JDBC device_code authorization
Issue gh-1156
This commit is contained in:
committed by
Steve Riesenberg
parent
8e04da773d
commit
cf7ecc161d
@@ -47,10 +47,7 @@ import org.springframework.jdbc.support.lob.LobCreator;
|
||||
import org.springframework.jdbc.support.lob.LobHandler;
|
||||
import org.springframework.lang.Nullable;
|
||||
import org.springframework.security.jackson2.SecurityJackson2Modules;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
|
||||
import org.springframework.security.oauth2.core.OAuth2Token;
|
||||
import org.springframework.security.oauth2.core.*;
|
||||
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
|
||||
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
|
||||
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
|
||||
@@ -106,20 +103,31 @@ public class JdbcOAuth2AuthorizationService implements OAuth2AuthorizationServic
|
||||
+ "refresh_token_value,"
|
||||
+ "refresh_token_issued_at,"
|
||||
+ "refresh_token_expires_at,"
|
||||
+ "refresh_token_metadata";
|
||||
+ "refresh_token_metadata,"
|
||||
+ "user_code_value,"
|
||||
+ "user_code_issued_at,"
|
||||
+ "user_code_expires_at,"
|
||||
+ "user_code_metadata,"
|
||||
+ "device_code_value,"
|
||||
+ "device_code_issued_at,"
|
||||
+ "device_code_expires_at,"
|
||||
+ "device_code_metadata";
|
||||
// @formatter:on
|
||||
|
||||
private static final String TABLE_NAME = "oauth2_authorization";
|
||||
|
||||
private static final String PK_FILTER = "id = ?";
|
||||
private static final String UNKNOWN_TOKEN_TYPE_FILTER = "state = ? OR authorization_code_value = ? OR " +
|
||||
"access_token_value = ? OR oidc_id_token_value = ? OR refresh_token_value = ?";
|
||||
private static final String UNKNOWN_TOKEN_TYPE_FILTER = "state = ? OR authorization_code_value = ? OR "
|
||||
+ "access_token_value = ? OR oidc_id_token_value = ? OR refresh_token_value = ? OR "
|
||||
+ "user_code_value = ? OR device_code_value = ?";
|
||||
|
||||
private static final String STATE_FILTER = "state = ?";
|
||||
private static final String AUTHORIZATION_CODE_FILTER = "authorization_code_value = ?";
|
||||
private static final String ACCESS_TOKEN_FILTER = "access_token_value = ?";
|
||||
private static final String ID_TOKEN_FILTER = "oidc_id_token_value = ?";
|
||||
private static final String REFRESH_TOKEN_FILTER = "refresh_token_value = ?";
|
||||
private static final String USER_CODE_FILTER = "user_code_value = ?";
|
||||
private static final String DEVICE_CODE_FILTER = "device_code_value = ?";
|
||||
|
||||
// @formatter:off
|
||||
private static final String LOAD_AUTHORIZATION_SQL = "SELECT " + COLUMN_NAMES
|
||||
@@ -129,7 +137,7 @@ public class JdbcOAuth2AuthorizationService implements OAuth2AuthorizationServic
|
||||
|
||||
// @formatter:off
|
||||
private static final String SAVE_AUTHORIZATION_SQL = "INSERT INTO " + TABLE_NAME
|
||||
+ " (" + COLUMN_NAMES + ") VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
|
||||
+ " (" + COLUMN_NAMES + ") VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
|
||||
// @formatter:on
|
||||
|
||||
// @formatter:off
|
||||
@@ -138,7 +146,9 @@ public class JdbcOAuth2AuthorizationService implements OAuth2AuthorizationServic
|
||||
+ " authorization_code_value = ?, authorization_code_issued_at = ?, authorization_code_expires_at = ?, authorization_code_metadata = ?,"
|
||||
+ " access_token_value = ?, access_token_issued_at = ?, access_token_expires_at = ?, access_token_metadata = ?, access_token_type = ?, access_token_scopes = ?,"
|
||||
+ " oidc_id_token_value = ?, oidc_id_token_issued_at = ?, oidc_id_token_expires_at = ?, oidc_id_token_metadata = ?,"
|
||||
+ " refresh_token_value = ?, refresh_token_issued_at = ?, refresh_token_expires_at = ?, refresh_token_metadata = ?"
