diff --git a/servlet/spring-boot/java/oauth2/login/README.adoc b/servlet/spring-boot/java/oauth2/login/README.adoc new file mode 100644 index 0000000..e949a7f --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/README.adoc @@ -0,0 +1,321 @@ += OAuth 2.0 Login Sample + +This guide provides instructions on setting up the sample application with OAuth 2.0 Login using an OAuth 2.0 Provider or OpenID Connect 1.0 Provider. +The sample application uses Spring Boot 2.0.0.M6 and the `spring-security-oauth2-client` module which is new in Spring Security 5.0. + +The following sections provide detailed steps for setting up OAuth 2.0 Login for these Providers: + +* <> +* <> +* <> +* <> + +[[google-login]] +== Login with Google + +This section shows how to configure the sample application using Google as the Authentication Provider and covers the following topics: + +* <> +* <> +* <> +* <> + +[[google-initial-setup]] +=== Initial setup + +To use Google's OAuth 2.0 authentication system for login, you must set up a project in the Google API Console to obtain OAuth 2.0 credentials. + +NOTE: https://developers.google.com/identity/protocols/OpenIDConnect[Google's OAuth 2.0 implementation] for authentication conforms to the + https://openid.net/connect/[OpenID Connect 1.0] specification and is https://openid.net/certification/[OpenID Certified]. + +Follow the instructions on the https://developers.google.com/identity/protocols/OpenIDConnect[OpenID Connect] page, starting in the section, "Setting up OAuth 2.0". + +After completing the "Obtain OAuth 2.0 credentials" instructions, you should have a new OAuth Client with credentials consisting of a Client ID and a Client Secret. + +[[google-redirect-uri]] +=== Setting the redirect URI + +The redirect URI is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with Google +and have granted access to the OAuth Client _(created in the previous step)_ on the Consent page. + +In the "Set a redirect URI" sub-section, ensure that the *Authorized redirect URIs* field is set to `http://localhost:8080/login/oauth2/code/google`. + +TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. + The *_registrationId_* is a unique identifier for the `ClientRegistration`. + +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + +[[google-application-config]] +=== Configure application.yml + +Now that you have a new OAuth Client with Google, you need to configure the application to use the OAuth Client for the _authentication flow_. To do so: + +. Go to `application.yml` and set the following configuration: ++ +[source,yaml] +---- +spring: + security: + oauth2: + client: + registration: <1> + google: <2> + client-id: google-client-id + client-secret: google-client-secret +---- ++ +.OAuth Client properties +==== +<1> `spring.security.oauth2.client.registration` is the base property prefix for OAuth Client properties. +<2> Following the base property prefix is the ID for the `ClientRegistration`, such as google. +==== + +. Replace the values in the `client-id` and `client-secret` property with the OAuth 2.0 credentials you created earlier. + +[[google-boot-application]] +=== Boot up the application + +Launch the Spring Boot 2.0 sample and go to `http://localhost:8080`. +You are then redirected to the default _auto-generated_ login page, which displays a link for Google. + +Click on the Google link, and you are then redirected to Google for authentication. + +After authenticating with your Google account credentials, the next page presented to you is the Consent screen. +The Consent screen asks you to either allow or deny access to the OAuth Client you created earlier. +Click *Allow* to authorize the OAuth Client to access your email address and basic profile information. + +At this point, the OAuth Client retrieves your email address and basic profile information +from the https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] and establishes an authenticated session. + +[[github-login]] +== Login with GitHub + +This section shows how to configure the sample application using GitHub as the Authentication Provider and covers the following topics: + +* <> +* <> +* <> + +[[github-register-application]] +=== Register OAuth application + +To use GitHub's OAuth 2.0 authentication system for login, you must https://github.com/settings/applications/new[Register a new OAuth application]. + +When registering the OAuth application, ensure the *Authorization callback URL* is set to `http://localhost:8080/login/oauth2/code/github`. + +The Authorization callback URL (redirect URI) is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with GitHub +and have granted access to the OAuth application on the _Authorize application_ page. + +TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. + The *_registrationId_* is a unique identifier for the `ClientRegistration`. + +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + +[[github-application-config]] +=== Configure application.yml + +Now that you have a new OAuth application with GitHub, you need to configure the application to use the OAuth application for the _authentication flow_. To do so: + +. Go to `application.yml` and set the following configuration: ++ +[source,yaml] +---- +spring: + security: + oauth2: + client: + registration: <1> + github: <2> + client-id: github-client-id + client-secret: github-client-secret +---- ++ +.OAuth Client properties +==== +<1> `spring.security.oauth2.client.registration` is the base property prefix for OAuth Client properties. +<2> Following the base property prefix is the ID for the `ClientRegistration`, such as github. +==== + +. Replace the values in the `client-id` and `client-secret` property with the OAuth 2.0 credentials you created earlier. + +[[github-boot-application]] +=== Boot up the application + +Launch the Spring Boot 2.0 sample and go to `http://localhost:8080`. +You are then redirected to the default _auto-generated_ login page, which displays a link for GitHub. + +Click on the GitHub link, and you are then redirected to GitHub for authentication. + +After authenticating with your GitHub credentials, the next page presented to you is "Authorize application". +This page will ask you to *Authorize* the application you created in the previous step. +Click _Authorize application_ to allow the OAuth application to access your personal user data information. + +At this point, the OAuth Client retrieves your personal user information +from the UserInfo Endpoint and establishes an authenticated session. + +[TIP] +For detailed information returned from the UserInfo Endpoint, see the API documentation +for https://developer.github.com/v3/users/#get-the-authenticated-user["Get the authenticated user"]. + +[[facebook-login]] +== Login with Facebook + +This section shows how to configure the sample application using Facebook as the Authentication Provider and covers the following topics: + +* <> +* <> +* <> + +[[facebook-register-application]] +=== Add a New App + +To use Facebook's OAuth 2.0 authentication system for login, you must first https://developers.facebook.com/apps[Add a New App]. + +Select "Create a New App" and then the "Create a New App ID" page is presented. Enter the Display Name, Contact Email, Category and then click "Create App ID". + +NOTE: The selection for the _Category_ field is not relevant but it's a required field - select "Local". + +The next page presented is "Product Setup". Click the "Get Started" button for the *Facebook Login* product. +In the left sidebar, under _Products -> Facebook Login_, select _Settings_. + +For the field *Valid OAuth redirect URIs*, enter `http://localhost:8080/login/oauth2/code/facebook` then click _Save Changes_. + +The OAuth redirect URI is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with Facebook +and have granted access to the application on the _Authorize application_ page. + +TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. + The *_registrationId_* is a unique identifier for the `ClientRegistration`. + +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + +[[facebook-application-config]] +=== Configure application.yml + +Now that you have created a new application with Facebook, you need to configure the sample application to use the application for the _authentication flow_. To do so: + +. Go to `application.yml` and set the following configuration: ++ +[source,yaml] +---- +spring: + security: + oauth2: + client: + registration: <1> + facebook: <2> + client-id: facebook-client-id + client-secret: facebook-client-secret +---- ++ +.OAuth Client properties +==== +<1> `spring.security.oauth2.client.registration` is the base property prefix for OAuth Client properties. +<2> Following the base property prefix is the ID for the `ClientRegistration`, such as facebook. +==== + +. Replace the values in the `client-id` and `client-secret` property with the OAuth 2.0 credentials you created earlier. + +[[facebook-boot-application]] +=== Boot up the application + +Launch the Spring Boot 2.0 sample and go to `http://localhost:8080`. +You are then redirected to the default _auto-generated_ login page, which displays a link for Facebook. + +Click on the Facebook link, and you are then redirected to Facebook for authentication. + +After authenticating with your Facebook credentials, the next page presented to you is "Authorize application". +This page will ask you to *Authorize* the application you created in the previous step. +Click _Authorize application_ to allow the OAuth application to access your _public profile_ and _email address_ information. + +At this point, the OAuth Client retrieves your personal user information +from the UserInfo Endpoint and establishes an authenticated session. + +[[okta-login]] +== Login with Okta + +This section shows how to configure the sample application using Okta as the Authentication Provider and covers the following topics: + +* <> +* <> +* <> +* <> + +[[okta-register-application]] +=== Add Application + +To use Okta's OAuth 2.0 authentication system for login, you must first https://www.okta.com/developer/signup[create a developer account]. + +Sign in to your account sub-domain and navigate to _Applications -> Applications_ and then select the "Add Application" button. +From the "Add Application" page, select the "Create New App" button and enter the following: + +* *Platform:* Web +* *Sign on method:* OpenID Connect + +Select the _Create_ button. +On the "General Settings" page, enter the Application Name (for example, "Spring Security Okta Login") and then select the _Next_ button. +On the "Configure OpenID Connect" page, enter `http://localhost:8080/login/oauth2/code/okta` for the field *Redirect URIs* and then select _Finish_. + +The redirect URI is the path in the application that the end-user's user-agent is