feature : io.github.patternknife.securityhelper.oauth2.no-app-token-same-access-token

Author: patternhelloworld

README.md

@@ -1,13 +1,13 @@
 # Spring Security Oauth2 Password JPA Implementation
 
-> One OAuth2 ROPC POC built to grow with Spring Boot and ORM
+> App-Token based OAuth2 ROPC POC built to grow with Spring Boot and ORM
 
 ## Quick Start
 ```xml
 <dependency>
     <groupId>io.github.patternknife.securityhelper.oauth2.api</groupId>
     <artifactId>spring-security-oauth2-password-jpa-implementation</artifactId>
-    <version>3.0.1</version>
+    <version>3.1.0</version>
 </dependency>
 ```
 For v2, using the database tables from Spring Security 5 (only the database tables; follow the dependencies as above):
@@ -52,6 +52,23 @@ For v2, using the database tables from Spring Security 5 (only the database tabl
 
 * Authentication management based on a combination of username, client ID, and App-Token
   * What is an App-Token? An App-Token is a new access token generated each time the same account logs in. If the token values are the same, the same access token is shared.
+
+| App-Token Status       | Access Token Behavior      |
+|------------------------|----------------------------|
+| same for the same user | Access-Token is shared     |
+| different for the same user              | Access-Token is NOT shared |
+
+  * Set this in your ``application.properties``. 
+    * App-Token Behavior Based on `io.github.patternknife.securityhelper.oauth2.no-app-token-same-access-token`
+
+| `no-app-token-same-access-token` Value | App-Token Status                          | Access Token Sharing Behavior                                                                                     |
+|------------------------------------------------------------|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|
+| `true`                                                     | App-Token is `null` for the same user     | Same user with a `null` App-Token shares the same access token across multiple logins.                             |
+| `false`                                                    | App-Token is `null` for the same user                       | Even if the App-Token is `null`, the same user will receive a new access token for each login.                     |
+| `-`                                                        | App-Token is shared for the same user     | Access tokens will not be shared. A new access token is generated for each unique App-Token, even for the same user.|
+| `-`                                                        | App-Token is NOT shared for the same user | Each unique App-Token generates a new access token for the same user.                                              |
+
+
 * Separated UserDetails implementation for Admin and Customer roles as an example. (This can be extended as desired by implementing ``UserDetailsServiceFactory``)
 * For versions greater than or equal to v3, including the latest version (Spring Security 6), provide MySQL DDL, which consists of ``oauth2_authorization`` and ``oauth2_registered_client``.
 * For v2 (Spring Security 5), provide MySQL DDL, which consists of ``oauth_access_token, oauth_refresh_token and oauth_client_details``, which are tables in Security 5. As I meant to migrate current security system to Security 6 back then, I hadn't changed them to the ``oauth2_authorization`` table indicated in https://github.com/spring-projects/spring-authorization-server.

client/pom.xml

@@ -7,7 +7,7 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.patternknife.securityhelper.oauth2.client</groupId>
     <artifactId>spring-security-oauth2-password-jpa-implementation-client</artifactId>
-    <version>3.0.1</version>
+    <version>3.1.0</version>
     <packaging>jar</packaging>
 
     <properties>
@@ -48,7 +48,7 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
         <dependency>
             <groupId>io.github.patternknife.securityhelper.oauth2.api</groupId>
             <artifactId>spring-security-oauth2-password-jpa-implementation</artifactId>
-            <version>3.0.1</version>
+            <version>3.1.0</version>
         </dependency>
 
         <!-- DB -->

client/src/main/resources/application.properties

@@ -67,3 +67,5 @@ spring.servlet.multipart.maxRequestSize=10MB
 
 management.endpoints.web.exposure.include=*
 app.timezone=Asia/Seoul
+
+io.github.patternknife.securityhelper.oauth2.no-app-token-same-access-token=false

pom.xml

@@ -8,7 +8,7 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
 
     <groupId>io.github.patternknife.securityhelper.oauth2.api</groupId>
     <artifactId>spring-security-oauth2-password-jpa-implementation</artifactId>
-    <version>3.0.1</version>
+    <version>3.1.0</version>
     <name>spring-security-oauth2-password-jpa-implementation</name>
     <description>The implementation of Spring Security 6 Spring Authorization Server for stateful OAuth2 Password Grant</description>
     <packaging>jar</packaging>
@@ -362,7 +362,7 @@ http://maven.apache.org/xsd/maven-4.0.0.xsd">
 <!--          <plugin>
                             <groupId>org.apache.maven.plugins</groupId>
                             <artifactId>maven-gpg-plugin</artifactId>
-                            <version>3.0.1</version>
+                            <version>3.1.0</version>
                             <executions>
                                 <execution>
                                     <id>sign-artifacts</id>

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/dao/KnifeAuthorizationRepository.java

@@ -99,6 +99,15 @@ Optional<KnifeAuthorization> findValidAuthorizationByPrincipalNameAndClientIdAnd
             @Param("accessTokenAppToken") String accessTokenAppToken
     );
 
+    @Query("SELECT o FROM KnifeAuthorization o WHERE o.principalName = :principalName AND o.registeredClientId = :registeredClientId AND " +
+            "(o.accessTokenAppToken = :accessTokenAppToken OR (o.accessTokenAppToken IS NULL AND :accessTokenAppToken IS NULL)) " +
+            "AND o.accessTokenExpiresAt > CURRENT_TIMESTAMP")
+    Optional<KnifeAuthorization> findValidAuthorizationByPrincipalNameAndClientIdAndNullableAppToken(
+            @Param("principalName") String principalName,
+            @Param("registeredClientId") String registeredClientId,
+            @Param("accessTokenAppToken") String accessTokenAppToken
+    );
+
 