|
||||
+ " refresh_token_value = ?, refresh_token_issued_at = ?, refresh_token_expires_at = ?, refresh_token_metadata = ?,"
|
||||
+ " user_code_value = ?, user_code_issued_at = ?, user_code_expires_at = ?, user_code_metadata = ?,"
|
||||
+ " device_code_value = ?, device_code_issued_at = ?, device_code_expires_at = ?, device_code_metadata = ?"
|
||||
+ " WHERE " + PK_FILTER;
|
||||
// @formatter:on
|
||||
|
||||
@@ -244,6 +254,8 @@ public class JdbcOAuth2AuthorizationService implements OAuth2AuthorizationServic
|
||||
parameters.add(mapToSqlParameter("access_token_value", token));
|
||||
parameters.add(mapToSqlParameter("oidc_id_token_value", token));
|
||||
parameters.add(mapToSqlParameter("refresh_token_value", token));
|
||||
parameters.add(mapToSqlParameter("user_code_value", token));
|
||||
parameters.add(mapToSqlParameter("device_code_value", token));
|
||||
return findBy(UNKNOWN_TOKEN_TYPE_FILTER, parameters);
|
||||
} else if (OAuth2ParameterNames.STATE.equals(tokenType.getValue())) {
|
||||
parameters.add(new SqlParameterValue(Types.VARCHAR, token));
|
||||
@@ -260,6 +272,12 @@ public class JdbcOAuth2AuthorizationService implements OAuth2AuthorizationServic
|
||||
} else if (OAuth2TokenType.REFRESH_TOKEN.equals(tokenType)) {
|
||||
parameters.add(mapToSqlParameter("refresh_token_value", token));
|
||||
return findBy(REFRESH_TOKEN_FILTER, parameters);
|
||||
} else if (OAuth2TokenType.USER_CODE.equals(tokenType)) {
|
||||
parameters.add(mapToSqlParameter("user_code_value", token));
|
||||
return findBy(USER_CODE_FILTER, parameters);
|
||||
} else if (OAuth2TokenType.DEVICE_CODE.equals(tokenType)) {
|
||||
parameters.add(mapToSqlParameter("device_code_value", token));
|
||||
return findBy(DEVICE_CODE_FILTER, parameters);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
@@ -425,6 +443,35 @@ public class JdbcOAuth2AuthorizationService implements OAuth2AuthorizationServic
|
||||
refreshTokenValue, tokenIssuedAt, tokenExpiresAt);
|
||||
builder.token(refreshToken, (metadata) -> metadata.putAll(refreshTokenMetadata));
|
||||
}
|
||||
|
||||
String userCodeValue = getLobValue(rs, "user_code_value");
|
||||
if (StringUtils.hasText(userCodeValue)) {
|
||||
tokenIssuedAt = rs.getTimestamp("user_code_issued_at").toInstant();
|
||||
tokenExpiresAt = null;
|
||||
Timestamp userCodeExpiresAt = rs.getTimestamp("user_code_expires_at");
|
||||
if (userCodeExpiresAt != null) {
|
||||
tokenExpiresAt = userCodeExpiresAt.toInstant();
|
||||
}
|
||||
Map<String, Object> userCodeMetadata = parseMap(getLobValue(rs, "user_code_metadata"));
|
||||
|
||||
OAuth2UserCode userCode = new OAuth2UserCode(userCodeValue, tokenIssuedAt, tokenExpiresAt);
|
||||
builder.token(userCode, (metadata) -> metadata.putAll(userCodeMetadata));
|
||||
}
|
||||
|
||||
String deviceCodeValue = getLobValue(rs, "device_code_value");
|
||||
if (StringUtils.hasText(deviceCodeValue)) {
|
||||
tokenIssuedAt = rs.getTimestamp("device_code_issued_at").toInstant();
|
||||
tokenExpiresAt = null;
|
||||
Timestamp deviceCodeExpiresAt = rs.getTimestamp("device_code_expires_at");
|
||||
if (deviceCodeExpiresAt != null) {
|
||||
tokenExpiresAt = deviceCodeExpiresAt.toInstant();
|
||||
}
|
||||
Map<String, Object> deviceCodeMetadata = parseMap(getLobValue(rs, "device_code_metadata"));
|
||||
|
||||
OAuth2DeviceCode deviceCode = new OAuth2DeviceCode(deviceCodeValue, tokenIssuedAt, tokenExpiresAt);
|
||||
builder.token(deviceCode, (metadata) -> metadata.putAll(deviceCodeMetadata));
|
||||
}
|
||||
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
@@ -545,6 +592,17 @@ public class JdbcOAuth2AuthorizationService implements OAuth2AuthorizationServic
|
||||
