feature : add the validator to the authorization code

Author: patternhelloworld

client/src/main/java/com/patternhelloworld/securityhelper/oauth2/client/config/securityimpl/response/CustomWebAuthenticationFailureHandlerImpl.java

@@ -2,7 +2,7 @@
 
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.message.ISecurityUserExceptionMessageService;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.response.error.exception.EasyPlusOauth2AuthenticationException;
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.ErrorCodeConstants;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.EasyPlusErrorCodeConstants;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -43,13 +43,13 @@ public void onAuthenticationFailure(HttpServletRequest request, HttpServletRespo
         // Extract error messages if the exception is of type EasyPlusOauth2AuthenticationException
         if (exception instanceof EasyPlusOauth2AuthenticationException) {
             oauth2Exception = (EasyPlusOauth2AuthenticationException) exception;
-            errorMessage = oauth2Exception.getErrorMessages().getUserMessage();
+            errorMessage = oauth2Exception.getErrorMessages().getUserMessage() + "(" + oauth2Exception.getErrorMessages().getErrorCode() + ")";
 
-            if(oauth2Exception.getError().getErrorCode().equals(ErrorCodeConstants.REDIRECT_TO_LOGIN)){
+            if(oauth2Exception.getError().getErrorCode().equals(EasyPlusErrorCodeConstants.REDIRECT_TO_LOGIN)){
                 request.getRequestDispatcher("/login").forward(request, response);
                 return;
             }
-            if(oauth2Exception.getError().getErrorCode().equals(ErrorCodeConstants.REDIRECT_TO_CONSENT)){
+            if(oauth2Exception.getError().getErrorCode().equals(EasyPlusErrorCodeConstants.REDIRECT_TO_CONSENT)){
                 // Construct full URL
                 String fullURL = request.getRequestURL().toString();
                 if (request.getQueryString() != null) {

client/src/main/java/com/patternhelloworld/securityhelper/oauth2/client/config/securityimpl/response/CustomWebAuthenticationSuccessHandlerImpl.java

@@ -6,11 +6,14 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.RequiredArgsConstructor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Primary;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 
 import java.io.IOException;
@@ -21,16 +24,25 @@
 @RequiredArgsConstructor
 public class CustomWebAuthenticationSuccessHandlerImpl implements AuthenticationSuccessHandler {
 
+    private static final Logger logger = LoggerFactory.getLogger(CustomWebAuthenticationSuccessHandlerImpl.class);
+
     private final ISecurityUserExceptionMessageService iSecurityUserExceptionMessageService;
 
     @Override
     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
-        OAuth2AuthorizationCodeAuthenticationToken oAuth2AuthorizationCodeAuthenticationToken = (OAuth2AuthorizationCodeAuthenticationToken) authentication;
-
-        String redirectUri = oAuth2AuthorizationCodeAuthenticationToken.getRedirectUri();
-        String authorizationCode = oAuth2AuthorizationCodeAuthenticationToken.getCode();
-        String state = oAuth2AuthorizationCodeAuthenticationToken.getAdditionalParameters().get("state").toString();
-
-        response.sendRedirect(redirectUri+"?code="+authorizationCode+"&state="+state);
+        if(authentication instanceof OAuth2AuthorizationCodeRequestAuthenticationToken) {
+            request.getRequestDispatcher("/login").forward(request, response);
+        }else if(authentication instanceof OAuth2AuthorizationCodeAuthenticationToken) {
+            OAuth2AuthorizationCodeAuthenticationToken oAuth2AuthorizationCodeAuthenticationToken = (OAuth2AuthorizationCodeAuthenticationToken) authentication;
+
+            String redirectUri = oAuth2AuthorizationCodeAuthenticationToken.getRedirectUri();
+            String authorizationCode = oAuth2AuthorizationCodeAuthenticationToken.getCode();
+            String state = oAuth2AuthorizationCodeAuthenticationToken.getAdditionalParameters().get("state").toString();
+
+            response.sendRedirect(redirectUri+"?code="+authorizationCode+"&state="+state);
+        }else{
+            logger.error("Wrong Authentication Type : {}", authentication.getClass());
+            request.getRequestDispatcher("/login").forward(request, response);
+        }
     }
 }

client/src/main/resources/templates/login.html

@@ -73,7 +73,7 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
             const password = passwordInput.value;
 
