authorization code module (in development - 3)

Author: patternhelloworld

README.md

@@ -193,7 +193,7 @@ public class CommonDataSourceConfiguration {
 * Refer to ``client/src/docs/asciidoc/api-app.adoc``
 
 ## OAuth2 - Authorization Code
-* Open the web browser by connecting to ``http://localhost:8370/oauth2/authorization?code=32132&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1``
+* Open the web browser by connecting to ``http://localhost:8370/oauth2/authorization?code=32132&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1``, using the values from the ``oauth2_registered_client``
 * Login with ``[email protected] / 1234 ``
 
 ## Running this App with Docker

client/src/main/java/com/patternknife/securityhelper/oauth2/client/config/logger/module/ResponseErrorLogConfig.java

@@ -21,7 +21,7 @@ public class ResponseErrorLogConfig {
     private static final Logger logger = LoggerFactory.getLogger(ResponseErrorLogConfig.class);
 
 
-    @AfterReturning(pointcut = ("within(com.patternknife.securityhelper.oauth2.client.config.response.error..*)"),
+    @AfterReturning(pointcut = ("within(com.patternknife.securityhelper.oauth2.client.config.response.error..*) || within(io.github.patternknife.securityhelper.oauth2.api.config.security.response.error.handler..*)"),
             returning = "returnValue")
     public void endpointAfterExceptionReturning(JoinPoint p, Object returnValue) {
 

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/KnifeAuthorizationCodeRequestConverterController.java

@@ -50,28 +50,28 @@ public KnifeAuthorizationCodeRequestConverterController(RegisteredClientReposito
 
 
     @PostMapping("/oauth2/authorization")
-    public String authorize(@RequestParam(OAuth2ParameterNames.CLIENT_ID) String clientId,
-                            @RequestParam(OAuth2ParameterNames.STATE) String state,
-                            @RequestParam(OAuth2ParameterNames.SCOPE) Set<String> scopes,
-                            @RequestParam(name = OAuth2ParameterNames.CODE, required = false) String authorizationCode,
-                            @RequestParam(name = "consent_action", required = false) String consentAction,
-                            Model model) {
+    public String authorize(Model model, @RequestParam(OAuth2ParameterNames.CLIENT_ID) String clientId,
+                            @RequestParam(OAuth2ParameterNames.REDIRECT_URI) String redirectUri,
+                            @RequestParam(name = OAuth2ParameterNames.CODE) String authorizationCode) {
         // 예시: 클라이언트의 등록된 콜백 URL 가져오기
         RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
-        String redirectUri = registeredClient.getRedirectUris().iterator().next();
-
-        // 승인된 스코프를 바탕으로 Authorization Code 생성 로직
-        // Authorization Code를 생성하여 저장하고 해당 코드를 콜백 URL로 리다이렉트합니다.
-        if ("approve".equals(consentAction)) {
-            // 실제로는 이곳에서 OAuth2Authorization 객체를 생성하고 저장하는 로직 필요
-             authorizationCode = "generated-authorization-code"; // 실제 생성된 코드로 교체
-
-            // 콜백 URL로 리다이렉트하며 Authorization Code를 전달
-            return "redirect:" + redirectUri + "?code=" + authorizationCode + "&state=" + state;
-        } else {
-            // 거부한 경우 에러 페이지 혹은 다시 로그인 페이지로 리다이렉트
-            return "redirect:/login?error=access_denied";
+        if (!registeredClient.getRedirectUris().contains(redirectUri)) {
+            logger.error("message (Invalid redirect URI when consenting): "
+                    + "authorizationCode=" + authorizationCode + ", "
+                    + "clientId=" + clientId + ", "
+                    + "redirectUri=" + redirectUri + ", "
+                    + "registeredRedirectUris=" + registeredClient.getRedirectUris().toString());
+            model.addAttribute("userMessage", iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_REDIRECT_URI));
+            return "error";
         }
+
+        OAuth2Authorization oAuth2Authorization = oAuth2AuthorizationService.findByToken(authorizationCode, new OAuth2TokenType("authorization_code"));
+        if(oAuth2Authorization == null){
+            return "login";
+        }
+        String principalName = oAuth2Authorization.getPrincipalName();
+
+        return "redirect:" + redirectUri + "?code=" + authorizationCode;
     }
 
 
@@ -143,7 +143,7 @@ public String consent(Model model,
             return "redirect:" + redirectUri + "?code=" + authorizationCode;
         }else{
 
-            Set<String> authorizedScopes = currentAuthorizationConsent.getScopes();
+            Set<String> authorizedScopes = registeredClient.getScopes();
 
             Set<String> requestedScopes = StringUtils.commaDelimitedListToSet(scope);
 