List<SqlParameterValue> refreshTokenSqlParameters = toSqlParameterList(
|
||||
"refresh_token_value", "refresh_token_metadata", refreshToken);
|
||||
parameters.addAll(refreshTokenSqlParameters);
|
||||
|
||||
OAuth2Authorization.Token<OAuth2UserCode> userCode = authorization.getToken(OAuth2UserCode.class);
|
||||
List<SqlParameterValue> userCodeSqlParameters = toSqlParameterList(
|
||||
"user_code_value", "user_code_metadata", userCode);
|
||||
parameters.addAll(userCodeSqlParameters);
|
||||
|
||||
OAuth2Authorization.Token<OAuth2DeviceCode> deviceCode = authorization.getToken(OAuth2DeviceCode.class);
|
||||
List<SqlParameterValue> deviceCodeSqlParameters = toSqlParameterList(
|
||||
"device_code_value", "device_code_metadata", deviceCode);
|
||||
parameters.addAll(deviceCodeSqlParameters);
|
||||
|
||||
return parameters;
|
||||
}
|
||||
|
||||
@@ -670,6 +728,14 @@ public class JdbcOAuth2AuthorizationService implements OAuth2AuthorizationServic
|
||||
columnMetadataMap.put(columnMetadata.getColumnName(), columnMetadata);
|
||||
columnMetadata = getColumnMetadata(jdbcOperations, "refresh_token_metadata", Types.BLOB);
|
||||
columnMetadataMap.put(columnMetadata.getColumnName(), columnMetadata);
|
||||
columnMetadata = getColumnMetadata(jdbcOperations, "user_code_value", Types.BLOB);
|
||||
columnMetadataMap.put(columnMetadata.getColumnName(), columnMetadata);
|
||||
columnMetadata = getColumnMetadata(jdbcOperations, "user_code_metadata", Types.BLOB);
|
||||
columnMetadataMap.put(columnMetadata.getColumnName(), columnMetadata);
|
||||
columnMetadata = getColumnMetadata(jdbcOperations, "device_code_value", Types.BLOB);
|
||||
columnMetadataMap.put(columnMetadata.getColumnName(), columnMetadata);
|
||||
columnMetadata = getColumnMetadata(jdbcOperations, "device_code_metadata", Types.BLOB);
|
||||
columnMetadataMap.put(columnMetadata.getColumnName(), columnMetadata);
|
||||
}
|
||||
|
||||
private static ColumnMetadata getColumnMetadata(JdbcOperations jdbcOperations, String columnName, int defaultDataType) {
|
||||
|
||||
@@ -27,10 +27,7 @@ import java.util.UUID;
|
||||
import java.util.function.Consumer;
|
||||
|
||||
import org.springframework.lang.Nullable;
|
||||
import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.core.OAuth2AccessToken;
|
||||
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
|
||||
import org.springframework.security.oauth2.core.OAuth2Token;
|
||||
import org.springframework.security.oauth2.core.*;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
||||
import org.springframework.security.oauth2.server.authorization.util.SpringAuthorizationServerVersion;
|
||||
import org.springframework.util.Assert;
|
||||
@@ -50,6 +47,8 @@ import org.springframework.util.StringUtils;
|
||||
* @see OAuth2Token
|
||||
* @see OAuth2AccessToken
|
||||
* @see OAuth2RefreshToken
|
||||
* @see OAuth2UserCode
|
||||
* @see OAuth2DeviceCode
|
||||
*/
|
||||
public class OAuth2Authorization implements Serializable {
|
||||
private static final long serialVersionUID = SpringAuthorizationServerVersion.SERIAL_VERSION_UID;
|
||||
@@ -129,6 +128,28 @@ public class OAuth2Authorization implements Serializable {
|
||||
return getToken(OAuth2RefreshToken.class);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the {@link Token} of type {@link OAuth2UserCode}.
|
||||
*
|
||||
* @return the {@link Token} of type {@link OAuth2UserCode}, or {@code null} if not
|
||||
* available
|
||||
*/
|
||||
@Nullable
|
||||
public Token<OAuth2UserCode> getUserCode() {
|
||||
return getToken(OAuth2UserCode.class);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the {@link Token} of type {@link OAuth2DeviceCode}.
