diff --git a/samples/boot/oauth2resourceserver-webflux/README.adoc b/samples/boot/oauth2resourceserver-webflux/README.adoc new file mode 100644 index 0000000000..1960829a03 --- /dev/null +++ b/samples/boot/oauth2resourceserver-webflux/README.adoc @@ -0,0 +1,169 @@ += OAuth 2.0 Resource Server Sample + +This sample demonstrates integrations with a handful of different authorization servers. + +With it, you can run the integration tests or run the application as a stand-alone service to explore how you can +secure your own service with OAuth 2.0 Bearer Tokens using Spring Security. + +== 1. Running the tests + +To run the tests, do: + +```bash +../../../gradlew integrationTest +``` + +Or import the project into your IDE and run `OAuth2ResourceServerApplicationTests` from there. + +=== What is it doing? + +By default, the tests are pointing at a demonstration Okta instance. The test that performs a valid round trip does so +by querying the Okta Authorization Server using the client_credentials grant type to get a valid JWT token. Then, the test +makes a query to the Resource Server with that token. The Resource Server subsquently verifies with Okta and +authorizes the request, returning the phrase + +```bash +Hello, {subject}! +``` + +where subject is the value of the `sub` field in the JWT returned by the Authorization Server. + +== 2. Running the app + +To run as a stand-alone application, do: + +```bash +../../../gradlew bootRun +``` + +Or import the project into your IDE and run `OAuth2ResourceServerApplication` from there. + +Once it is up, you can retreive a valid JWT token from the authorization server, and then hit the endpoint: + +```bash +curl -H "Authorization: Bearer {token}" localhost:8081 +``` + +Which will respond with the phrase: + +```bash +Hello, {subject}! +``` + +where `subject` is the value of the `sub` field in the JWT returned by the Authorization Server. + +=== How do I obtain a valid JWT token? + +Getting a valid JWT token from an Authorization Server will vary, depending on your setup. However, it will typically +look something like this: + +```bash +curl --user {client id}:{client password} -d "grant_type=client_credentials" {auth server endpoint}/token +``` + +which will respond with a JSON payload containing the `access_token` among other things: + +```bash +{ "access_token" : "{the access token}", "token_type" : "Bearer", "expires_in" : "{an expiry}", "scope" : "{a list of scopes}" } +``` + +For example, the following can be used to hit the sample Okta endpoint for a valid JWT token: + +```bash +curl --user 0oaf5u5g4m6CW4x6z0h7:HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv -d "grant_type=client_credentials" https://dev-805262.oktapreview.com/oauth2/default/v1/token +``` + +Which will give a response similar to this (formatting mine): + +```json +{ + "access_token": "eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ", + "token_type": "Bearer", + "expires_in": 3600, + "scope": "ok" +} +``` + +Then, using that access token: + +```bash +curl -H "Authorization: Bearer eyJraWQiOiJFRjBFWDFFWHZGc1hGaDhuYkRGazNJN0hMUDBsZnJnc0JKMVdBWmkwRmI0IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULmtQSUdfMEVMQmM3NVFMN3c4ZHBMVFRtNXZFVFd3d1R2dzJ3aXNISGRMbjgiLCJpc3MiOiJodHRwczovL2Rldi04MDUyNjIub2t0YXByZXZpZXcuY29tL29hdXRoMi9kZWZhdWx0IiwiYXVkIjoicmVzb3VyY2Utc2VydmVyIiwiaWF0IjoxNTI4ODYwMTkxLCJleHAiOjE1Mjg4NjM3OTEsImNpZCI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3Iiwic2NwIjpbIm9rIl0sInN1YiI6IjBvYWY1dTVnNG02Q1c0eDZ6MGg3In0.G_F9MQ3pqCy-YwfcNhryoPG5E1q4tQ7gV8OIDizR3QouUgrqT7MQsLQCTtGGLF2Fi0qq0Pr-V-wWa2MkyvcboEAhnfYi4rd3UmMrRTrNana6pVZjVWB_uj88-mZ57lFRnoYMCFbepmCxmY6D6p354H964xXWdtY7d6fw7F88DRDWMGQE0iQjMuUDg4izptVcK9db7uMonYTT1PFvOBQfwcn1zCeDVQgZFe7gjQA71CV9M6CIAXYDrpzp_hs95xco7Q3ncN3J7ZkCebLcUL6MdJS2nVuX6D6eC9PrtmCj06mb0-ydlzBSIUCPMaMQk9EhlEM_qK3d1iimCQnwo6KsIQ" \ + localhost:8081 +``` + +I get: + +```bash +Hello, 0oaf5u5g4m6CW4x6z0h7! +``` + +== 3. Testing against other Authorization Servers + +The sample is already prepared to demonstrate integrations with a handful of other Authorization Servers. Do exercise +one, simply uncomment two commented out sections, both in the application.yml file: + +```yaml +spring: + security: + oauth2: + resourceserver: + issuer: +``` + +First, find the above section in the application.yml. Beneath it, you will see sections for each Authorization Server +already prepared with the one for Okta commented out: + +```yaml +# master: #keycloak +# issuer: http://localhost:8080/auth/realms/master +# jwk-set-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/certs + okta: + issuer: https://dev-805262.oktapreview.com/oauth2/default + jwk-set-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/keys +``` + +Comment out the `okta` section and uncomment the desired