authorization code module (in development - 2)

Author: patternhelloworld

README.md

@@ -193,7 +193,7 @@ public class CommonDataSourceConfiguration {
 * Refer to ``client/src/docs/asciidoc/api-app.adoc``
 
 ## OAuth2 - Authorization Code
-* Open the web browser by connecting to ``http://localhost:8370/oauth2/authorization?code=32132&grant_type=authorization_code&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1&scope=message.read&state=random-state&prompt=consent&access_type=offline&code_challenge=YOUR_CODE_CHALLENGE&code_challenge_method=S256``
+* Open the web browser by connecting to ``http://localhost:8370/oauth2/authorization?code=32132&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1``
 * Login with ``cicd@test.com / 1234 ``
 
 ## Running this App with Docker

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/converter/auth/endpoint/KnifeAuthorizationCodeRequestConverterController.java

@@ -6,7 +6,11 @@
 import java.util.Map;
 import java.util.Set;
 
+import io.github.patternknife.securityhelper.oauth2.api.config.security.message.DefaultSecurityUserExceptionMessage;
+import io.github.patternknife.securityhelper.oauth2.api.config.security.message.ISecurityUserExceptionMessageService;
 import io.github.patternknife.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
@@ -19,79 +23,158 @@
 import org.springframework.ui.Model;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 
 /**
  * @author Daniel Garnier-Moiroux
  */
 @Controller
 public class KnifeAuthorizationCodeRequestConverterController {
+
+    private final Log logger = LogFactory.getLog(this.getClass());
+
     private final RegisteredClientRepository registeredClientRepository;
     private final OAuth2AuthorizationConsentService authorizationConsentService;
     private final OAuth2AuthorizationServiceImpl oAuth2AuthorizationService;
+    private final ISecurityUserExceptionMessageService iSecurityUserExceptionMessageService;
 
     public KnifeAuthorizationCodeRequestConverterController(RegisteredClientRepository registeredClientRepository,
                                                             OAuth2AuthorizationConsentService authorizationConsentService,
-                                                            OAuth2AuthorizationServiceImpl oAuth2AuthorizationService) {
+                                                            OAuth2AuthorizationServiceImpl oAuth2AuthorizationService, ISecurityUserExceptionMessageService iSecurityUserExceptionMessageService) {
         this.registeredClientRepository = registeredClientRepository;
         this.authorizationConsentService = authorizationConsentService;
         this.oAuth2AuthorizationService = oAuth2AuthorizationService;
+        this.iSecurityUserExceptionMessageService = iSecurityUserExceptionMessageService;
     }
 
+
+    @PostMapping("/oauth2/authorization")
+    public String authorize(@RequestParam(OAuth2ParameterNames.CLIENT_ID) String clientId,
+                            @RequestParam(OAuth2ParameterNames.STATE) String state,
+                            @RequestParam(OAuth2ParameterNames.SCOPE) Set<String> scopes,
+                            @RequestParam(name = OAuth2ParameterNames.CODE, required = false) String authorizationCode,
+                            @RequestParam(name = "consent_action", required = false) String consentAction,
+                            Model model) {
+        // 예시: 클라이언트의 등록된 콜백 URL 가져오기
+        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
+        String redirectUri = registeredClient.getRedirectUris().iterator().next();
+
+        // 승인된 스코프를 바탕으로 Authorization Code 생성 로직
+        // Authorization Code를 생성하여 저장하고 해당 코드를 콜백 URL로 리다이렉트합니다.
+        if ("approve".equals(consentAction)) {
+            // 실제로는 이곳에서 OAuth2Authorization 객체를 생성하고 저장하는 로직 필요
+             authorizationCode = "generated-authorization-code"; // 실제 생성된 코드로 교체
+
+            // 콜백 URL로 리다이렉트하며 Authorization Code를 전달
+            return "redirect:" + redirectUri + "?code=" + authorizationCode + "&state=" + state;
+        } else {
+            // 거부한 경우 에러 페이지 혹은 다시 로그인 페이지로 리다이렉트
+            return "redirect:/login?error=access_denied";
+        }
+    }
+
+
+    /*
+    *   code, response_type, client_id, redirect_url
+    * */
     @GetMapping(value = "/oauth2/authorization")
-    public String consent( Model model,
+    public String consent(Model model,
+                          @RequestParam(name = OAuth2ParameterNames.CODE) String authorizationCode,
+                          @RequestParam(name = OAuth2ParameterNames.RESPONSE_TYPE) String responseType,
                           @RequestParam(OAuth2ParameterNames.CLIENT_ID) String clientId,
-                          @RequestParam(OAuth2ParameterNames.SCOPE) String scope,
-                          @RequestParam(OAuth2ParameterNames.STATE) String state,
-                          @RequestParam(name = OAuth2ParameterNames.CODE, required = false) String authorizationCode,
-                          @RequestParam(name = OAuth2ParameterNames.USER_CODE, required = false) String userCode) {
+                          @RequestParam(OAuth2ParameterNames.REDIRECT_URI) String redirectUri,
+                          @RequestParam(name = OAuth2ParameterNames.SCOPE, required = false) String scope) {
+
 