             // Extract query parameters from the current URL
-            const {client_id, state, scope, redirect_uri, code_challenge, code_challenge_method} = getQueryParameters();
+            const {client_id, response_type, state, scope, redirect_uri, code_challenge, code_challenge_method} = getQueryParameters();
 
             // Basic Auth header creation
             const clientSecret = '12345'; // Enter client secret
@@ -83,7 +83,7 @@ <h1 class="h3 mb-3 fw-normal">Please sign in</h1>
                 'username': username,
                 'password': password,
                 'grant_type': "password",
-                'response_type': "code",
+                'response_type': response_type,
                 'scope': scope
             };
 

lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/AuthorizationCodeAuthorizationRequestConverter.java renamed to lib/src/main/java/io/github/patternhelloworld/securityhelper/oauth2/api/config/security/converter/auth/endpoint/CodeAuthorizationConditionalConverter.java

@@ -7,48 +7,45 @@
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.response.error.dto.EasyPlusErrorMessages;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.response.error.exception.EasyPlusOauth2AuthenticationException;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.serivce.persistence.authorization.OAuth2AuthorizationServiceImpl;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.security.validator.endpoint.authorization.CodeValidationResult;
+import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.EasyPlusErrorCodeConstants;
 import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.EasyPlusOAuth2EndpointUtils;
-import io.github.patternhelloworld.securityhelper.oauth2.api.config.util.ErrorCodeConstants;
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.HttpMethod;
-import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
-import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.web.authentication.AuthenticationConverter;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
+import org.springframework.util.Assert;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
 
-import java.util.*;
+import java.util.Map;
+import java.util.function.Function;
 
 @RequiredArgsConstructor
-public final class AuthorizationCodeAuthorizationRequestConverter implements AuthenticationConverter {
+public final class CodeAuthorizationConditionalConverter implements AuthenticationConverter {
+
+    private Function<MultiValueMap<String, String>, CodeValidationResult> authenticationValidator;
 
-    private final RegisteredClientRepository registeredClientRepository;
     private final EasyPlusAuthorizationConsentRepository easyPlusAuthorizationConsentRepository;
     private final OAuth2AuthorizationServiceImpl oAuth2AuthorizationService;
 
     private final ISecurityUserExceptionMessageService iSecurityUserExceptionMessageService;
 
     private final String consentYN;
 
-    private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken("anonymous",
-            "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
-
-    private static final RequestMatcher OIDC_REQUEST_MATCHER = createOidcRequestMatcher();
-
     /*
      * Why is the validation check done here?
      * - Because if an OAuth2AuthenticationException is thrown in the CustomizedProvider,
@@ -62,56 +59,19 @@ public Authentication convert(HttpServletRequest request) {
 
         MultiValueMap<String, String> parameters = EasyPlusOAuth2EndpointUtils.getWebParametersContainingEasyPlusHeaders(request);
 
-        String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
-        if (!StringUtils.hasText(clientId)) {
-            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_CLIENT_ID_MISSING));
-        }
-        String redirectUri = parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
-        if (!StringUtils.hasText(redirectUri)) {
-            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_REDIRECT_URI_MISSING));
-        }
-
-        Map<String, Object> additionalParameters = new HashMap<>();
+        CodeValidationResult codeValidationResult = this.authenticationValidator.apply(parameters);
 
-        parameters.forEach((key, value) -> {
-            additionalParameters.put(key, (value.size() == 1) ? value.get(0) : value.toArray(new String[0]));
-        });
-
-
-        String state = parameters.getFirst(OAuth2ParameterNames.STATE);
-        if (!StringUtils.hasText(state)) {
-            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_STATE_MISSING));
-        }
-
-        Set<String> requestedScopes = new HashSet<>(parameters.getOrDefault(OAuth2ParameterNames.SCOPE, Collections.emptyList()));
+        Map<String, Object> additionalParameters = EasyPlusOAuth2EndpointUtils.convertMultiValueMapToMap(parameters);
 