section. + +Second, find the following section, which the sample needs in order to retreive a valid token from the Authorization +Server: + +```yaml +# ### keycloak +# token-uri: http://localhost:8080/auth/realms/master/protocol/openid-connect/token +# token-body: +# grant_type: client_credentials +# client-id: service +# client-password: 9114712b-be55-4dab-b270-04734abda1c4 +# container: +# config-file-name: keycloak.config +# docker-file-name: keycloak.docker + ### okta + token-uri: https://dev-805262.oktapreview.com/oauth2/default/v1/token + token-body: + grant_type: client_credentials + client-id: 0oaf5u5g4m6CW4x6z0h7 + client-password: HR7edRoo3glhF06HTxonOKZvO4I2BWYcC_ocOHlv +``` + +Comment out the `okta` section and uncomment the desired section. + +=== How can I test with my own Authorization Server instance? + +To test with your own Okta or other Authorization Server instance, simply provide the following information: + +```yaml +spring.security.oauth2.resourceserver.issuer.name.uri: the issuer uri +spring.security.oauth2.resourceserver.issuer.name.jwk-set-uri: the jwk key uri +``` + +And indicate, using the sample.provider properties, how the sample should generate a valid JWT token: + +```yaml +sample.provider.token-uri: the token endpoint +sample.provider.token-body.grant_type: the grant to use +sample.provider.token-body.another_property: another_value +sample.provider.client-id: the client id +sample.provider.client-password: the client password, only required for confidential clients +``` + +You can provide values for any OAuth 2.0-compliant Authorization Server. diff --git a/samples/boot/oauth2resourceserver-webflux/spring-security-samples-boot-oauth2resourceserver-webflux.gradle b/samples/boot/oauth2resourceserver-webflux/spring-security-samples-boot-oauth2resourceserver-webflux.gradle new file mode 100644 index 0000000000..cf0d0d6202 --- /dev/null +++ b/samples/boot/oauth2resourceserver-webflux/spring-security-samples-boot-oauth2resourceserver-webflux.gradle @@ -0,0 +1,15 @@ +apply plugin: 'io.spring.convention.spring-sample-boot' + +dependencies { + compile project(':spring-security-config') + compile project(':spring-security-oauth2-jose') + compile project(':spring-security-oauth2-client') + compile project(':spring-security-oauth2-resource-server') + + compile 'org.springframework.boot:spring-boot-starter-webflux' + + testCompile project(':spring-security-test') + testCompile 'org.springframework.boot:spring-boot-starter-test' + + testCompile 'com.squareup.okhttp3:mockwebserver' +} diff --git a/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/OAuth2ResourceServerController.java b/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/OAuth2ResourceServerController.java new file mode 100644 index 0000000000..7024f39f90 --- /dev/null +++ b/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/OAuth2ResourceServerController.java @@ -0,0 +1,33 @@ +/* + * Copyright 2002-2018 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package sample; + +import org.springframework.security.core.annotation.AuthenticationPrincipal; +import org.springframework.security.oauth2.jwt.Jwt; +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RestController; + +/** + * @author Josh Cummings + */ +@RestController +public class OAuth2ResourceServerController { + + @GetMapping("/") + public String index(@AuthenticationPrincipal Jwt jwt) { + return String.format("Hello, %s!", jwt.getSubject()); + } +} diff --git a/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/SecurityConfig.java b/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/SecurityConfig.java new file mode 100644 index 0000000000..f8ce3b3de0 --- /dev/null +++ b/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/SecurityConfig.java @@ -0,0 +1,78 @@ +/* + * Copyright 2002-2018 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package sample; + +import org.springframework.beans.factory.annotation.Value; +import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; +import org.springframework.context.annotation.Bean; +import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity; +import org.springframework.security.config.web.server.ServerHttpSecurity; +import org.springframework.security.web.server.SecurityWebFilterChain; + +import java.math.BigInteger; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.interfaces.RSAPublicKey; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.RSAPublicKeySpec; + +/** + * @author Rob Winch + * @since 5.1 + */ +@EnableWebFluxSecurity +public class SecurityConfig { + private static final String JWK_SET_URI_PROP = "sample.jwk-set-uri"; + + @Bean + @ConditionalOnProperty(SecurityConfig.JWK_SET_URI_PROP) + SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, @Value("${sample.jwk-set-uri}") String jwkSetUri) throws