Enhance samples to call UserInfo endpoint

Closes gh-847
2022-08-16 10:11:30 -04:00
parent 2e07ce8b8f
commit ce0d1b7b1e
6 changed files with 41 additions and 5 deletions
--- a/samples/custom-consent-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
+++ b/samples/custom-consent-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@@ -28,14 +28,17 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.InMemoryOAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ProviderSettings;
@@ -72,6 +75,7 @@ public class AuthorizationServerConfig {
 			.exceptionHandling(exceptions ->
 				exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
 			)
+			.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
 			.apply(authorizationServerConfigurer);
 		return http.build();
 	}
@@ -89,6 +93,7 @@ public class AuthorizationServerConfig {
 				.redirectUri("http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc")
 				.redirectUri("http://127.0.0.1:8080/authorized")
 				.scope(OidcScopes.OPENID)
+				.scope(OidcScopes.PROFILE)
 				.scope("message.read")
 				.scope("message.write")
 				.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
@@ -104,6 +109,11 @@ public class AuthorizationServerConfig {
 		return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
 	}

+	@Bean
+	public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
+		return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+	}
+
 	@Bean
 	public ProviderSettings providerSettings() {
 		return ProviderSettings.builder().issuer("http://localhost:9000").build();
--- a/samples/custom-consent-authorizationserver/src/main/java/sample/web/AuthorizationConsentController.java
+++ b/samples/custom-consent-authorizationserver/src/main/java/sample/web/AuthorizationConsentController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 the original author or authors.
+ * Copyright 2020-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -23,6 +23,7 @@ import java.util.Map;
 import java.util.Set;

 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
@@ -66,6 +67,9 @@ public class AuthorizationConsentController {
 			authorizedScopes = Collections.emptySet();
 		}
 		for (String requestedScope : StringUtils.delimitedListToStringArray(scope, " ")) {
+			if (OidcScopes.OPENID.equals(requestedScope)) {
+				continue;
+			}
 			if (authorizedScopes.contains(requestedScope)) {
 				previouslyApprovedScopes.add(requestedScope);
 			} else {
@@ -95,6 +99,10 @@ public class AuthorizationConsentController {
 		private static final String DEFAULT_DESCRIPTION = "UNKNOWN SCOPE - We cannot provide information about this permission, use caution when granting this.";
 		private static final Map<String, String> scopeDescriptions = new HashMap<>();
 		static {
+			scopeDescriptions.put(
+					OidcScopes.PROFILE,
+					"This application will be able to read your profile information."
+			);
 			scopeDescriptions.put(
 					"message.read",
 					"This application will be able to read your message."
--- a/samples/custom-consent-authorizationserver/src/test/java/sample/CustomConsentAuthorizationServerTests.java
+++ b/samples/custom-consent-authorizationserver/src/test/java/sample/CustomConsentAuthorizationServerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2021 the original author or authors.
+ * Copyright 2020-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -95,7 +95,7 @@ public class CustomConsentAuthorizationServerTests {
 			assertThat(scope.isChecked()).isTrue();
 			scopeIds.add(scope.getId());
 		});
-		assertThat(scopeIds).containsExactlyInAnyOrder("openid", "message.read", "message.write");
+		assertThat(scopeIds).containsExactlyInAnyOrder("message.read", "message.write");

 		DomElement submitConsentButton = consentPage.querySelector("button[id='submit-consent']");
 		this.webClient.getOptions().setRedirectEnabled(false);
--- a/samples/default-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
+++ b/samples/default-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@@ -32,9 +32,11 @@ import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
@@ -63,7 +65,8 @@ public class AuthorizationServerConfig {
 		http
 			.exceptionHandling(exceptions ->
 				exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
-			);
+			)
+			.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
 		// @formatter:on
 		return http.build();
 	}
@@ -81,6 +84,7 @@ public class AuthorizationServerConfig {
 				.redirectUri("http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc")
 				.redirectUri("http://127.0.0.1:8080/authorized")
 				.scope(OidcScopes.OPENID)
+				.scope(OidcScopes.PROFILE)
 				.scope("message.read")
 				.scope("message.write")
 				.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
@@ -111,6 +115,11 @@ public class AuthorizationServerConfig {
 		return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
 	}

+	@Bean
+	public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
+		return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+	}
+
 	@Bean
 	public ProviderSettings providerSettings() {
 		return ProviderSettings.builder().issuer("http://localhost:9000").build();
--- a/samples/federated-identity-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
+++ b/samples/federated-identity-authorizationserver/src/main/java/sample/config/AuthorizationServerConfig.java
@@ -34,9 +34,11 @@ import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
 import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
@@ -62,6 +64,7 @@ public class AuthorizationServerConfig {
 	@Order(Ordered.HIGHEST_PRECEDENCE)
 	public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
 		OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+		http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
 		http.apply(new FederatedIdentityConfigurer());
 		return http.build();
 	}
@@ -84,6 +87,7 @@ public class AuthorizationServerConfig {
 				.redirectUri("http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc")
 				.redirectUri("http://127.0.0.1:8080/authorized")
 				.scope(OidcScopes.OPENID)
+				.scope(OidcScopes.PROFILE)
 				.scope("message.read")
 				.scope("message.write")
 				.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
@@ -114,6 +118,11 @@ public class AuthorizationServerConfig {
 		return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
 	}

+	@Bean
+	public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
+		return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+	}
+
 	@Bean
 	public ProviderSettings providerSettings() {
 		return ProviderSettings.builder().issuer("http://localhost:9000").build();
--- a/samples/messages-client/src/main/resources/application.yml
+++ b/samples/messages-client/src/main/resources/application.yml
@@ -22,7 +22,7 @@ spring:
            client-secret: secret
            authorization-grant-type: authorization_code
            redirect-uri: "http://127.0.0.1:8080/login/oauth2/code/{registrationId}"
-            scope: openid
+            scope: openid, profile
            client-name: messaging-client-oidc
          messaging-client-authorization-code:
            provider: spring