 
     Optional<List<KnifeAuthorization>> findListByPrincipalNameAndRegisteredClientIdAndAccessTokenAppToken(String principalName, String registeredClientId, String accessTokenAppToken);

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/serivce/persistence/authorization/OAuth2AuthorizationServiceImpl.java

@@ -11,19 +11,20 @@
 import jakarta.validation.constraints.NotEmpty;
 import lombok.RequiredArgsConstructor;
 import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.oauth2.core.AuthorizationGrantType;
+
 import org.springframework.security.oauth2.core.OAuth2AccessToken;
 import org.springframework.security.oauth2.core.OAuth2RefreshToken;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
 
-import java.time.Duration;
+
 import java.time.Instant;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
-import java.util.List;
+
 import java.util.Optional;
 import java.util.function.Consumer;
 import java.util.function.Supplier;
@@ -35,6 +36,7 @@ public class OAuth2AuthorizationServiceImpl implements OAuth2AuthorizationServic
     private final KnifeAuthorizationRepository knifeAuthorizationRepository;
     private final SecurityPointCut securityPointCut;
 
+
     /*
     *   1. C for Create
     * */
@@ -155,12 +157,24 @@ public OAuth2Authorization findByToken(@NotEmpty String tokenValue, @Nullable OA
                 .orElse(null);
 
     }
+
+
+    @Value("${io.github.patternknife.securityhelper.oauth2.no-app-token-same-access-token:true}")
+    private boolean noAppTokenSameAccessToken;
     /*
      *   [IMPORTANT] KEY = Username (principalName) + ClientId + AppToken
      *      Same ( org.springframework.security.core.userdetails : userName + spring-authorization-server : principalName )
      * */
     public @Nullable OAuth2Authorization findByUserNameAndClientIdAndAppToken(@NotEmpty String userName, @NotEmpty String clientId, @Nullable String appToken) {
-        return findOAuth2AuthorizationByAccessTokenValueSafely(() -> knifeAuthorizationRepository.findValidAuthorizationByPrincipalNameAndClientIdAndAppToken(userName, clientId, appToken).map(KnifeAuthorization::getAttributes),
+        if (noAppTokenSameAccessToken) {
+            return findAuthorization(() -> knifeAuthorizationRepository.findValidAuthorizationByPrincipalNameAndClientIdAndNullableAppToken(userName, clientId, appToken), userName, clientId, appToken);
+        } else {
+            return findAuthorization(() -> knifeAuthorizationRepository.findValidAuthorizationByPrincipalNameAndClientIdAndAppToken(userName, clientId, appToken), userName, clientId, appToken);
+        }
+    }
+
+    private @Nullable OAuth2Authorization findAuthorization(Supplier<Optional<KnifeAuthorization>> authorizationSupplier, String userName, String clientId, @Nullable String appToken) {
+        return findOAuth2AuthorizationByAccessTokenValueSafely(() -> authorizationSupplier.get().map(KnifeAuthorization::getAttributes),
                 e -> {
                     knifeAuthorizationRepository.findListByPrincipalNameAndRegisteredClientIdAndAccessTokenAppToken(userName, clientId, appToken).ifPresent(knifeAuthorizationRepository::deleteAll);
                     knifeAuthorizationRepository.deleteByPrincipalNameAndRegisteredClientIdAndAccessTokenAppToken(userName, clientId, appToken);

src/main/java/io/github/patternknife/securityhelper/oauth2/api/config/security/serivce/persistence/client/RegisteredClientRepositoryImpl.java

@@ -120,28 +120,28 @@ public void save(RegisteredClient registeredClient) {
     }
 
 
-    private RegisteredClient mapToRegisteredClient(KnifeClient detail) {
-        Set<String> scopesSet = Arrays.stream(detail.getScopes().split(","))
+    private RegisteredClient mapToRegisteredClient(KnifeClient knifeClient) {
+        Set<String> scopesSet = Arrays.stream(knifeClient.getScopes().split(","))
                 .map(String::trim)
                 .collect(Collectors.toSet());
 
-        Set<AuthorizationGrantType> grantTypesSet = Arrays.stream(detail.getAuthorizationGrantTypes().split(","))
+        Set<AuthorizationGrantType> grantTypesSet = Arrays.stream(knifeClient.getAuthorizationGrantTypes().split(","))
                 .map(String::trim)
                 .map(AuthorizationGrantType::new)
                 .collect(Collectors.toSet());
 
         // Assuming getTokenSettings() returns a map-like structure for token settings.
-        Map<String, Object> tokenSettings =  parseMap(detail.getTokenSettings());
+        Map<String, Object> tokenSettings =  parseMap(knifeClient.getTokenSettings());
 
         // Extract token time-to-live values from tokenSettings (assuming they are stored as strings or numbers)
         Duration accessTokenTimeToLive = Duration.ofSeconds(Long.parseLong(tokenSettings.get("access_token_time_to_live").toString()));
         Duration refreshTokenTimeToLive = Duration.ofSeconds(Long.parseLong(tokenSettings.get("refresh_token_time_to_live").toString()));
 
 
-        return RegisteredClient.withId(UUID.randomUUID().toString())
-                .clientId(detail.getClientId())
-                .clientSecret(detail.getClientSecret())
-                .clientName(detail.getClientId())
+        return RegisteredClient.withId(knifeClient.getId())
+                .clientId(knifeClient.getClientId())
+                .clientSecret(knifeClient.getClientSecret())
+                .clientName(knifeClient.getClientId())
                 .clientAuthenticationMethods(authenticationMethods ->
                         authenticationMethods.add(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)) // Adjust based on your entity
                 .authorizationGrantTypes(grantTypes -> grantTypes.addAll(grantTypesSet))