+								},
+								{
+									"key": "code_verifier",
+									"value": "EAp91aanXdoMcoOc2Il55H3UDDIV909k9olEEcl6L24J6_9X",
+									"description": "Only one time valid",
 									"type": "text"
 								}
 							]