Merge pull request #633 from overture-stack/rc/5.2.0

release 5.2.0

use spring authorization server instead of legacy spring oauth2
remove legacy spring oauth2 libs

Author: blabadi

pom.xml

@@ -5,7 +5,7 @@
 
     <groupId>bio.overture</groupId>
     <artifactId>ego</artifactId>
-    <version>5.1.0</version>
+    <version>5.2.0</version>
 
     <name>ego</name>
     <description>OAuth 2.0 Authorization service that supports multiple OpenID Connect Providers</description>
@@ -34,16 +34,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.springframework.security.oauth</groupId>
-            <artifactId>spring-security-oauth2</artifactId>
-            <version>2.5.0.RELEASE</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.security.oauth.boot</groupId>
-            <artifactId>spring-security-oauth2-autoconfigure</artifactId>
-            <version>2.4.4</version>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
@@ -60,6 +50,12 @@
             <artifactId>spring-boot-starter-oauth2-client</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-oauth2-authorization-server</artifactId>
+            <version>0.2.1</version>
+        </dependency>
+
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-jdbc</artifactId>

src/main/java/bio/overture/ego/config/AuthConfig.java

@@ -0,0 +1,54 @@
+package bio.overture.ego.config;
+
+import bio.overture.ego.token.signer.TokenSigner;
+import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.proc.SecurityContext;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.UUID;
+import lombok.val;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+
+@Configuration
+public class AuthorizationServerConfig {
+
+  // Soruce of this method :
+  // https://github.com/spring-projects/spring-security-samples/blob/main/servlet/spring-boot/java/oauth2/authorization-server/src/main/java/example/OAuth2AuthorizationServerSecurityConfiguration.java
+  @Bean
+  public JWKSource<SecurityContext> jwkSource(@Autowired TokenSigner tokenSigner) {
+    val keyPair =
+        tokenSigner.getKeyPair().orElseThrow(() -> new RuntimeException("no key pair found"));
+    RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
+    RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
+    // @formatter:off
+    RSAKey rsaKey =
+        new RSAKey.Builder(publicKey)
+            .privateKey(privateKey)
+            .keyID(UUID.randomUUID().toString())
+            .build();
+    // @formatter:on
+    JWKSet jwkSet = new JWKSet(rsaKey);
+    return new ImmutableJWKSet<>(jwkSet);
+  }
+
+  @Bean
+  public JwtDecoder jwtDecoder(@Autowired TokenSigner tokenSigner) {
+    val keyPair =
+        tokenSigner.getKeyPair().orElseThrow(() -> new RuntimeException("no key pair found"));
+    return NimbusJwtDecoder.withPublicKey((RSAPublicKey) keyPair.getPublic()).build();
+  }
+
+  @Bean
+  public ProviderSettings providerSettings(@Value("${token.issuer}") String issuer) {
+    return ProviderSettings.builder().tokenEndpoint("/oauth/token").issuer(issuer).build();
+  }
+}

src/main/java/bio/overture/ego/config/AuthorizationServerConfig.java

@@ -19,6 +19,7 @@
 import bio.overture.ego.model.exceptions.SSOAuthenticationFailureHandler;
 import bio.overture.ego.security.*;
 import bio.overture.ego.service.ApplicationService;
+import bio.overture.ego.service.TokenService;
 import bio.overture.ego.utils.Redirects;
 import java.io.IOException;
 import java.util.Arrays;
@@ -27,6 +28,7 @@
 import javax.servlet.http.HttpServletResponse;
 import lombok.SneakyThrows;
 import lombok.val;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.*;
@@ -36,6 +38,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
@@ -178,20 +181,27 @@ protected void configure(HttpSecurity http) throws Exception {
     }
   }
 
+  @Bean
+  @SneakyThrows
+  public JWTAuthorizationFilter authorizationFilter(
+      TokenService tokenService, ApplicationService applicationService) {
+    return new JWTAuthorizationFilter(PUBLIC_ENDPOINTS, tokenService, applicationService);
+  }
+
   @Configuration
   @Order(SecurityProperties.BASIC_AUTH_ORDER + 3)
   public class AppConfigurerAdapter extends WebSecurityConfigurerAdapter {
 
