feature : authorization code module (in developement)

Author: patternhelloworld

README.md

@@ -189,6 +189,13 @@ public class CommonDataSourceConfiguration {
  - **Customize the verification logic for UsernamePassword and Client as desired**
     - ``IOauth2AuthenticationHashCheckService``
 
+## OAuth2 - ROPC
+* Refer to ``client/src/docs/asciidoc/api-app.adoc``
+
+## OAuth2 - Authorization Code
+* Open the web browser by connecting to ``http://localhost:8370/oauth2/authorization?code=32132&grant_type=authorization_code&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1&scope=message.read&state=random-state&prompt=consent&access_type=offline&code_challenge=YOUR_CODE_CHALLENGE&code_challenge_method=S256``
+* Login with ``[email protected] / 1234 ``
+
 ## Running this App with Docker
 * Use the following module for Blue-Green deployment:
   * https://github.com/patternknife/docker-blue-green-runner

client/src/main/resources/application.properties

@@ -3,7 +3,7 @@ server.port=8370
 
 spring.datasource.hikari.patternknife.url=jdbc:mysql://localhost:13506/sc_oauth2_pji?useSSL=false&useUnicode=true&serverTimezone=Asia/Seoul&allowPublicKeyRetrieval=true
 spring.datasource.hikari.patternknife.username=root
-spring.datasource.hikari.patternknife.password=pJfV3Ug8Seigl9nArREG
+spring.datasource.hikari.patternknife.password=912031kdskdaaa
 
 
 spring.datasource.hikari.patternknife.hikari.auto-commit=false

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/AuthorizationCodeRequestAuthenticationConverter.java

@@ -2,6 +2,8 @@
 
 
 import io.github.patternknife.securityhelper.oauth2.api.config.security.dao.KnifeAuthorizationConsentRepository;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.response.error.exception.KnifeOauth2AuthenticationException;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
 import io.github.patternknife.securityhelper.oauth2.api.config.util.RequestOAuth2Distiller;
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
@@ -14,6 +16,8 @@
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 
 
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
@@ -34,6 +38,7 @@ public final class AuthorizationCodeRequestAuthenticationConverter implements Au
      * */
     private final RegisteredClientRepository registeredClientRepository;
     private final KnifeAuthorizationConsentRepository knifeAuthorizationConsentRepository;
+    private final OAuth2AuthorizationServiceImpl oAuth2AuthorizationService;
 
     public void setClientAuthentication(String clientId) {
 
@@ -54,10 +59,18 @@ public Authentication convert(HttpServletRequest request) {
         MultiValueMap<String, String> parameters = RequestOAuth2Distiller.getAuthorizationCodeSecurityAdditionalParameters(request);
 
         // grant_type (REQUIRED)
-        String grantType = parameters.getFirst(OAuth2ParameterNames.GRANT_TYPE);
-        if (!AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equals(grantType)) {
-         //   return null;
+
+        String authorizationCode = parameters.getFirst(OAuth2ParameterNames.CODE);
+        if (authorizationCode == null) {
+            throw new KnifeOauth2AuthenticationException("non -code");
+        }
+
+
+        OAuth2Authorization oAuth2Authorization = oAuth2AuthorizationService.findByToken(authorizationCode, new OAuth2TokenType("authorization_code"));
+        if(oAuth2Authorization == null){
+            throw new KnifeOauth2AuthenticationException("non -code");
         }
+        String principalName = oAuth2Authorization.getPrincipalName();
 
         // 클라이언트 인증 설정
         setClientAuthentication(parameters.getFirst(OAuth2ParameterNames.CLIENT_ID));

