update samples with spring-security and spring-security-oauth2-authorization-server. 2.x samples fixes #49.

Author: bnasslahsen

demo-oauth2/README.md

@@ -7,16 +7,15 @@
    1. Client Id: newClient
    2. Client secret: newClientSecret
    3. Redirect Uris: 
-      - http://localhost:8081/resource-server/swagger-ui/oauth2-redirect.html
-      - http://localhost:8082/resource-server/webjars/swagger-ui/oauth2-redirect.html
+      - http://127.0.0.1:8081/resource-server/swagger-ui/oauth2-redirect.html
+      - http://127.0.0.1:8082/resource-server/webjars/swagger-ui/oauth2-redirect.html
 
-3. There are two users registered in the Authorization Server:
-    1. josh@test.com / 123
-    2. dave@test.com / pass
+3. There is a test user registered in the Authorization Server:
+  - josh@test.com / 123
 
 4. `oauth-resource-server-webmvc` is a Spring Boot WebMVC based RESTFul API, acting as a backend Application
-   swagger-ui:  http://localhost:8081/resource-server/swagger-ui.html
+   swagger-ui:  http://127.0.0.1:8081/resource-server/swagger-ui.html
 
 5. `oauth-resource-server-webflux` is a Spring Boot WebFlux based RESTFul API, acting as a backend Application
-   swagger-ui:  http://localhost:8082/resource-server/swagger-ui.html
+   swagger-ui:  http://127.0.0.1:8082/resource-server/swagger-ui.html
 

demo-oauth2/oauth-authorization-server/pom.xml

@@ -8,31 +8,27 @@
 		<version>3.1.7-SNAPSHOT</version>
 	</parent>
 	<artifactId>oauth-authorization-server</artifactId>
-
-	<dependencyManagement>
-		<dependencies>
-			<dependency>
-				<groupId>com.github.thomasdarimont.embedded-spring-boot-keycloak-server</groupId>
-				<artifactId>embedded-keycloak-server-spring-boot-parent</artifactId>
-				<version>5.0.2</version>
-				<type>pom</type>
-				<scope>import</scope>
-			</dependency>
-		</dependencies>
-	</dependencyManagement>
-
 	<dependencies>
 		<dependency>
-			<groupId>com.github.thomasdarimont.embedded-spring-boot-keycloak-server</groupId>
-			<artifactId>embedded-keycloak-server-spring-boot-starter</artifactId>
-			<version>5.0.2</version>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-oauth2-authorization-server</artifactId>
+			<version>1.0.0-SNAPSHOT</version>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-jdbc</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.h2database</groupId>
+			<artifactId>h2</artifactId>
 		</dependency>
 	</dependencies>
-
-	<repositories>
-		<repository>
-			<id>jitpack.io</id>
-			<url>https://jitpack.io</url>
-		</repository>
-	</repositories>
 </project>

demo-oauth2/oauth-authorization-server/src/main/java/org/springdoc/demo/auth/AuthorizationServerApp.java

@@ -2,14 +2,11 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.autoconfigure.liquibase.LiquibaseAutoConfiguration;
 
-@SpringBootApplication(exclude = LiquibaseAutoConfiguration.class)
+@SpringBootApplication
 public class AuthorizationServerApp {
 
-    public static void main(String[] args) throws Exception {
+    public static void main(String[] args) {
         SpringApplication.run(AuthorizationServerApp.class, args);
     }
-
-
 }

demo-oauth2/oauth-authorization-server/src/main/java/org/springdoc/demo/auth/DefaultSecurityConfig.java

@@ -0,0 +1,39 @@
+package org.springdoc.demo.auth;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+import static org.springframework.security.config.Customizer.withDefaults;
+
+@EnableWebSecurity
+@Configuration(proxyBeanMethods = false)
+public class DefaultSecurityConfig {
+
+	@Bean
+	SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
+		http
+				.authorizeHttpRequests(authorize ->
+						authorize.anyRequest().authenticated()
+				)
+				.formLogin(withDefaults());
+		return http.build();
+	}
+
+	@Bean
+	UserDetailsService users() {
+		UserDetails user = User.withDefaultPasswordEncoder()
+				.username("josh@test.com")
+				.password("123")
+				.roles("USER")
+				.build();
+		return new InMemoryUserDetailsManager(user);
+	}
+
+}

demo-oauth2/oauth-authorization-server/src/main/java/org/springdoc/demo/auth/Jwks.java

@@ -0,0 +1,24 @@
+package org.springdoc.demo.auth;
+
+import java.security.KeyPair;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.UUID;
+
+import com.nimbusds.jose.jwk.RSAKey;
+
+public final class Jwks {
+
+	private Jwks() {
+	}
+
+	public static RSAKey generateRsa() {
+		KeyPair keyPair = KeyGeneratorUtils.generateRsaKey();
+		RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
+		RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
+		return new RSAKey.Builder(publicKey)
+				.privateKey(privateKey)
+				.keyID(UUID.randomUUID().toString())
+				.build();
+	}
+}

demo-oauth2/oauth-authorization-server/src/main/java/org/springdoc/demo/auth/KeyGeneratorUtils.java