|
||||
*
|
||||
* @return the {@link Token} of type {@link OAuth2DeviceCode}, or {@code null} if not
|
||||
* available
|
||||
*/
|
||||
@Nullable
|
||||
public Token<OAuth2DeviceCode> getDeviceCode() {
|
||||
return getToken(OAuth2DeviceCode.class);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the {@link Token} of type {@code tokenType}.
|
||||
*
|
||||
@@ -460,6 +481,26 @@ public class OAuth2Authorization implements Serializable {
|
||||
return token(refreshToken);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the {@link OAuth2UserCode user token}.
|
||||
*
|
||||
* @param userCode the {@link OAuth2UserCode}
|
||||
* @return the {@link Builder}
|
||||
*/
|
||||
public Builder userCode(OAuth2UserCode userCode) {
|
||||
return token(userCode);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the {@link OAuth2DeviceCode device token}.
|
||||
*
|
||||
* @param deviceCode the {@link OAuth2DeviceCode}
|
||||
* @return the {@link Builder}
|
||||
*/
|
||||
public Builder deviceCode(OAuth2DeviceCode deviceCode) {
|
||||
return token(deviceCode);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the {@link OAuth2Token token}.
|
||||
*
|
||||
|
||||
@@ -31,6 +31,8 @@ public final class OAuth2TokenType implements Serializable {
|
||||
private static final long serialVersionUID = SpringAuthorizationServerVersion.SERIAL_VERSION_UID;
|
||||
public static final OAuth2TokenType ACCESS_TOKEN = new OAuth2TokenType("access_token");
|
||||
public static final OAuth2TokenType REFRESH_TOKEN = new OAuth2TokenType("refresh_token");
|
||||
public static final OAuth2TokenType USER_CODE = new OAuth2TokenType("user_code");
|
||||
public static final OAuth2TokenType DEVICE_CODE = new OAuth2TokenType("device_code");
|
||||
private final String value;
|
||||
|
||||
/**
|
||||
|
||||
@@ -29,5 +29,13 @@ CREATE TABLE oauth2_authorization (
|
||||
refresh_token_issued_at timestamp DEFAULT NULL,
|
||||
refresh_token_expires_at timestamp DEFAULT NULL,
|
||||
refresh_token_metadata blob DEFAULT NULL,
|
||||
user_code_value blob DEFAULT NULL,
|
||||
user_code_issued_at timestamp DEFAULT NULL,
|
||||
user_code_expires_at timestamp DEFAULT NULL,
|
||||
user_code_metadata blob DEFAULT NULL,
|
||||
device_code_value blob DEFAULT NULL,
|
||||
device_code_issued_at timestamp DEFAULT NULL,
|
||||
device_code_expires_at timestamp DEFAULT NULL,
|
||||
device_code_metadata blob DEFAULT NULL,
|
||||
PRIMARY KEY (id)
|
||||
);
|
||||
|
||||
@@ -30,6 +30,10 @@ import com.nimbusds.jose.proc.SecurityContext;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.annotation.Order;
|
||||
import org.springframework.jdbc.core.JdbcTemplate;
|
||||
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
|
||||
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
|
||||
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
|
||||
import org.springframework.security.config.Customizer;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
@@ -41,6 +45,8 @@ import org.springframework.security.oauth2.core.AuthorizationGrantType;
|
||||
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
|
||||
import org.springframework.security.oauth2.core.oidc.OidcScopes;
|
||||
import org.springframework.security.oauth2.jwt.JwtDecoder;
|
||||
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
|
||||
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
|
||||
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
|
||||
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
|
||||
@@ -131,6 +137,12 @@ public class SecurityConfig {
|
||||
return new InMemoryRegisteredClientRepository(registeredClient);
|
||||
}
|
||||
|
||||
@Bean
|
||||
public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate,
|
||||
RegisteredClientRepository registeredClientRepository) {
|
||||
return new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
|
||||
}
|
||||
|
||||
@Bean
|
||||
public JWKSource<SecurityContext> jwkSource() {
|
||||
KeyPair keyPair = generateRsaKey();
|
||||
@@ -167,4 +179,18 @@ public class SecurityConfig {
|
||||
return AuthorizationServerSettings.builder().build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
public EmbeddedDatabase embeddedDatabase() {
|
||||
// @formatter:off
|
||||
return new EmbeddedDatabaseBuilder()
|
||||
.generateUniqueName(true)
|
||||
.setType(EmbeddedDatabaseType.H2)
|
||||
.setScriptEncoding("UTF-8")
|
||||
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql")
|
||||
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql")
|
||||
.addScript("org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql")
|
||||
.build();
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user