Merge branch 'normalize-grant-type'

Author: patternhelloworld

client/src/main/java/com/patternhelloworld/securityhelper/oauth2/client/config/securityimpl/message/CustomSecurityUserExceptionMessage.java

@@ -27,6 +27,7 @@ public enum CustomSecurityUserExceptionMessage implements ExceptionMessageInterf
 
     // GRANT TYPE
     AUTHENTICATION_WRONG_GRANT_TYPE("1Wrong Grant Type detected."),
+    AUTHENTICATION_WRONG_COMBINATION_OF_GRANT_TYPE_RESPONSE_TYPE("1Grant Type doesn't match response type."),
 
     // OAuth2 : Authorization Code
     AUTHENTICATION_AUTHORIZATION_CODE_REQUEST_WRONG_METHOD("1Wrong Authorization Code request."),

client/src/main/java/com/patternhelloworld/securityhelper/oauth2/client/config/securityimpl/response/CustomApiAuthenticationSuccessHandlerImpl.java

@@ -1,6 +1,7 @@
 package com.patternhelloworld.securityhelper.oauth2.client.config.securityimpl.response;
 
 
+import com.mysema.commons.lang.Assert;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.message.DefaultSecurityUserExceptionMessage;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.message.ISecurityUserExceptionMessageService;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.response.error.dto.EasyPlusErrorMessages;
@@ -41,8 +42,7 @@
 @RequiredArgsConstructor
 public class CustomApiAuthenticationSuccessHandlerImpl implements AuthenticationSuccessHandler {
 
-    private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter =
-            new OAuth2AccessTokenResponseHttpMessageConverter();
+    private final HttpMessageConverter<OAuth2AccessTokenResponse> accessTokenHttpResponseConverter = new OAuth2AccessTokenResponseHttpMessageConverter();
 
 
     private final ISecurityUserExceptionMessageService iSecurityUserExceptionMessageService;
@@ -56,25 +56,38 @@ public void onAuthenticationSuccess(final HttpServletRequest request, final Http
         OAuth2RefreshToken refreshToken = accessTokenAuthentication.getRefreshToken();
         Map<String, Object> additionalParameters = accessTokenAuthentication.getAdditionalParameters();
 
-        if (((String) additionalParameters.get("grant_type")).equals(AuthorizationGrantType.PASSWORD.getValue())
-          || ((String) additionalParameters.get("grant_type")).equals(OAuth2ParameterNames.CODE)) {
-            OAuth2AccessTokenResponse.Builder builder = OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue())
-                    .tokenType(accessToken.getTokenType())
-                    .scopes(accessToken.getScopes());
-            if (accessToken.getExpiresAt() != null) {
-                builder.expiresIn(ChronoUnit.SECONDS.between(Instant.now(), accessToken.getExpiresAt()));
-            }
-            if (refreshToken != null) {
-                builder.refreshToken(refreshToken.getTokenValue());
+        if (((String) additionalParameters.get("grant_type")).equals(AuthorizationGrantType.PASSWORD.getValue()) || ((String) additionalParameters.get("grant_type")).equals(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())) {
+
+            if (AuthorizationGrantType.PASSWORD.getValue().equals(additionalParameters.get("grant_type")) &&
+                    OAuth2ParameterNames.CODE.equals(additionalParameters.get("response_type"))) {
+
+                String code = (String) additionalParameters.get("code");
+
+                Assert.notNull(code, "code is required");
+
+                String jsonResponse = String.format("{\"code\":\"%s\"}", code);
+
+                response.setContentType("application/json");
+                response.setCharacterEncoding("UTF-8");
+                response.getWriter().write(jsonResponse);
+
+            } else {
+
+                OAuth2AccessTokenResponse.Builder builder = OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue()).tokenType(accessToken.getTokenType()).scopes(accessToken.getScopes());
+                if (accessToken.getExpiresAt() != null) {
+                    builder.expiresIn(ChronoUnit.SECONDS.between(Instant.now(), accessToken.getExpiresAt()));
+                }
+                if (refreshToken != null) {
+                    builder.refreshToken(refreshToken.getTokenValue());
+                }
+                OAuth2AccessTokenResponse accessTokenResponse = builder.build();
+                ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
+                this.accessTokenHttpResponseConverter.write(accessTokenResponse, null, httpResponse);
+
             }
-            OAuth2AccessTokenResponse accessTokenResponse = builder.build();
-            ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
-            this.accessTokenHttpResponseConverter.write(accessTokenResponse, null, httpResponse);
 