-        String principalName;
         if(authorizationCode == null){
             return "login";
         }
 
+        if (!"code".equals(responseType)) {
+            logger.error("message (Invalid Authorization Code): "
+                    + "authorizationCode=" + authorizationCode + ", "
+                    + "responseType=" + responseType + ", "
+                    + "clientId=" + clientId + ", "
+                    + "redirectUri=" + redirectUri + ", "
+                    + "scope=" + scope);
+            model.addAttribute("userMessage", iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_RESPONSE_TYPE));
+            return "error";
+        }
+
+        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
+        if(registeredClient == null){
+            logger.error("message (Invalid Client ID): "
+                    + "authorizationCode=" + authorizationCode + ", "
+                    + "responseType=" + responseType + ", "
+                    + "clientId=" + clientId + ", "
+                    + "redirectUri=" + redirectUri + ", "
+                    + "scope=" + scope + ", ");
+            model.addAttribute("userMessage", iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_WRONG_CLIENT_ID_SECRET));
+            return "error";
+        }
+
+        if (!registeredClient.getRedirectUris().contains(redirectUri)) {
+            logger.error("message (Invalid redirect URI): "
+                    + "authorizationCode=" + authorizationCode + ", "
+                    + "responseType=" + responseType + ", "
+                    + "clientId=" + clientId + ", "
+                    + "redirectUri=" + redirectUri + ", "
+                    + "scope=" + scope + ", "
+                    + "registeredRedirectUris=" + registeredClient.getRedirectUris().toString());
+            model.addAttribute("userMessage", iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_REDIRECT_URI));
+            return "error";
+        }
+
+
+
         OAuth2Authorization oAuth2Authorization = oAuth2AuthorizationService.findByToken(authorizationCode, new OAuth2TokenType("authorization_code"));
         if(oAuth2Authorization == null){
             return "login";
         }
-        principalName = oAuth2Authorization.getPrincipalName();
+        String principalName = oAuth2Authorization.getPrincipalName();
 
 
-        // Remove scopes that were already approved
-        Set<String> scopesToApprove = new HashSet<>();
-        Set<String> previouslyApprovedScopes = new HashSet<>();
-        RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
+        Set<String> approvedScopes = new HashSet<>();
+
         OAuth2AuthorizationConsent currentAuthorizationConsent =
                 this.authorizationConsentService.findById(registeredClient.getId(), principalName);
-        Set<String> authorizedScopes;
-        if (currentAuthorizationConsent != null) {
-            authorizedScopes = currentAuthorizationConsent.getScopes();
-        } else {
-            authorizedScopes = Collections.emptySet();
-        }
-        for (String requestedScope : StringUtils.delimitedListToStringArray(scope, " ")) {
-            if (OidcScopes.OPENID.equals(requestedScope)) {
-                continue;
+        if(currentAuthorizationConsent != null){
+            return "redirect:" + redirectUri + "?code=" + authorizationCode;
+        }else{
+
+            Set<String> authorizedScopes = currentAuthorizationConsent.getScopes();
+
+            Set<String> requestedScopes = StringUtils.commaDelimitedListToSet(scope);
+
+            if (!authorizedScopes.containsAll(requestedScopes)) {
+                logger.error("message (Scopes not approved): "
+                        + "authorizationCode=" + authorizationCode + ", "
+                        + "responseType=" + responseType + ", "
+                        + "clientId=" + clientId + ", "
+                        + "redirectUri=" + redirectUri + ", "
+                        + "scope=" + scope + ", "
+                        + "authorizedScopes=" + authorizedScopes);
+                model.addAttribute("userMessage", iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_SCOPES_NOT_APPROVED));
+                return "error";
             }
-            if (authorizedScopes.contains(requestedScope)) {
-                previouslyApprovedScopes.add(requestedScope);
-            } else {
-                scopesToApprove.add(requestedScope);
+
+            for (String requestedScope : StringUtils.delimitedListToStringArray(scope, " ")) {
+                if (OidcScopes.OPENID.equals(requestedScope)) {
+                    continue;
+                }
+                if (authorizedScopes.contains(requestedScope)) {
+                    approvedScopes.add(requestedScope);
+                }
             }
         }
 
+
+        model.addAttribute("code", authorizationCode);
         model.addAttribute("clientId", clientId);
-        model.addAttribute("state", state);
-        model.addAttribute("scopes", withDescription(scopesToApprove));
-        model.addAttribute("previouslyApprovedScopes", withDescription(previouslyApprovedScopes));
+        model.addAttribute("scopes", withDescription(approvedScopes));
         model.addAttribute("principalName", principalName);
-        model.addAttribute("userCode", userCode);
-        if (StringUtils.hasText(userCode)) {
-            model.addAttribute("requestURI", "/oauth2/device_verification");
-        } else {
-            model.addAttribute("requestURI", "/oauth2/authorize");
-        }
+        model.addAttribute("requestURI", "/oauth2/authorization");
 
         return "consent";
     }
@@ -140,4 +223,5 @@ public static class ScopeWithDescription {
         }
     }
 