redirected back to after they have authenticated with Okta +and have granted access to the application on the _Authorize application_ page. + +TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. + The *_registrationId_* is a unique identifier for the `ClientRegistration`. + +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + +[[okta-assign-application-people]] +=== Assign Application to People + +From the "General" tab of the application, select the "Assignments" tab and then select the _Assign_ button. +Select _Assign to People_ and assign your account to the application. Then select the _Save and Go Back_ button. + +[[okta-application-config]] +=== Configure application.yml + +Now that you have created a new application with Okta, you need to configure the sample application to use the application for the _authentication flow_. To do so: + +. Go to `application.yml` and set the following configuration: ++ +[source,yaml] +---- +spring: + security: + oauth2: + client: + registration: <1> + okta: <2> + client-id: okta-client-id + client-secret: okta-client-secret + provider: <3> + okta: + authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize + token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token + user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo + user-name-attribute: sub + jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys +---- ++ +.OAuth Client properties +==== +<1> `spring.security.oauth2.client.registration` is the base property prefix for OAuth Client properties. +<2> Following the base property prefix is the ID for the `ClientRegistration`, such as okta. +<3> `spring.security.oauth2.client.provider` is the base property prefix for OAuth Provider properties. +==== + +. Replace the values in the `client-id` and `client-secret` property with the OAuth 2.0 credentials you created earlier. +As well, replace `https://your-subdomain.oktapreview.com` in `authorization-uri`, `token-uri`, `user-info-uri` and `jwk-set-uri` with the sub-domain assigned to your account during the registration process. + +[[okta-boot-application]] +=== Boot up the application + +Launch the Spring Boot 2.0 sample and go to `http://localhost:8080`. +You are then redirected to the default _auto-generated_ login page, which displays a link for Okta. + +Click on the Okta link, and you are then redirected to Okta for authentication. + +After authenticating with your Okta account credentials, the OAuth Client retrieves your email address and basic profile information +from the https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint] and establishes an authenticated session. diff --git a/servlet/spring-boot/java/oauth2/login/build.gradle b/servlet/spring-boot/java/oauth2/login/build.gradle new file mode 100644 index 0000000..441c11c --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/build.gradle @@ -0,0 +1,27 @@ +plugins { + id 'org.springframework.boot' version '2.2.6.RELEASE' + id 'io.spring.dependency-management' version '1.0.9.RELEASE' + id "nebula.integtest" version "7.0.9" + id 'java' +} + +repositories { + mavenCentral() + maven { url "https://repo.spring.io/snapshot" } +} + +dependencies { + implementation 'org.springframework.boot:spring-boot-starter-oauth2-client' + implementation 'org.springframework.boot:spring-boot-starter-thymeleaf' + implementation 'org.springframework.boot:spring-boot-starter-web' + implementation 'org.thymeleaf.extras:thymeleaf-extras-springsecurity5' + + testImplementation 'org.springframework.boot:spring-boot-starter-test' + testImplementation 'org.springframework.security:spring-security-test' + + integTestImplementation 'net.sourceforge.htmlunit:htmlunit' +} + +tasks.withType(Test).configureEach { + useJUnitPlatform() +} diff --git a/servlet/spring-boot/java/oauth2/login/gradle.properties b/servlet/spring-boot/java/oauth2/login/gradle.properties new file mode 100644 index 0000000..7def6a0 --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/gradle.properties @@ -0,0 +1 @@ +spring-security.version=5.4.0.BUILD-SNAPSHOT diff --git a/servlet/spring-boot/java/oauth2/login/gradle/wrapper/gradle-wrapper.jar b/servlet/spring-boot/java/oauth2/login/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000..62d4c05 Binary files /dev/null and b/servlet/spring-boot/java/oauth2/login/gradle/wrapper/gradle-wrapper.jar differ diff --git a/servlet/spring-boot/java/oauth2/login/gradle/wrapper/gradle-wrapper.properties b/servlet/spring-boot/java/oauth2/login/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 0000000..bb8b2fc --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,5 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-6.5.1-bin.zip +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/servlet/spring-boot/java/oauth2/login/gradlew b/servlet/spring-boot/java/oauth2/login/gradlew new file mode 100755 index 0000000..fbd7c51 --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/gradlew @@ -0,0 +1,185 @@ +#!/usr/bin/env sh + +# +# Copyright 2015 the original author or authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +## +## Gradle start up script for UN*X +## +############################################################################## + +# Attempt to set APP_HOME +# Resolve links: $0 may be a link +PRG="$0" +# Need this for relative symlinks. +while [ -h "$PRG" ] ; do + ls=`ls -ld "$PRG"` + link=`expr "$ls" : '.*-> \(.*\)$'` + if expr "$link" : '/.