         } else if (((String) additionalParameters.get("grant_type")).equals(AuthorizationGrantType.REFRESH_TOKEN.getValue())) {
-            OAuth2AccessTokenResponse.Builder builder = OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue())
-                    .tokenType(accessToken.getTokenType())
-                    .scopes(accessToken.getScopes());
+            OAuth2AccessTokenResponse.Builder builder = OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue()).tokenType(accessToken.getTokenType()).scopes(accessToken.getScopes());
             if (refreshToken.getExpiresAt() != null) {
                 builder.expiresIn(ChronoUnit.SECONDS.between(Instant.now(), refreshToken.getExpiresAt()));
             }
@@ -85,23 +98,8 @@ public void onAuthenticationSuccess(final HttpServletRequest request, final Http
             ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
             this.accessTokenHttpResponseConverter.write(accessTokenResponse, null, httpResponse);
 
-        } else if (((String) additionalParameters.get("grant_type")).equals(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())) {
-            // Authorization Code만 JSON으로 응답
-            String code = (String) additionalParameters.get("authorization_code");
-
-            // JSON 응답 생성 (authorization_code만 포함)
-            String jsonResponse = String.format("{\"code\":\"%s\"}", code);
-
-            // JSON 응답 전송
-            response.setContentType("application/json");
-            response.setCharacterEncoding("UTF-8");
-            response.getWriter().write(jsonResponse);
-
         } else {
-            throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder()
-                    .message("Wrong grant type from Req : " + (String) additionalParameters.get("grant_type"))
-                    .userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_WRONG_GRANT_TYPE))
-                    .build());
+            throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().message("Wrong grant type from Req : " + (String) additionalParameters.get("grant_type")).userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_WRONG_GRANT_TYPE)).build());
         }
     }
 

client/src/main/resources/templates/login.html

@@ -1,7 +1,7 @@
 <!DOCTYPE html>
 <html lang="en" xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org">
 <head>
-    <meta charset="utf-8" />
+    <meta charset="utf-8"/>
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>Spring Authorization Server Sample</title>
     <style>
@@ -11,11 +11,13 @@
             border: 1px solid transparent;
             border-radius: 4px;
         }
+
         .alert-danger {
             color: #a94442;
             background-color: #f2dede;
             border-color: #ebccd1;
         }
+
         .alert-success {
             color: #3c763d;
             background-color: #dff0d8;
@@ -69,7 +71,7 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
             const password = passwordInput.value;
 
             // Extract query parameters from the current URL
-            const { client_id, state, scope, redirect_uri } = getQueryParameters();
+            const {client_id, state, scope, redirect_uri} = getQueryParameters();
 
             // Basic Auth header creation
             const clientSecret = '12345'; // Enter client secret
@@ -86,7 +88,8 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
                     body: new URLSearchParams({
                         'username': username,
                         'password': password,
-                        'grant_type': "authorization_code"
+                        'grant_type': "password",
+                        'response_type': "code"
                     })
                 });
 
@@ -99,6 +102,8 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
                 const tokenResult = await tokenResponse.json();
                 const authorizationCode = tokenResult.code; // Extract authorization code
 
+                console.log(tokenResult)
+
                 // Build the dynamic authorization URL
                 const authorizeUrl = `/oauth2/authorize?response_type=code&client_id=${client_id}&code=${authorizationCode}&state=${encodeURIComponent(state)}&scope=${encodeURIComponent(scope)}&redirect_uri=${encodeURIComponent(redirect_uri)}`;
 

client/src/test/java/com/patternhelloworld/securityhelper/oauth2/client/integration/auth/CustomerIntegrationTest.java

@@ -449,12 +449,11 @@ public void test_SameAppTokensUseSameAccessToken_ORIGINAL() throws Exception {
     @Test
     public void testLoginWithInvalidCredentials_ORIGINAL() throws Exception {
 
-
         MvcResult result = mockMvc.perform(RestDocumentationRequestBuilders.post("/oauth2/token")
-                        .header(HttpHeaders.AUTHORIZATION, basicHeader)
+                        .header(HttpHeaders.AUTHORIZATION, "Basic " + DatatypeConverter.printBase64Binary((appUserClientId + "wrongcred:" + appUserClientSecret).getBytes("UTF-8")))
                         .contentType(MediaType.APPLICATION_FORM_URLENCODED)
                         .param("grant_type", "password")
-                        .param("username", testUserName + "wrongcredential")
+                        .param("username", testUserName)
                         .param("password", testUserPassword))
                 .andExpect(status().isUnauthorized()) // 401
                 .andDo(document( "{class-name}/{method-name}/oauth-access-token",
@@ -476,37 +475,7 @@ public void testLoginWithInvalidCredentials_ORIGINAL() throws Exception {
         JSONObject jsonResponse = new JSONObject(responseString);
         String userMessage = jsonResponse.getString("userMessage");
 