+
 }

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/message/DefaultSecurityUserExceptionMessage.java

@@ -16,8 +16,10 @@ public enum DefaultSecurityUserExceptionMessage implements ExceptionMessageInter
     AUTHENTICATION_PASSWORD_FAILED_EXCEEDED("The number of password attempts has been exceeded."),
 
     // Wrong Authorization Code
-    AUTHORIZATION_CODE_NO_EXISTS("The specified Authorization code does not exist."),
-
+    AUTHENTICATION_INVALID_RESPONSE_TYPE("The specified Response Type is invalid."),
+    AUTHENTICATION_INVALID_AUTHORIZATION_CODE("The specified Authorization Code is invalid."),
+    AUTHENTICATION_INVALID_REDIRECT_URI("The specified Redirect URI is invalid."),
+    AUTHENTICATION_SCOPES_NOT_APPROVED("The specified Scopes are not approved."),
     // CLIENT ID, SECRET
     AUTHENTICATION_WRONG_CLIENT_ID_SECRET("Client information is not verified."),
 

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/provider/auth/endpoint/KnifeOauth2AuthenticationProvider.java

@@ -59,7 +59,7 @@ public Authentication authenticate(Authentication authentication)
                     );
 
                     if (oAuth2Authorization == null) {
-                        throw new KnifeOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHORIZATION_CODE_NO_EXISTS));
+                        throw new KnifeOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_AUTHORIZATION_CODE));
                     }
                     // UserDetails 로드
                     userDetails = conditionalDetailsService.loadUserByUsername(oAuth2Authorization.getPrincipalName(), clientId);

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/server/ServerConfig.java

@@ -121,15 +121,16 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(
                 .tokenGenerator(tokenGenerator)
                 .oidc(Customizer.withDefaults())
                 /*
+                 *    https://sabarada.tistory.com/248
                  *
-                 *
-                 *    http://localhost:8370/oauth2/authorization?code=32132&grant_type=authorization_code&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1&scope=message.read&state=random-state&prompt=consent&access_type=offline&code_challenge=YOUR_CODE_CHALLENGE&code_challenge_method=S256
+                 *    code, client_id, redirect_uri
+                 *    http://localhost:8370/oauth2/authorization?code=32132&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1
                  *
                  * */
                 //  https://medium.com/@itsinil/oauth-2-1-pkce-%EB%B0%A9%EC%8B%9D-%EC%95%8C%EC%95%84%EB%B3%B4%EA%B8%B0-14500950cdbf
                 .authorizationEndpoint(authorizationEndpoint ->
                         authorizationEndpoint
-                                // [1] User goes to the 'consentPage' below ('http://localhost:8370/oauth2/authorization?code=32132&grant_type=authorization_code&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1&scope=message.read&state=random-state&prompt=consent&access_type=offline&code_challenge=YOUR_CODE_CHALLENGE&code_challenge_method=S256')
+                                // [1] User goes to the 'consentPage' below ('http://localhost:8370/oauth2/authorization?code=XXXXX&response_type=code&client_id=client_customer&redirect_uri=http%3A%2F%2Flocalhost%3A8370%2Fcallback1&scope=message.read&state=random-state&prompt=consent&access_type=offline&code_challenge=YOUR_CODE_CHALLENGE&code_challenge_method=S256')
                                 // [2] As you see 'KnifeAuthorizationCodeRequestConverterController', if the code parameter is NOT authenticated, it redirects you to the login page.
                                 // [3] If the login (/api/v1/traditional-oauth/authorization-code) in the 'src/main/resources/templates/login.html' is successful, it retries [1].
                                 // [4] Now you are on the consent page, check READ & WRITE and then press 'Submit'.

src/main/resources/templates/consent.html

@@ -50,7 +50,6 @@ <h1 class="text-center text-primary">App permissions</h1>
                 <input type="hidden" name="client_id" th:value="${clientId}">
                 <input type="hidden" name="state" th:value="${state}">
                 <input type="hidden" name="code" th:value="${code}">
-                <input th:if="${userCode}" type="hidden" name="user_code" th:value="${userCode}">
 
                 <div th:each="scope: ${scopes}" class="form-check py-1">
                     <input class="form-check-input"

src/main/resources/templates/error.html

@@ -3,15 +3,14 @@
 <head>
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1">
-    <title>Spring Authorization Server sample</title>
+    <title>Spring Authorization Server Sample</title>
     <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.2.3/dist/css/bootstrap.min.css" integrity="sha384-rbsA2VBKQhggwzxH7pPCaAqO46MgnOM80zW1RWuH61DGLwZJEdK2Kadq2F9CUG65" crossorigin="anonymous">
 </head>
 <body>
 <div class="container">
     <div class="row py-5">
         <div class="col-md-6">
-            <h2 class="text-danger" th:text="${errorTitle}"></h2>
-            <p th:text="${errorMessage}"></p>
+            <p th:text="${userMessage}"></p>
         </div>
     </div>
 </div>