-    @Bean
-    @SneakyThrows
-    public JWTAuthorizationFilter authorizationFilter() {
-      return new JWTAuthorizationFilter(PUBLIC_ENDPOINTS);
-    }
+    OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
+        new OAuth2AuthorizationServerConfigurer<>();
+    @Autowired JWTAuthorizationFilter authorizationFilter;
 
     @Override
     protected void configure(HttpSecurity http) throws Exception {
       http.csrf()
           .disable()
+          .apply(authorizationServerConfigurer)
+          .and()
           .authorizeRequests()
           .antMatchers(
               "/",
@@ -211,7 +221,7 @@ protected void configure(HttpSecurity http) throws Exception {
           .anyRequest()
           .authenticated()
           .and()
-          .addFilterBefore(authorizationFilter(), BasicAuthenticationFilter.class)
+          .addFilterBefore(authorizationFilter, BasicAuthenticationFilter.class)
           .sessionManagement()
           .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
     }

src/main/java/bio/overture/ego/config/SecureServerConfig.java

@@ -34,9 +34,6 @@
 import bio.overture.ego.token.signer.TokenSigner;
 import bio.overture.ego.utils.Tokens;
 import io.swagger.annotations.Api;
-import io.swagger.annotations.ApiOperation;
-import java.security.Principal;
-import java.util.Map;
 import java.util.Objects;
 import javax.servlet.http.HttpServletResponse;
 import lombok.NonNull;
@@ -49,11 +46,7 @@
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
-import org.springframework.security.oauth2.common.OAuth2AccessToken;
-import org.springframework.security.oauth2.core.oidc.user.OidcUser;
-import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
 import org.springframework.util.StringUtils;
-import org.springframework.web.HttpRequestMethodNotSupportedException;
 import org.springframework.web.bind.annotation.*;
 import springfox.documentation.annotations.ApiIgnore;
 
@@ -70,11 +63,9 @@ public class AuthController {
   private final GoogleTokenService googleTokenService;
   private final TokenSigner tokenSigner;
   private final RefreshContextService refreshContextService;
-  private final TokenEndpoint tokenEndpoint;
 
   @Autowired
   public AuthController(
-      @NonNull TokenEndpoint tokenEndpoint,
       @NonNull TokenService tokenService,
       @NonNull GoogleTokenService googleTokenService,
       @NonNull TokenSigner tokenSigner,
@@ -83,17 +74,6 @@ public AuthController(
     this.googleTokenService = googleTokenService;
     this.tokenSigner = tokenSigner;
     this.refreshContextService = refreshContextService;
-    this.tokenEndpoint = tokenEndpoint;
-  }
-
-  // This spring tokenEndpoint controller is proxied so that Springfox can include this in the
-  // swagger-ui under the Auth controller
-  @ApiOperation(value = POST_ACCESS_TOKEN)
-  @RequestMapping(value = "/token", method = RequestMethod.POST)
-  public ResponseEntity<OAuth2AccessToken> postAccessToken(
-      Principal principal, @RequestParam Map<String, String> parameters)
-      throws HttpRequestMethodNotSupportedException {
-    return this.tokenEndpoint.postAccessToken(principal, parameters);
   }
 
   @RequestMapping(method = GET, value = "/google/token")
@@ -111,7 +91,7 @@ public ResponseEntity<OAuth2AccessToken> postAccessToken(
   @ResponseStatus(value = OK)
   @SneakyThrows
   public @ResponseBody boolean verifyJWToken(@RequestHeader(value = "token") final String token) {
-    if (StringUtils.isEmpty(token)) {
+    if (!StringUtils.hasText(token)) {
       throw new InvalidTokenException("ScopedAccessToken is empty");
     }
 

src/main/java/bio/overture/ego/controller/AuthController.java

@@ -93,7 +93,7 @@ private Optional<Application> getAppInfo(String token) {
     val claims = tokenService.getTokenAppInfo(token);
     return claims == null
         ? Optional.empty()
-        : applicationService.findByClientId(claims.getClientId());
+        : applicationService.getClientApplication(claims.getClientId());
   }
 
   @Getter

src/main/java/bio/overture/ego/grpc/interceptor/ApplicationAuthInterceptor.java

@@ -16,7 +16,6 @@
 import lombok.val;
 import org.apache.http.client.utils.URIBuilder;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.stereotype.Component;