feature : Once an access token is generated from an authorization code, the code should be removed for security reasons.

Author: patternhelloworld

lib/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/AuthorizationCodeAuthenticationConverter.java

@@ -28,7 +28,7 @@ public final class AuthorizationCodeAuthorizationRequestConverter implements Aut
     private final KnifeAuthorizationConsentRepository knifeAuthorizationConsentRepository;
     private final OAuth2AuthorizationServiceImpl oAuth2AuthorizationService;
 
-    public void setClientAuthentication(String clientId) {
+    public void setClientAuthenticationContext(String clientId) {
         RegisteredClient registeredClient = registeredClientRepository.findByClientId(clientId);
         if (registeredClient == null) {
             throw new IllegalArgumentException("Invalid client ID");
@@ -50,27 +50,22 @@ public Authentication convert(HttpServletRequest request) {
             // TODO:  Authorization Consent
         } else if ("GET".equalsIgnoreCase(request.getMethod())) {
             MultiValueMap<String, String> parameters = RequestOAuth2Distiller.getAuthorizationCodeSecurityAdditionalParameters(request);
-            String code = parameters.getFirst(OAuth2ParameterNames.CODE);
 
-            if (!StringUtils.hasText(code)) {
-                throw new KnifeOauth2AuthenticationException("Authorization code missing in GET request");
-            }
 
-            // 클라이언트 ID와 기타 필수 파라미터 처리
+
             String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
             if (!StringUtils.hasText(clientId)) {
                 throw new KnifeOauth2AuthenticationException("client_id missing");
             }
-
-            // 클라이언트 인증 설정
-            setClientAuthentication(clientId);
-            Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
-
             String redirectUri = parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
             if (!StringUtils.hasText(redirectUri)) {
                 throw new KnifeOauth2AuthenticationException("redirect_uri missing");
             }
 
+            // setClientAuthenticationContext from the client_id param
+            setClientAuthenticationContext(clientId);
+            Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
+
 
             RegisteredClient registeredClient = ((OAuth2ClientAuthenticationToken) clientPrincipal).getRegisteredClient();
 
@@ -98,6 +93,11 @@ public Authentication convert(HttpServletRequest request) {
                 additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0]));
             });
 
+            String code = parameters.getFirst(OAuth2ParameterNames.CODE);
+            if (!StringUtils.hasText(code)) {
+                throw new KnifeOauth2AuthenticationException("Authorization code missing in GET request");
+            }
+
             return new OAuth2AuthorizationCodeAuthenticationToken(
                     code,
                     clientPrincipal,

lib/src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/AuthorizationCodeAuthorizationRequestConverter.java

@@ -31,7 +31,7 @@
  * @see OAuth2TokenIntrospectionAuthenticationToken
  * @see OAuth2TokenIntrospectionEndpointFilter
  */
-public final class KnifeOAuth2TokenIntrospectionAuthenticationConverter implements AuthenticationConverter {
+public final class IntrospectionRequestConverter implements AuthenticationConverter {
 
     /*
     * Now, this only takes "access_token".