-        //assertEquals(userMessage, CustomSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_FAILURE.getMessage());
-        assertTrue(userMessage.contains("NOT Found"));
-
-
-        result = mockMvc.perform(RestDocumentationRequestBuilders.post("/oauth2/token")
-                        .header(HttpHeaders.AUTHORIZATION, "Basic " + DatatypeConverter.printBase64Binary((appUserClientId + "wrongcred:" + appUserClientSecret).getBytes("UTF-8")))
-                        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
-                        .param("grant_type", "password")
-                        .param("username", testUserName)
-                        .param("password", testUserPassword))
-                .andExpect(status().isUnauthorized()) // 401
-                .andDo(document( "{class-name}/{method-name}/oauth-access-token",
-                        preprocessRequest(new AccessTokenMaskingPreprocessor()),
-                        preprocessResponse(new AccessTokenMaskingPreprocessor(), prettyPrint()),
-                        requestHeaders(
-                                headerWithName(HttpHeaders.AUTHORIZATION).description("Connect the received client_id and client_secret with ':', use the base64 function, and write Basic at the beginning. ex) Basic base64(client_id:client_secret)"),
-                                headerWithName(EasyPlusHttpHeaders.APP_TOKEN).optional().description("Not having a value does not mean you cannot log in, but cases without an App-Token value share the same access_token. Please include it as a required value according to the device-specific session policy.")
-                        ),
-                        formParameters(
-                                parameterWithName("grant_type").description("Uses the password method among Oauth2 grant_types. Please write password."),
-                                parameterWithName("username").description("This is the user's email address."),
-                                parameterWithName("password").description("This is the user's password.")
-                        )))
-                .andReturn();
-
-
-        responseString = result.getResponse().getContentAsString(StandardCharsets.UTF_8);
-        jsonResponse = new JSONObject(responseString);
-        userMessage = jsonResponse.getString("userMessage");
-
-        assertEquals(userMessage, CustomSecurityUserExceptionMessage.AUTHENTICATION_WRONG_CLIENT_ID_SECRET.getMessage());
+        assertEquals(userMessage, CustomSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR.getMessage());
 
 
 

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/AuthorizationCodeAuthorizationRequestConverter.java

@@ -59,7 +59,7 @@ public Authentication convert(HttpServletRequest request) {
             throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_AUTHORIZATION_CODE_REQUEST_WRONG_METHOD));
         }
 
-        MultiValueMap<String, String> parameters = EasyPlusOAuth2EndpointUtils.getWebParameters(request);
+        MultiValueMap<String, String> parameters = EasyPlusOAuth2EndpointUtils.getWebParametersContainingEasyPlusHeaders(request);
 
         String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
         if (!StringUtils.hasText(clientId)) {

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/OpaqueGrantTypeAccessTokenRequestConverter.java

@@ -0,0 +1,46 @@
+package io.github.patternhelloworld.securityhelper.oauth2.api.config.security.converter.auth.endpoint;
+
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.EasyPlusOAuth2EndpointUtils;
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
+import org.springframework.security.web.authentication.AuthenticationConverter;
+
+import java.util.Map;
+
+@RequiredArgsConstructor
+public final class OpaqueGrantTypeAccessTokenRequestConverter implements AuthenticationConverter {
+
+    @Override
+    public Authentication convert(HttpServletRequest request) {
+
+        Map<String, Object> allParameters = EasyPlusOAuth2EndpointUtils.getApiParametersContainingEasyPlusHeaders(request);
+
+        String clientId = allParameters.get("client_id").toString();
+
+        // All token requests are "CLIENT_SECRET_BASIC"
+        ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
+        Object credentials = null;
+
+        OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.authorizationCode()
+                .clientId(clientId)
+                .authorizationUri(request.getRequestURL().toString())
+                .additionalParameters(allParameters)
+                .build();
+
+        allParameters.put(OAuth2AuthorizationRequest.class.getName(), authorizationRequest);
+
+        return new OAuth2ClientAuthenticationToken(
+                clientId,
+                clientAuthenticationMethod,
+                credentials,
+                allParameters
+        );
+    }
+
+
+
+}

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/PasswordAccessTokenRequestConverter.java

@@ -141,9 +141,9 @@ public class EasyPlusAuthorization {
     private String deviceCodeMetadata;
 
 
-    public void hashSetAuthorizationCodeValue(String authorizationCodeValue) {
+/*    public void hashSetAuthorizationCodeValue(String authorizationCodeValue) {
         this.authorizationCodeValue = CustomAuthenticationKeyGenerator.hashTokenValue(authorizationCodeValue);
-    }
+    }*/
     public void hashSetAccessTokenValue(String accessTokenValue) {
         this.accessTokenValue = CustomAuthenticationKeyGenerator.hashTokenValue(accessTokenValue);
     }

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/entity/EasyPlusAuthorization.java

@@ -26,6 +26,7 @@ public enum DefaultSecurityUserExceptionMessage implements ExceptionMessageInter
 
     // GRANT TYPE
     AUTHENTICATION_WRONG_GRANT_TYPE("Wrong Grant Type detected."),
+    AUTHENTICATION_WRONG_COMBINATION_OF_GRANT_TYPE_RESPONSE_TYPE("Grant Type doesn't match response type."),
 
     // OAuth2 : Authorization Code
     AUTHENTICATION_AUTHORIZATION_CODE_REQUEST_WRONG_METHOD("Wrong Authorization Code request."),