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/server/ServerConfig.java

@@ -122,15 +122,20 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(
                 .oidc(Customizer.withDefaults())
                 /*
                  *
-                 *    http://localhost:8370/oauth2/authorize?grant_type=authorization_code&response_type=code&client_id=client_customer&scope=read%20write&state=random-state&prompt=consent&access_type=offline
-                 *    http://localhost:8370/oauth2/authorize?grant_type=authorization_code&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1&scope=read%20write&state=random-state&prompt=consent&access_type=offline&code_challenge=YOUR_CODE_CHALLENGE&code_challenge_method=S256
+                 *
+                 *    http://localhost:8370/oauth2/authorization?code=32132&grant_type=authorization_code&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1&scope=message.read&state=random-state&prompt=consent&access_type=offline&code_challenge=YOUR_CODE_CHALLENGE&code_challenge_method=S256
                  *
                  * */
                 //  https://medium.com/@itsinil/oauth-2-1-pkce-%EB%B0%A9%EC%8B%9D-%EC%95%8C%EC%95%84%EB%B3%B4%EA%B8%B0-14500950cdbf
                 .authorizationEndpoint(authorizationEndpoint ->
                         authorizationEndpoint
-
+                                // [1] User goes to the 'consentPage' below ('http://localhost:8370/oauth2/authorization?code=32132&grant_type=authorization_code&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1&scope=message.read&state=random-state&prompt=consent&access_type=offline&code_challenge=YOUR_CODE_CHALLENGE&code_challenge_method=S256')
+                                // [2] As you see 'KnifeAuthorizationCodeRequestConverterController', if the code parameter is NOT authenticated, it redirects you to the login page.
+                                // [3] If the login (/api/v1/traditional-oauth/authorization-code) in the 'src/main/resources/templates/login.html' is successful, it retries [1].
+                                // [4] Now you are on the consent page, check READ & WRITE and then press 'Submit'.
                                 .consentPage(CUSTOM_CONSENT_PAGE_URI)
+                                // [5]
+                                .authorizationRequestConverter(new AuthorizationCodeRequestAuthenticationConverter(registeredClientRepository, knifeAuthorizationConsentRepository, authorizationService))
                     /*            .authorizationRequestConverter(new AuthorizationCodeRequestAuthenticationConverter(registeredClientRepository, knifeAuthorizationConsentRepository))
                                 .authorizationRequestConverters(conveterList -> {
                                     conveterList.add(new AuthorizationCodeAuthenticationConverter(registeredClientRepository));
@@ -165,7 +170,7 @@ public void onAuthenticationSuccess(HttpServletRequest request, HttpServletRespo
                                     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
 
                                         logger.error(exception.toString());
-                                        response.sendError(HttpServletResponse.SC_BAD_REQUEST);
+                                        response.sendRedirect("login");
                                     }
                                 })
 

client/src/main/resources/static/assets/css/signin.css renamed to src/main/resources/css/signin.css

@@ -49,6 +49,7 @@ <h1 class="text-center text-primary">App permissions</h1>
             <form name="consent_form" method="post" th:action="${requestURI}">
                 <input type="hidden" name="client_id" th:value="${clientId}">
                 <input type="hidden" name="state" th:value="${state}">
+                <input type="hidden" name="code" th:value="${code}">
                 <input th:if="${userCode}" type="hidden" name="user_code" th:value="${userCode}">
 
                 <div th:each="scope: ${scopes}" class="form-check py-1">

client/src/main/resources/templates/consent.html renamed to src/main/resources/templates/consent.html

@@ -5,7 +5,7 @@
     <meta name="viewport" content="width=device-width, initial-scale=1">
     <title>Spring Authorization Server Sample</title>
     <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" integrity="sha384-rbsA2VBKQhggwzxH7pPCaAqO46MgnOM80zW1RWuH61DGLwZJEdK2Kadq2F9CUG65" crossorigin="anonymous">
-    <link rel="stylesheet" href="/assets/css/signin.css" th:href="@{/assets/css/signin.css}" />
+    <link rel="stylesheet" href="/css.css" th:href="@{/css/signin.css}" />
 </head>
 <body>
 <div class="container">