*' > /dev/null; then + PRG="$link" + else + PRG=`dirname "$PRG"`"/$link" + fi +done +SAVED="`pwd`" +cd "`dirname \"$PRG\"`/" >/dev/null +APP_HOME="`pwd -P`" +cd "$SAVED" >/dev/null + +APP_NAME="Gradle" +APP_BASE_NAME=`basename "$0"` + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD="maximum" + +warn () { + echo "$*" +} + +die () { + echo + echo "$*" + echo + exit 1 +} + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "`uname`" in + CYGWIN* ) + cygwin=true + ;; + Darwin* ) + darwin=true + ;; + MINGW* ) + msys=true + ;; + NONSTOP* ) + nonstop=true + ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + else + JAVACMD="$JAVA_HOME/bin/java" + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD="java" + which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." +fi + +# Increase the maximum file descriptors if we can. +if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then + MAX_FD_LIMIT=`ulimit -H -n` + if [ $? -eq 0 ] ; then + if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then + MAX_FD="$MAX_FD_LIMIT" + fi + ulimit -n $MAX_FD + if [ $? -ne 0 ] ; then + warn "Could not set maximum file descriptor limit: $MAX_FD" + fi + else + warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" + fi +fi + +# For Darwin, add options to specify how the application appears in the dock +if $darwin; then + GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" +fi + +# For Cygwin or MSYS, switch paths to Windows format before running java +if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then + APP_HOME=`cygpath --path --mixed "$APP_HOME"` + CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` + + JAVACMD=`cygpath --unix "$JAVACMD"` + + # We build the pattern for arguments to be converted via cygpath + ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` + SEP="" + for dir in $ROOTDIRSRAW ; do + ROOTDIRS="$ROOTDIRS$SEP$dir" + SEP="|" + done + OURCYGPATTERN="(^($ROOTDIRS))" + # Add a user-defined pattern to the cygpath arguments + if [ "$GRADLE_CYGPATTERN" != "" ] ; then + OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" + fi + # Now convert the arguments - kludge to limit ourselves to /bin/sh + i=0 + for arg in "$@" ; do + CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` + CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option + + if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition + eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` + else + eval `echo args$i`="\"$arg\"" + fi + i=`expr $i + 1` + done + case $i in + 0) set -- ;; + 1) set -- "$args0" ;; + 2) set -- "$args0" "$args1" ;; + 3) set -- "$args0" "$args1" "$args2" ;; + 4) set -- "$args0" "$args1" "$args2" "$args3" ;; + 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; + 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; + 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; + 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; + 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; + esac +fi + +# Escape application args +save () { + for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done + echo " " +} +APP_ARGS=`save "$@"` + +# Collect all arguments for the java command, following the shell quoting and substitution rules +eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" + +exec "$JAVACMD" "$@" diff --git a/servlet/spring-boot/java/oauth2/login/gradlew.bat b/servlet/spring-boot/java/oauth2/login/gradlew.bat new file mode 100644 index 0000000..a9f778a --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/gradlew.bat @@ -0,0 +1,104 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%" == "" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%" == "" set DIRNAME=. +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if "%ERRORLEVEL%" == "0" goto init + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto init + +echo. +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:init +@rem Get command-line arguments, handling Windows variants + +if not "%OS%" == "Windows_NT" goto win9xME_args + +:win9xME_args +@rem Slurp the command line arguments. +set CMD_LINE_ARGS= +set _SKIP=2 + +:win9xME_args_slurp +if "x%~1" == "x" goto execute + +set CMD_LINE_ARGS=%* + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% + +:end +@rem End local scope for the variables with windows NT shell +if "%ERRORLEVEL%"=="0" goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 +exit /b 1 + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/servlet/spring-boot/java/oauth2/login/settings.gradle b/servlet/spring-boot/java/oauth2/login/settings.gradle new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/settings.gradle @@ -0,0 +1 @@ + diff --git a/servlet/spring-boot/java/oauth2/login/src/integTest/java/sample/OAuth2LoginApplicationTests.java b/servlet/spring-boot/java/oauth2/login/src/integTest/java/sample/OAuth2LoginApplicationTests.java new file mode 100644 index 0000000..af94ced --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/src/integTest/java/sample/OAuth2LoginApplicationTests.java @@ -0,0 +1,381 @@ +/* + * Copyright 2002-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package sample; + +import java.net.URI; +import java.net.URL; +import java.net.URLDecoder; +import java.util.Collections; +import java.util.HashMap; +import java.util.HashSet; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.Set; +import java.util.stream.Collectors; + +import