@@ -174,7 +174,8 @@ public String consent(Model model,
         model.addAttribute("clientId", clientId);
         model.addAttribute("scopes", withDescription(approvedScopes));
         model.addAttribute("principalName", principalName);
-        model.addAttribute("requestURI", "/oauth2/authorization");
+        model.addAttribute("redirectUri", redirectUri);
+        model.addAttribute("consentRequestURI", "/oauth2/authorization");
 
         return "consent";
     }

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/serivce/persistence/authorization/OAuth2AuthorizationServiceImpl.java

@@ -88,47 +88,47 @@ public void save(OAuth2Authorization shouldBeNewAuthorization) {
         }else{
             // ROPC
             knifeAuthorization.setRegisteredClientId(shouldBeNewAuthorization.getAttribute("client_id"));
-        }
 
-        if(shouldBeNewAuthorization.getAccessToken() != null) {
-            knifeAuthorization.hashSetAccessTokenValue(shouldBeNewAuthorization.getAccessToken().getToken().getTokenValue());
-        }
-        if(shouldBeNewAuthorization.getRefreshToken() != null) {
-            knifeAuthorization.hashSetRefreshTokenValue(shouldBeNewAuthorization.getRefreshToken().getToken().getTokenValue());
-        }
+            if(shouldBeNewAuthorization.getAccessToken() != null) {
+                knifeAuthorization.hashSetAccessTokenValue(shouldBeNewAuthorization.getAccessToken().getToken().getTokenValue());
+            }
+            if(shouldBeNewAuthorization.getRefreshToken() != null) {
+                knifeAuthorization.hashSetRefreshTokenValue(shouldBeNewAuthorization.getRefreshToken().getToken().getTokenValue());
+            }
 
-        String appTokenValue = shouldBeNewAuthorization.getAttribute(KnifeHttpHeaders.APP_TOKEN);
-        if (appTokenValue != null) {
-            knifeAuthorization.setAccessTokenAppToken(appTokenValue);
-        }
+            String appTokenValue = shouldBeNewAuthorization.getAttribute(KnifeHttpHeaders.APP_TOKEN);
+            if (appTokenValue != null) {
+                knifeAuthorization.setAccessTokenAppToken(appTokenValue);
+            }
 
-        String userAgentValue = shouldBeNewAuthorization.getAttribute(KnifeHttpHeaders.USER_AGENT);
-        if (!StringUtils.isEmpty(userAgentValue)) {
-            knifeAuthorization.setAccessTokenUserAgent(userAgentValue);
-        }
+            String userAgentValue = shouldBeNewAuthorization.getAttribute(KnifeHttpHeaders.USER_AGENT);
+            if (!StringUtils.isEmpty(userAgentValue)) {
+                knifeAuthorization.setAccessTokenUserAgent(userAgentValue);
+            }
 
-        String remoteIp = shouldBeNewAuthorization.getAttribute(KnifeHttpHeaders.X_Forwarded_For);
-        if (remoteIp != null) {
-            knifeAuthorization.setAccessTokenRemoteIp(remoteIp);
-        }
+            String remoteIp = shouldBeNewAuthorization.getAttribute(KnifeHttpHeaders.X_Forwarded_For);
+            if (remoteIp != null) {
+                knifeAuthorization.setAccessTokenRemoteIp(remoteIp);
+            }
 
-        knifeAuthorization.setAttributes(shouldBeNewAuthorization);
-        knifeAuthorization.setAccessTokenType(shouldBeNewAuthorization.getAuthorizationGrantType().getValue());
-        knifeAuthorization.setAccessTokenScopes(String.join(",", shouldBeNewAuthorization.getAuthorizedScopes()));
+            knifeAuthorization.setAccessTokenType(shouldBeNewAuthorization.getAuthorizationGrantType().getValue());
+            knifeAuthorization.setAccessTokenScopes(String.join(",", shouldBeNewAuthorization.getAuthorizedScopes()));
 
-        // Token Expiration
-        knifeAuthorization.setAccessTokenIssuedAt(LocalDateTime.ofInstant(Instant.now(), ZoneId.systemDefault()));
-        if (shouldBeNewAuthorization.getAccessToken() != null && shouldBeNewAuthorization.getAccessToken().getToken().getExpiresAt() != null) {
-            knifeAuthorization.setAccessTokenExpiresAt(LocalDateTime.ofInstant(shouldBeNewAuthorization.getAccessToken().getToken().getExpiresAt(), ZoneId.systemDefault()));
-        }
+            // Token Expiration
+            knifeAuthorization.setAccessTokenIssuedAt(LocalDateTime.ofInstant(Instant.now(), ZoneId.systemDefault()));
+            if (shouldBeNewAuthorization.getAccessToken() != null && shouldBeNewAuthorization.getAccessToken().getToken().getExpiresAt() != null) {
+                knifeAuthorization.setAccessTokenExpiresAt(LocalDateTime.ofInstant(shouldBeNewAuthorization.getAccessToken().getToken().getExpiresAt(), ZoneId.systemDefault()));
+            }
 
