update lab 4

Author: andifalk

intro-labs/auth-code-demo/README.md

@@ -51,6 +51,18 @@ __Important:__ You can use one of the following users to login:
 
 You may use the _username_ or _email_ in the username input field.
 
+If you stay too long on step 2 (where you have retrieved the authorization code) then you might
+get an error when proceeding to step 3 (exchanging the code for an access token).  
+This is because the authorization code timed out.
+
+According to the [OAuth2 specification](https://tools.ietf.org/html/rfc6749#section-4.1.2):
+
+<blockquote cite="https://tools.ietf.org/html/rfc6749#section-4.1.2">
+The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks.  
+A maximum authorization code lifetime of 10 minutes is RECOMMENDED. 
+The client MUST NOT use the authorization code more than once. 
+</blockquote>
+
 
 
 

intro-labs/auth-code-demo/src/main/java/com/example/authorizationcode/client/jwt/JsonWebToken.java

@@ -1,7 +1,11 @@
 package com.example.authorizationcode.client.jwt;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
 import org.apache.commons.lang3.StringUtils;
 
+import java.io.IOException;
 import java.util.Base64;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
@@ -41,7 +45,14 @@ public String getHeader() {
   }
 
   public String getPayload() {
-    return new String(Base64.getDecoder().decode(base64Payload), UTF_8);
+    String raw_json = new String(Base64.getDecoder().decode(base64Payload), UTF_8);
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.configure(SerializationFeature.INDENT_OUTPUT, true);
+    try {
+      return mapper.writerWithDefaultPrettyPrinter().writeValueAsString(mapper.readValue(raw_json, Object.class));
+    } catch (IOException e) {
+      return raw_json;
+    }
   }
 
   public String getSignature() {

intro-labs/auth-code-demo/src/main/java/com/example/authorizationcode/client/web/TokenIntrospectionController.java

@@ -1,5 +1,7 @@
 package com.example.authorizationcode.client.web;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.SerializationFeature;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.MediaType;
 import org.springframework.stereotype.Controller;
@@ -10,6 +12,7 @@
 import org.springframework.web.reactive.function.client.WebClientResponseException;
 import reactor.core.publisher.Mono;
 
+import java.io.IOException;
 import java.net.URISyntaxException;
 import java.net.URL;
 
@@ -59,7 +62,7 @@ private Mono<String> performTokenIntrospectionRequest(Model model, String tokenR
         .bodyToMono(String.class)
         .map(
             s -> {
-              model.addAttribute("introspection_response", s);
+              model.addAttribute("introspection_response", prettyJson(s));
               return "introspection";
             })
         .onErrorResume(
@@ -71,4 +74,14 @@ private Mono<String> performTokenIntrospectionRequest(Model model, String tokenR
               return Mono.just("error");
             });
   }
+
+  private String prettyJson(String raw) {
+    ObjectMapper mapper = new ObjectMapper();
+    mapper.configure(SerializationFeature.INDENT_OUTPUT, true);
+    try {
+      return mapper.writerWithDefaultPrettyPrinter().writeValueAsString(mapper.readValue(raw, Object.class));
+    } catch (IOException e) {
+      return raw;
+    }
+  }
 }

intro-labs/auth-code-demo/src/main/resources/templates/access-token.html

@@ -30,7 +30,7 @@ <h3>Access Token</h3>
         <h3>Access Token (decoded JWT)</h3>
 
         <p th:text="'JWT Header: ' + ${jwt_header}"></p>
-        <p th:text="'JWT Payload: ' + ${jwt_payload}"></p>
+        <p th:utext="'JWT Payload: ' + ${jwt_payload}"></p>
         <p th:text="'JWT Signature: ' + ${jwt_signature}"></p>
 
         <h3>Refresh Token</h3>

lab4/jwt-generator/build.gradle

@@ -17,6 +17,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
     implementation 'org.springframework.boot:spring-boot-starter-web'
     implementation 'com.nimbusds:nimbus-jose-jwt:7.0.1'
+    implementation 'org.apache.commons:commons-lang3'
     runtimeOnly 'org.springframework.boot:spring-boot-devtools'
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }

lab4/jwt-generator/src/main/java/com/example/jwt/generator/JwtController.java

@@ -9,6 +9,7 @@
 import com.nimbusds.jose.crypto.RSASSASigner;
 import com.nimbusds.jose.jwk.RSAKey;
 import net.minidev.json.JSONObject;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -49,16 +50,18 @@ public String generateJwt(User user, Model model) throws JOSEException {
     Map<String, Object> payload = new HashMap<>();
 
     payload.put("iss", "test_issuer");
+    payload.put("exp", Math.abs(System.currentTimeMillis() / 1000) + (5 * 60));
     payload.put("aud", new String[] {"library-service"});
-    payload.put("sub", user.getEmail());
+    payload.put("sub", user.getEmail() != null ? user.getEmail() : "[email protected]");
     payload.put("scope", "openid email profile");
-    payload.put("groups", new String[] {"library_user"});
-    payload.put("preferred_username", user.getUsername());
-    payload.put("given_name", user.getFirstName());
-    payload.put("family_name", user.getLastName());
-    payload.put("email", user.getEmail());
+    payload.put("groups", StringUtils.isNotBlank(user.getRole()) ? new String[] {user.getRole()} : new String[] {"library_user"});
+    payload.put("preferred_username", StringUtils.isNotBlank(user.getUsername()) ? user.getUsername() : "bwayne");
+    payload.put("given_name", StringUtils.isNotBlank(user.getFirstName()) ? user.getFirstName() : "Bruce");
+    payload.put("family_name", StringUtils.isNotBlank(user.getLastName()) ? user.getLastName() : "Wayne");
+    payload.put("email", StringUtils.isNotBlank(user.getEmail()) ? user.getEmail() : "[email protected]");
     payload.put("email_verified", true);
-    payload.put("name", user.getFirstName() + " " + user.getLastName());
+    payload.put("name", StringUtils.isNotBlank(user.getFirstName())
+            && StringUtils.isNotBlank(user.getLastName()) ? user.getFirstName() + " " + user.getLastName() : "Bruce Wayne");
 
     String jwt = createJwt(payload);
     model.addAttribute("jwt", jwt);
@@ -85,6 +88,4 @@ private String createJwt(Map<String, Object> payload) throws JOSEException {
     // -jPDm5Iq0SZnjKjCNS5Q15fokXZc8u0A
     return jwsObject.serialize();
   }
-
-
 }