@@ -0,0 +1,53 @@
+package org.springdoc.demo.auth;
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.spec.ECFieldFp;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPoint;
+import java.security.spec.EllipticCurve;
+
+final class KeyGeneratorUtils {
+
+	private KeyGeneratorUtils() {
+	}
+
+	static KeyPair generateRsaKey() {
+		KeyPair keyPair;
+		try {
+			KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+			keyPairGenerator.initialize(2048);
+			keyPair = keyPairGenerator.generateKeyPair();
+		} catch (Exception ex) {
+			throw new IllegalStateException(ex);
+		}
+		return keyPair;
+	}
+
+	static KeyPair generateEcKey() {
+		EllipticCurve ellipticCurve = new EllipticCurve(
+				new ECFieldFp(
+						new BigInteger("115792089210356248762697446949407573530086143415290314195533631308867097853951")),
+				new BigInteger("115792089210356248762697446949407573530086143415290314195533631308867097853948"),
+				new BigInteger("41058363725152142129326129780047268409114441015993725554835256314039467401291"));
+		ECPoint ecPoint = new ECPoint(
+				new BigInteger("48439561293906451759052585252797914202762949526041747995844080717082404635286"),
+				new BigInteger("36134250956749795798585127919587881956611106672985015071877198253568414405109"));
+		ECParameterSpec ecParameterSpec = new ECParameterSpec(
+				ellipticCurve,
+				ecPoint,
+				new BigInteger("115792089210356248762697446949407573529996955224135760342422259061068512044369"),
+				1);
+
+		KeyPair keyPair;
+		try {
+			KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
+			keyPairGenerator.initialize(ecParameterSpec);
+			keyPair = keyPairGenerator.generateKeyPair();
+		} catch (Exception ex) {
+			throw new IllegalStateException(ex);
+		}
+		return keyPair;
+	}
+}

demo-oauth2/oauth-authorization-server/src/main/java/org/springdoc/demo/auth/SecurityConfig.java

@@ -0,0 +1,123 @@
+package org.springdoc.demo.auth;
+
+import java.util.UUID;
+
+import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.proc.SecurityContext;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
+import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
+import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
+import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.web.cors.CorsConfiguration;
+
+
+@Configuration(proxyBeanMethods = false)
+public class SecurityConfig {
+
+	@Bean
+	@Order(Ordered.HIGHEST_PRECEDENCE)
+	public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
+		OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+		http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
+				.oidc(Customizer.withDefaults());
+		http.cors().configurationSource(request -> new CorsConfiguration().applyPermitDefaultValues())
+				.and()
+				.exceptionHandling(exceptions ->
+						exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
+				)
+				.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+		return http.build();
+	}
+
+	@Bean
+	public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
+		RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
+				.clientId("newClient")
+				.clientSecret("{noop}newClientSecret")
+				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
+				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+				.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
+				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
+				.redirectUri("http://127.0.0.1:8081/resource-server/swagger-ui/oauth2-redirect.html")
+				.redirectUri("http://127.0.0.1:8082/resource-server/webjars/swagger-ui/oauth2-redirect.html")
+				.redirectUri("http://158.101.191.70:8095/resource-server/swagger-ui/oauth2-redirect.html")
+				.redirectUri("http://158.101.191.70:8096/resource-server/webjars/swagger-ui/oauth2-redirect.html")
+				.scope(OidcScopes.OPENID)
+				.scope(OidcScopes.PROFILE)
+				.scope("springdoc.read")
+				.scope("springdoc.write")
+				.build();
+
+		// Save registered client in db as if in-memory
+		JdbcRegisteredClientRepository registeredClientRepository = new JdbcRegisteredClientRepository(jdbcTemplate);
+		registeredClientRepository.save(registeredClient);
+
+		return registeredClientRepository;
+	}
+
+	@Bean
+	public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
+		return new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
+	}
+
+	@Bean
+	public OAuth2AuthorizationConsentService authorizationConsentService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
+		return new JdbcOAuth2AuthorizationConsentService(jdbcTemplate, registeredClientRepository);
+	}
+
+	@Bean
+	public JWKSource<SecurityContext> jwkSource() {
+		RSAKey rsaKey = Jwks.generateRsa();
+		JWKSet jwkSet = new JWKSet(rsaKey);
+		return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
+	}
+
+	@Bean
+	public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
+		return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+	}
+
+	@Bean
+	public AuthorizationServerSettings authorizationServerSettings() {
+		return AuthorizationServerSettings.builder().build();
+	}
+
+	@Bean
+	public EmbeddedDatabase embeddedDatabase() {
+		return new EmbeddedDatabaseBuilder()
+				.generateUniqueName(true)
+				.setType(EmbeddedDatabaseType.H2)
+				.setScriptEncoding("UTF-8")
+				.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql")
+				.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql")
+				.addScript("org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql")
+				.build();
+	}
+
+}

demo-oauth2/oauth-authorization-server/src/main/resources/application.yml

@@ -12,18 +12,8 @@ server:
 
 logging:
   level:
-    org.jgroups: INFO
-    org.infinispan: INFO
-    org.keycloak: INFO
-    org.keycloak.services.managers.DefaultBruteForceProtector: DEBUG
-    org.keycloak.services.scheduled.ClusterAwareScheduledTaskRunner: DEBUG
-    org.keycloak.services.managers.UserSessionManager: DEBUG
-    org.keycloak.timer.basic: DEBUG
-
-keycloak:
-  custom:
-    server:
-      keycloak-path: "/auth"
-    migration:
-      importProvider: singleFile
-      importLocation: "file:springdoc-realm.json"
+    root: INFO
+    org.springframework.web: INFO
+    org.springframework.security: INFO
+    org.springframework.security.oauth2: INFO
+    org.springframework.boot.autoconfigure: INFO