-        // Token Expiration
-        knifeAuthorization.setRefreshTokenIssuedAt(LocalDateTime.ofInstant(Instant.now(), ZoneId.systemDefault()));
-        if (shouldBeNewAuthorization.getRefreshToken() != null && shouldBeNewAuthorization.getRefreshToken().getToken().getExpiresAt() != null) {
-            knifeAuthorization.setRefreshTokenExpiresAt(LocalDateTime.ofInstant(shouldBeNewAuthorization.getRefreshToken().getToken().getExpiresAt(), ZoneId.systemDefault()));
+            // Token Expiration
+            knifeAuthorization.setRefreshTokenIssuedAt(LocalDateTime.ofInstant(Instant.now(), ZoneId.systemDefault()));
+            if (shouldBeNewAuthorization.getRefreshToken() != null && shouldBeNewAuthorization.getRefreshToken().getToken().getExpiresAt() != null) {
+                knifeAuthorization.setRefreshTokenExpiresAt(LocalDateTime.ofInstant(shouldBeNewAuthorization.getRefreshToken().getToken().getExpiresAt(), ZoneId.systemDefault()));
+            }
+            knifeAuthorization.setAuthorizationGrantType(shouldBeNewAuthorization.getAttribute("grant_type"));
         }
-        knifeAuthorization.setAuthorizationGrantType(shouldBeNewAuthorization.getAttribute("grant_type"));
 
+        knifeAuthorization.setAttributes(shouldBeNewAuthorization);
 
         knifeAuthorizationRepository.save(knifeAuthorization);
 

src/main/java/io/github/patternknife/securityhelper/oauth2/api/domain/traditionaloauth/service/TraditionalOauthService.java

@@ -75,7 +75,7 @@ public TraditionalOauthService(RegisteredClientRepositoryImpl registeredClientRe
 
 
     public SpringSecurityTraditionalOauthDTO.TokenResponse createAccessToken(SpringSecurityTraditionalOauthDTO.TokenRequest accessTokenRequest,
-                                                                             String authorizationHeader) {
+                                                                             String authorizationHeader) throws KnifeOauth2AuthenticationException {
         try {
             BasicTokenResolver.BasicCredentials basicCredentials = BasicTokenResolver.parse(authorizationHeader).orElseThrow(() -> new KnifeOauth2AuthenticationException(ErrorMessages.builder().message("Header parsing error (header : " + authorizationHeader).userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_WRONG_CLIENT_ID_SECRET)).build()));
 
@@ -113,7 +113,7 @@ public SpringSecurityTraditionalOauthDTO.TokenResponse createAccessToken(SpringS
     }
 
     public SpringSecurityTraditionalOauthDTO.TokenResponse refreshAccessToken(SpringSecurityTraditionalOauthDTO.TokenRequest refreshTokenRequest,
-                                                                              String authorizationHeader) {
+                                                                              String authorizationHeader) throws KnifeOauth2AuthenticationException {
         try {
             BasicTokenResolver.BasicCredentials basicCredentials = BasicTokenResolver.parse(authorizationHeader).orElseThrow(() -> new KnifeOauth2AuthenticationException(ErrorMessages.builder().message("Header parsing error (header : " + authorizationHeader).userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_WRONG_CLIENT_ID_SECRET)).build()));
 
@@ -156,7 +156,7 @@ public SpringSecurityTraditionalOauthDTO.TokenResponse refreshAccessToken(Spring
 
 
     public SpringSecurityTraditionalOauthDTO.AuthorizationCodeResponse createAuthorizationCode(SpringSecurityTraditionalOauthDTO.AuthorizationCodeRequest authorizationCodeRequest,
-                                                                                               String authorizationHeader) {
+                                                                                               String authorizationHeader) throws KnifeOauth2AuthenticationException {
         try {
 
             BasicTokenResolver.BasicCredentials basicCredentials = BasicTokenResolver.parse(authorizationHeader)

src/main/resources/templates/consent.html

@@ -46,9 +46,9 @@ <h1 class="text-center text-primary">App permissions</h1>
     </div>
     <div class="row">
         <div class="col text-center">
-            <form name="consent_form" method="post" th:action="${requestURI}">
+            <form name="consent_form" method="post" th:action="${consentRequestURI}">
                 <input type="hidden" name="client_id" th:value="${clientId}">
-                <input type="hidden" name="state" th:value="${state}">
+                <input type="hidden" name="redirect_uri" th:value="${redirectUri}">
                 <input type="hidden" name="code" th:value="${code}">
 
                 <div th:each="scope: ${scopes}" class="form-check py-1">