         Authentication principal = SecurityContextHolder.getContext().getAuthentication();
         if (principal == null) {
-            setClientAuthenticationContext(clientId);
+            setClientAuthenticationContext(codeValidationResult.getRegisteredClient());
             principal = SecurityContextHolder.getContext().getAuthentication();
         }
 
-        RegisteredClient registeredClient = ((OAuth2ClientAuthenticationToken) principal).getRegisteredClient();
-
-        if (registeredClient == null) {
-            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_REGISTERED_CLIENT_NOT_FOUND));
-        }
-
-        if (!registeredClient.getRedirectUris().contains(redirectUri)) {
-            throw new EasyPlusOauth2AuthenticationException(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_INVALID_REDIRECT_URI));
-        }
-
-        Set<String> registeredScopes = registeredClient.getScopes(); // Scopes from the RegisteredClient
-
-        if (!registeredScopes.containsAll(requestedScopes)) {
-            throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_LOGIN_ERROR))
-                    .message("Invalid scopes: " + requestedScopes + ". Allowed scopes: " + registeredScopes).build());
-        }
-
         String code = parameters.getFirst(OAuth2ParameterNames.CODE);
         if (!StringUtils.hasText(code)) {
-            throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_AUTHORIZATION_CODE_MISSING))
-                    .errorCode(ErrorCodeConstants.REDIRECT_TO_LOGIN).build());
+            return new OAuth2AuthorizationCodeRequestAuthenticationToken(request.getRequestURL().toString(), codeValidationResult.getClientId(), principal, codeValidationResult.getRedirectUri(), codeValidationResult.getState(), codeValidationResult.getScope(), additionalParameters);
         }
 
         // Check Consent
@@ -129,15 +89,15 @@ public Authentication convert(HttpServletRequest request) {
                 } else {
                     // This means the user should check authorization consent OK
                     throw new EasyPlusOauth2AuthenticationException(EasyPlusErrorMessages.builder().userMessage(iSecurityUserExceptionMessageService.getUserMessage(DefaultSecurityUserExceptionMessage.AUTHENTICATION_AUTHORIZATION_CODE_MISSING))
-                            .errorCode(ErrorCodeConstants.REDIRECT_TO_CONSENT).build());
+                            .errorCode(EasyPlusErrorCodeConstants.REDIRECT_TO_CONSENT).build());
                 }
             }
         }
 
         return new OAuth2AuthorizationCodeAuthenticationToken(
                 code,
                 principal,
-                redirectUri,
+                codeValidationResult.getRedirectUri(),
                 additionalParameters
         );
     }
@@ -153,12 +113,7 @@ private static RequestMatcher createOidcRequestMatcher() {
         return new AndRequestMatcher(postMethodMatcher, responseTypeParameterMatcher, openidScopeMatcher);
     }
 
-    public void setClientAuthenticationContext(String clientId) {
-        RegisteredClient registeredClient = registeredClientRepository.findByClientId(clientId);
-        if (registeredClient == null) {
-            throw new IllegalArgumentException("Invalid client ID");
-        }
-
+    public void setClientAuthenticationContext(RegisteredClient registeredClient) {
         OAuth2ClientAuthenticationToken clientAuthenticationToken = new OAuth2ClientAuthenticationToken(
                 registeredClient,
                 ClientAuthenticationMethod.CLIENT_SECRET_BASIC,
@@ -168,5 +123,9 @@ public void setClientAuthenticationContext(String clientId) {
         SecurityContextHolder.getContext().setAuthentication(clientAuthenticationToken);
     }
 
+    public void setAuthenticationValidator(Function<MultiValueMap<String, String>, CodeValidationResult> authenticationValidator) {
+        Assert.notNull(authenticationValidator, "authenticationValidator cannot be null");
+        this.authenticationValidator = authenticationValidator;
+    }
 }