com.gargoylesoftware.htmlunit.FailingHttpStatusCodeException; +import com.gargoylesoftware.htmlunit.WebClient; +import com.gargoylesoftware.htmlunit.WebResponse; +import com.gargoylesoftware.htmlunit.html.DomNodeList; +import com.gargoylesoftware.htmlunit.html.HtmlAnchor; +import com.gargoylesoftware.htmlunit.html.HtmlElement; +import com.gargoylesoftware.htmlunit.html.HtmlPage; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.context.annotation.Bean; +import org.springframework.http.HttpStatus; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient; +import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest; +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; +import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest; +import org.springframework.security.oauth2.client.userinfo.OAuth2UserService; +import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository; +import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter; +import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository; +import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter; +import org.springframework.security.oauth2.core.OAuth2AccessToken; +import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponseType; +import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames; +import org.springframework.security.oauth2.core.user.DefaultOAuth2User; +import org.springframework.security.oauth2.core.user.OAuth2User; +import org.springframework.security.oauth2.core.user.OAuth2UserAuthority; +import org.springframework.test.web.servlet.MockMvc; +import org.springframework.web.util.UriComponents; +import org.springframework.web.util.UriComponentsBuilder; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oauth2Login; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model; + +/** + * Integration tests for the OAuth 2.0 client filters + * {@link OAuth2AuthorizationRequestRedirectFilter} and + * {@link OAuth2LoginAuthenticationFilter}. These filters work together to realize OAuth + * 2.0 Login leveraging the Authorization Code Grant flow. + * + * @author Joe Grandja + * @since 5.0 + */ +@SpringBootTest(classes = { OAuth2LoginApplication.class, OAuth2LoginApplicationTests.SecurityTestConfig.class }) +@AutoConfigureMockMvc +public class OAuth2LoginApplicationTests { + + private static final String AUTHORIZATION_BASE_URI = "/oauth2/authorization"; + + private static final String AUTHORIZE_BASE_URL = "http://localhost:8080/login/oauth2/code"; + + @Autowired + private WebClient webClient; + + @Autowired + private MockMvc mvc; + + @Autowired + private ClientRegistrationRepository clientRegistrationRepository; + + @BeforeEach + void setup() { + this.webClient.getCookieManager().clearCookies(); + } + + @Test + void requestIndexPageWhenNotAuthenticatedThenDisplayLoginPage() throws Exception { + HtmlPage page = this.webClient.getPage("/"); + this.assertLoginPage(page); + } + + @Test + void requestOtherPageWhenNotAuthenticatedThenDisplayLoginPage() throws Exception { + HtmlPage page = this.webClient.getPage("/other-page"); + this.assertLoginPage(page); + } + + @Test + void requestAuthorizeGitHubClientWhenLinkClickedThenStatusRedirectForAuthorization() throws Exception { + HtmlPage page = this.webClient.getPage("/"); + + ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github"); + + HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration); + assertThat(clientAnchorElement).isNotNull(); + + WebResponse response = this.followLinkDisableRedirects(clientAnchorElement); + + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.MOVED_PERMANENTLY.value()); + + String authorizeRedirectUri = response.getResponseHeaderValue("Location"); + assertThat(authorizeRedirectUri).isNotNull(); + + UriComponents uriComponents = UriComponentsBuilder.fromUri(URI.create(authorizeRedirectUri)).build(); + + String requestUri = uriComponents.getScheme() + "://" + uriComponents.getHost() + uriComponents.getPath(); + assertThat(requestUri).isEqualTo(clientRegistration.getProviderDetails().getAuthorizationUri()); + + Map params = uriComponents.getQueryParams().toSingleValueMap(); + + assertThat(params.get(OAuth2ParameterNames.RESPONSE_TYPE)) + .isEqualTo(OAuth2AuthorizationResponseType.CODE.getValue()); + assertThat(params.get(OAuth2ParameterNames.CLIENT_ID)).isEqualTo(clientRegistration.getClientId()); + String redirectUri = AUTHORIZE_BASE_URL + "/" + clientRegistration.getRegistrationId(); + assertThat(URLDecoder.decode(params.get(OAuth2ParameterNames.REDIRECT_URI), "UTF-8")).isEqualTo(redirectUri); + assertThat(URLDecoder.decode(params.get(OAuth2ParameterNames.SCOPE), "UTF-8")) + .isEqualTo(clientRegistration.getScopes().stream().collect(Collectors.joining(" "))); + assertThat(params.get(OAuth2ParameterNames.STATE)).isNotNull(); + } + + @Test + void requestAuthorizeClientWhenInvalidClientThenStatusInternalServerError() throws Exception { + HtmlPage page = this.webClient.getPage("/"); + + ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); + + HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration); + assertThat(clientAnchorElement).isNotNull(); + clientAnchorElement.setAttribute("href", clientAnchorElement.getHrefAttribute() + "-invalid"); + + WebResponse response = null; + try { + clientAnchorElement.click(); + } + catch (FailingHttpStatusCodeException ex) { + response = ex.getResponse(); + } + + assertThat(response.getStatusCode()).isEqualTo(HttpStatus.INTERNAL_SERVER_ERROR.value()); + } + + @Test + void requestAuthorizationCodeGrantWhenValidAuthorizationResponseThenDisplayIndexPage() throws Exception { + HtmlPage page = this.webClient.getPage("/"); + + ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github"); + + HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration); + assertThat(clientAnchorElement).isNotNull(); + + WebResponse response = this.followLinkDisableRedirects(clientAnchorElement); + + UriComponents authorizeRequestUriComponents = UriComponentsBuilder + .fromUri(URI.create(response.getResponseHeaderValue("Location"))).build(); + + Map params = authorizeRequestUriComponents.getQueryParams().toSingleValueMap(); + String code = "auth-code"; + String state = URLDecoder.decode(params.get(OAuth2ParameterNames.STATE), "UTF-8"); + String redirectUri = URLDecoder.decode(params.get(OAuth2ParameterNames.REDIRECT_URI), "UTF-8"); + + String authorizationResponseUri = UriComponentsBuilder.fromHttpUrl(redirectUri) + .queryParam(OAuth2ParameterNames.CODE, code).queryParam(OAuth2ParameterNames.STATE, state).build() + .encode().toUriString(); + + page = this.webClient.getPage(new URL(authorizationResponseUri)); + this.assertIndexPage(page); + } + + @Test + void requestAuthorizationCodeGrantWhenNoMatchingAuthorizationRequestThenDisplayLoginPageWithError() + throws Exception { + HtmlPage page = this.webClient.getPage("/"); + URL loginPageUrl = page.getBaseURL(); + URL loginErrorPageUrl = new URL(loginPageUrl.toString() + "?error"); + + ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); + + String code = "auth-code"; + String state = "state"; + String redirectUri = AUTHORIZE_BASE_URL + "/" + clientRegistration.getRegistrationId(); + + String authorizationResponseUri = UriComponentsBuilder.fromHttpUrl(redirectUri) + .queryParam(OAuth2ParameterNames.CODE, code).queryParam(OAuth2ParameterNames.STATE, state).build() + .encode().toUriString(); + + // Clear session cookie will ensure the 'session-saved' + // Authorization Request (from previous request) is not found + this.webClient.getCookieManager().clearCookies(); + + page = this.webClient.getPage(new URL(authorizationResponseUri)); + assertThat(page.getBaseURL()).isEqualTo(loginErrorPageUrl); + + HtmlElement errorElement = page.getBody().getFirstByXPath("div"); + assertThat(errorElement).isNotNull(); + assertThat(errorElement.asText()).contains("authorization_request_not_found"); + } + + @Test + void requestAuthorizationCodeGrantWhenInvalidStateParamThenDisplayLoginPageWithError() throws Exception { + HtmlPage page = this.webClient.getPage("/"); + URL loginPageUrl = page.getBaseURL(); + URL loginErrorPageUrl = new URL(loginPageUrl.toString() + "?error"); + + ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); + + HtmlAnchor clientAnchorElement = this.getClientAnchorElement(page, clientRegistration); + assertThat(clientAnchorElement).isNotNull(); + this.followLinkDisableRedirects(clientAnchorElement); + + String code = "auth-code"; + String state = "invalid-state"; + String redirectUri = AUTHORIZE_BASE_URL + "/" + clientRegistration.getRegistrationId(); + + String authorizationResponseUri = UriComponentsBuilder.fromHttpUrl(redirectUri) + .queryParam(OAuth2ParameterNames.CODE, code).queryParam(OAuth2ParameterNames.STATE, state).build() + .encode().toUriString(); + + page = this.webClient.getPage(new URL(authorizationResponseUri)); + assertThat(page.getBaseURL()).isEqualTo(loginErrorPageUrl); + + HtmlElement errorElement = page.getBody().getFirstByXPath("div"); + assertThat(errorElement).isNotNull(); + assertThat(errorElement.asText()).contains("authorization_request_not_found"); + } + + @Test + void requestWhenMockOAuth2LoginThenIndex() throws Exception { + ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("github"); + this.mvc.perform(get("/").with(oauth2Login().clientRegistration(clientRegistration))) + .andExpect(model().attribute("userName", "user")).andExpect(model().attribute("clientName", "GitHub")) + .andExpect(model().attribute("userAttributes", Collections.singletonMap("sub", "user"))); + } + + private void assertLoginPage(HtmlPage page) { + assertThat(page.getTitleText()).isEqualTo("Please sign in"); + + int expectedClients = 4; + + List clientAnchorElements = page.getAnchors(); + assertThat(clientAnchorElements.size()).isEqualTo(expectedClients); + + ClientRegistration googleClientRegistration = this.clientRegistrationRepository.findByRegistrationId("google"); + ClientRegistration githubClientRegistration = this.clientRegistrationRepository.findByRegistrationId("github"); + ClientRegistration facebookClientRegistration = this.clientRegistrationRepository + .findByRegistrationId("facebook"); + ClientRegistration oktaClientRegistration = this.clientRegistrationRepository.findByRegistrationId("okta"); + + String baseAuthorizeUri = AUTHORIZATION_BASE_URI + "/"; + String googleClientAuthorizeUri = baseAuthorizeUri + googleClientRegistration.getRegistrationId(); + String githubClientAuthorizeUri = baseAuthorizeUri + githubClientRegistration.getRegistrationId(); + String facebookClientAuthorizeUri = baseAuthorizeUri + facebookClientRegistration.getRegistrationId(); + String oktaClientAuthorizeUri = baseAuthorizeUri + oktaClientRegistration.getRegistrationId(); + + for (int i = 0; i < expectedClients; i++) { + assertThat(clientAnchorElements.get(i).getAttribute("href")).isIn(googleClientAuthorizeUri, + githubClientAuthorizeUri, facebookClientAuthorizeUri, oktaClientAuthorizeUri); + assertThat(clientAnchorElements.get(i).asText()).isIn(googleClientRegistration.getClientName(), + githubClientRegistration.getClientName(), facebookClientRegistration.getClientName(), + oktaClientRegistration.getClientName()); + } + } + + private void assertIndexPage(HtmlPage page) { + assertThat(page.getTitleText()).isEqualTo("Spring Security - OAuth 2.0 Login"); + + DomNodeList divElements = page.getBody().getElementsByTagName("div"); + assertThat(divElements.get(1).asText()).contains("User: joeg@springsecurity.io"); + assertThat(divElements.get(4).asText()).contains("You are successfully logged in joeg@springsecurity.io"); + } + + private HtmlAnchor getClientAnchorElement(HtmlPage page, ClientRegistration clientRegistration) { + Optional clientAnchorElement = page.getAnchors().stream() + .filter((e) -> e.asText().equals(clientRegistration.getClientName())).findFirst(); + + return (clientAnchorElement.orElse(null)); + } + + private WebResponse followLinkDisableRedirects(HtmlAnchor anchorElement) throws Exception { + WebResponse response = null; + try { + // Disable the automatic redirection (which will trigger + // an exception) so that we can capture the response + this.webClient.getOptions().setRedirectEnabled(false); + anchorElement.click(); + } + catch (FailingHttpStatusCodeException ex) { + response = ex.getResponse(); + this.webClient.getOptions().setRedirectEnabled(true); + } + return response; + } + + @EnableWebSecurity + public static class SecurityTestConfig extends WebSecurityConfigurerAdapter { + + // @formatter:off + @Override + protected void configure(HttpSecurity http) throws Exception { + http + .authorizeRequests((requests) -> requests + .anyRequest().authenticated() + ) + .oauth2Login((oauth2) -> oauth2 + .tokenEndpoint((tokens) -> tokens + .accessTokenResponseClient(this.mockAccessTokenResponseClient()) + ) + .userInfoEndpoint((userInfo) -> userInfo + .userService(this.mockUserService()) + ) + ); + } + // @formatter:on + + private OAuth2AccessTokenResponseClient mockAccessTokenResponseClient() { + OAuth2AccessTokenResponse accessTokenResponse = OAuth2AccessTokenResponse.withToken("access-token-1234") + .tokenType(OAuth2AccessToken.TokenType.BEARER).expiresIn(60 * 1000).build(); + + OAuth2AccessTokenResponseClient tokenResponseClient = mock(OAuth2AccessTokenResponseClient.class); + when(tokenResponseClient.getTokenResponse(any())).thenReturn(accessTokenResponse); + return tokenResponseClient; + } + + private OAuth2UserService mockUserService() { + Map attributes = new HashMap<>(); + attributes.put("id", "joeg"); + attributes.put("first-name", "Joe"); + attributes.put("last-name", "Grandja"); + attributes.put("email", "joeg@springsecurity.io"); + + GrantedAuthority authority = new OAuth2UserAuthority(attributes); + Set authorities = new HashSet<>(); + authorities.add(authority); + + DefaultOAuth2User user = new DefaultOAuth2User(authorities, attributes, "email"); + + OAuth2UserService userService = mock(OAuth2UserService.class); + when(userService.loadUser(any())).thenReturn(user); + return userService; + } + + @Bean + OAuth2AuthorizedClientRepository authorizedClientRepository() { + return new HttpSessionOAuth2AuthorizedClientRepository(); + } + + } + +} diff --git a/servlet/spring-boot/java/oauth2/login/src/main/java/sample/OAuth2LoginApplication.java b/servlet/spring-boot/java/oauth2/login/src/main/java/sample/OAuth2LoginApplication.java new file mode 100644 index 0000000..180ebae --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/src/main/java/sample/OAuth2LoginApplication.java @@ -0,0 +1,33 @@ +/* + * Copyright 2002-2018 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package sample; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +/** + * OAuth2 Log In application. + * + * @author Joe Grandja + */ +@SpringBootApplication +public class OAuth2LoginApplication { + + public static void main(String[] args) { + SpringApplication.run(OAuth2LoginApplication.class, args); + } + +} diff --git a/servlet/spring-boot/java/oauth2/login/src/main/java/sample/web/OAuth2LoginController.java b/servlet/spring-boot/java/oauth2/login/src/main/java/sample/web/OAuth2LoginController.java new file mode 100644 index 0000000..236d740 --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/src/main/java/sample/web/OAuth2LoginController.java @@ -0,0 +1,44 @@ +/* + * Copyright 2002-2018 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package sample.web; + +import org.springframework.security.core.annotation.AuthenticationPrincipal; +import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; +import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient; +import org.springframework.security.oauth2.core.user.OAuth2User; +import org.springframework.stereotype.Controller; +import org.springframework.ui.Model; +import org.springframework.web.bind.annotation.GetMapping; + +/** + * OAuth2 Log in controller. + * + * @author Joe Grandja + * @author Rob Winch + */ +@Controller +public class OAuth2LoginController { + + @GetMapping("/") + public String index(Model model, @RegisteredOAuth2AuthorizedClient OAuth2AuthorizedClient authorizedClient, + @AuthenticationPrincipal OAuth2User oauth2User) { + model.addAttribute("userName", oauth2User.getName()); + model.addAttribute("clientName", authorizedClient.getClientRegistration().getClientName()); + model.addAttribute("userAttributes", oauth2User.getAttributes()); + return "index"; + } + +} diff --git a/servlet/spring-boot/java/oauth2/login/src/main/resources/application.yml b/servlet/spring-boot/java/oauth2/login/src/main/resources/application.yml new file mode 100644 index 0000000..73b08fb --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/src/main/resources/application.yml @@ -0,0 +1,35 @@ +server: + port: 8080 + +logging: + level: + root: INFO + org.springframework.web: INFO + org.springframework.security: INFO +# org.springframework.boot.autoconfigure: DEBUG + +spring: + thymeleaf: + cache: false + security: + oauth2: + client: + registration: + google: + client-id: your-app-client-id + client-secret: your-app-client-secret + github: + client-id: your-app-client-id + client-secret: your-app-client-secret + facebook: + client-id: your-app-client-id + client-secret: your-app-client-secret + okta: + client-id: your-app-client-id + client-secret: your-app-client-secret + provider: + okta: + authorization-uri: https://your-subdomain.oktapreview.com/oauth2/v1/authorize + token-uri: https://your-subdomain.oktapreview.com/oauth2/v1/token + user-info-uri: https://your-subdomain.oktapreview.com/oauth2/v1/userinfo + jwk-set-uri: https://your-subdomain.oktapreview.com/oauth2/v1/keys diff --git a/servlet/spring-boot/java/oauth2/login/src/main/resources/templates/index.html b/servlet/spring-boot/java/oauth2/login/src/main/resources/templates/index.html new file mode 100644 index 0000000..629d8ac --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/src/main/resources/templates/index.html @@ -0,0 +1,34 @@ + + + + Spring Security - OAuth 2.0 Login + + + +
+
+ User: +
+
 
+
+
+ +
+
+
+

OAuth 2.0 Login with Spring Security

+
+ You are successfully logged in + via the OAuth 2.0 Client +
+
 
+
+ User Attributes: +
    +
  • + : +
  • +
+
+ + diff --git a/servlet/spring-boot/java/oauth2/login/src/test/java/sample/web/OAuth2LoginControllerTests.java b/servlet/spring-boot/java/oauth2/login/src/test/java/sample/web/OAuth2LoginControllerTests.java new file mode 100644 index 0000000..fbbcbc1 --- /dev/null +++ b/servlet/spring-boot/java/oauth2/login/src/test/java/sample/web/OAuth2LoginControllerTests.java @@ -0,0 +1,92 @@ +/* + * Copyright 2002-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package sample.web; + +import java.util.Collections; + +import org.junit.jupiter.api.Test; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest; +import org.springframework.boot.test.context.TestConfiguration; +import org.springframework.boot.test.mock.mockito.MockBean; +import org.springframework.context.annotation.Bean; +import org.springframework.security.oauth2.client.registration.ClientRegistration; +import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; +import org.springframework.security.oauth2.client.web.HttpSessionOAuth2AuthorizedClientRepository; +import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository; +import org.springframework.security.oauth2.core.AuthorizationGrantType; +import org.springframework.test.web.servlet.MockMvc; + +import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oauth2Login; +import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get; +import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model; + +/** + * Tests for {@link OAuth2LoginController} + * + * @author Josh Cummings + */ +@WebMvcTest(OAuth2LoginController.class) +public class OAuth2LoginControllerTests { + + @Autowired + MockMvc mvc; + + @MockBean + ClientRegistrationRepository clientRegistrationRepository; + + @Test + void rootWhenAuthenticatedReturnsUserAndClient() throws Exception { + // @formatter:off + this.mvc.perform(get("/").with(oauth2Login())) + .andExpect(model().attribute("userName", "user")) + .andExpect(model().attribute("clientName", "test")) + .andExpect(model().attribute("userAttributes", Collections.singletonMap("sub", "user"))); + // @formatter:on + } + + @Test + void rootWhenOverridingClientRegistrationReturnsAccordingly() throws Exception { + // @formatter:off + ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("test") + .authorizationGrantType(AuthorizationGrantType.PASSWORD) + .clientId("my-client-id") + .clientName("my-client-name") + .tokenUri("https://token-uri.example.org") + .build(); + + this.mvc.perform(get("/").with(oauth2Login() + .clientRegistration(clientRegistration) + .attributes((a) -> a.put("sub", "spring-security")))) + .andExpect(model().attribute("userName", "spring-security")) + .andExpect(model().attribute("clientName", "my-client-name")) + .andExpect(model().attribute("userAttributes", Collections.singletonMap("sub", "spring-security"))); + // @formatter:on + } + + @TestConfiguration + static class AuthorizedClient { + + @Bean + OAuth2AuthorizedClientRepository authorizedClientRepository() { + return new HttpSessionOAuth2AuthorizedClientRepository(); + } + + } + +} diff --git a/settings.gradle b/settings.gradle index 030b877..2702dce 100644 --- a/settings.gradle +++ b/settings.gradle @@ -29,4 +29,5 @@ include ":reactive:webflux:kotlin:hello-security" include ":servlet:spring-boot:java:hello" include ":servlet:spring-boot:java:hello-security" include ":servlet:spring-boot:java:hello-security-explicit" +include ":servlet:spring-boot:java:oauth2:login" include ":servlet:spring-boot:kotlin:hello-security" \ No newline at end of file