Exception { + http + .authorizeExchange() + .anyExchange().authenticated() + .and() + .oauth2() + .resourceServer() + .jwt() + .jwkSetUri(jwkSetUri); + return http.build(); + } + + @Bean + @ConditionalOnProperty(matchIfMissing = true, name = SecurityConfig.JWK_SET_URI_PROP) + SecurityWebFilterChain springSecurityFilterChainWithJwkSetUri(ServerHttpSecurity http) throws Exception { + http + .authorizeExchange() + .anyExchange().authenticated() + .and() + .oauth2() + .resourceServer() + .jwt() + .publicKey(publicKey()); + return http.build(); + } + + private RSAPublicKey publicKey() + throws NoSuchAlgorithmException, InvalidKeySpecException { + String modulus = "21301844740604653578042500449274548398885553541276518010855123403873267398204269788903348794459771698460057967144865511347818036788093430902099139850950702438493841101242291810362822203615900335437741117578551216365305797763072813300890517195382010982402736091906390325356368590938709762826676219814134995844721978269999358693499223506089799649124650473473086179730568497569430199548044603025675755473148289824338392487941265829853008714754732175256733090080910187256164496297277607612684421019218165083081805792835073696987599616469568512360535527950859101589894643349122454163864596223876828010734083744763850611111"; + String exponent = "65537"; + + RSAPublicKeySpec spec = new RSAPublicKeySpec(new BigInteger(modulus), new BigInteger(exponent)); + KeyFactory factory = KeyFactory.getInstance("RSA"); + return (RSAPublicKey) factory.generatePublic(spec); + } +} diff --git a/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/ServerOAuth2ResourceServerApplication.java b/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/ServerOAuth2ResourceServerApplication.java new file mode 100644 index 0000000000..3061103fbc --- /dev/null +++ b/samples/boot/oauth2resourceserver-webflux/src/main/java/sample/ServerOAuth2ResourceServerApplication.java @@ -0,0 +1,30 @@ +/* + * Copyright 2002-2018 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package sample; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +/** + * @author Rob Winch + */ +@SpringBootApplication +public class ServerOAuth2ResourceServerApplication { + + public static void main(String[] args) { + SpringApplication.run(ServerOAuth2ResourceServerApplication.class, args); + } +} diff --git a/samples/boot/oauth2resourceserver-webflux/src/main/resources/application.yml b/samples/boot/oauth2resourceserver-webflux/src/main/resources/application.yml new file mode 100644 index 0000000000..cf18ae712d --- /dev/null +++ b/samples/boot/oauth2resourceserver-webflux/src/main/resources/application.yml @@ -0,0 +1,11 @@ +logging: + level: + root: INFO + org.springframework.web: INFO + org.springframework.security: INFO +# org.springframework.boot.autoconfigure: DEBUG + +sample: +# By default this sample uses a hard coded public key in SecurityConfig +# To use a JWK Set URI, uncomment and change the value below +# jwk-set-uri: https://example.com/oauth2/default/v1/keys diff --git a/samples/boot/oauth2resourceserver-webflux/src/test/java/sample/ServerOauth2ResourceApplicationTests.java b/samples/boot/oauth2resourceserver-webflux/src/test/java/sample/ServerOauth2ResourceApplicationTests.java new file mode 100644 index 0000000000..7c8dce252e --- /dev/null +++ b/samples/boot/oauth2resourceserver-webflux/src/test/java/sample/ServerOauth2ResourceApplicationTests.java @@ -0,0 +1,78 @@ +/* + * Copyright 2002-2018 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package sample; + +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.http.HttpHeaders; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; +import org.springframework.test.web.reactive.server.WebTestClient; + +import static org.springframework.security.web.http.SecurityHeaders.bearerToken; + +/** + * @author Rob Winch + * @since 5.1 + */ +@SpringBootTest +@AutoConfigureWebTestClient +@RunWith(SpringJUnit4ClassRunner.class) +public class ServerOauth2ResourceApplicationTests { + @Autowired + private WebTestClient rest; + + @Test + public void getWhenValidTokenThenIsOk() { + String token = "eyJhbGciOiJSUzI1NiJ9.eyJzY29wZSI6Im1lc3NhZ2U6cmVhZCIsImV4cCI6MzEwNjMyODEzMSwianRpIjoiOGY5ZjFiYzItOWVlMi00NTJkLThhMGEtODg3YmE4YmViYjYzIn0.CM_KulSsIrNXW1x6NFeN5VwKQiIW-LIAScJzakRFDox8Ql7o4WOb0ubY3CjWYnglwqYzBvH9McCFqVrUtzdfODY5tyEEJSxWndIGExOi2osrwRPsY3AGzNa23GMfC9I03BFP1IFCq4ZfL-L6yVcIjLke-rA40UG-r-oA7r-N_zsLc5poO7Azf29IQgQF0GSRp4AKQprYHF5Q-Nz9XkILMDz9CwPQ9cbdLCC9smvaGmEAjMUr-C1QgM-_ulb42gWtRDLorW_eArg8g-fmIP0_w82eNWCBjLTy-WaDMACnDVrrUVsUMCqx6jS6h8_uejKly2NFuhyueIHZTTySqCZoTA"; + this.rest.get().uri("/") + .headers(bearerToken(token)) + .exchange() + .expectStatus().isOk() + .expectBody(String.class).isEqualTo("Hello, null!"); + } + + @Test + public void getWhenNoTokenThenIsUnauthorized() { + this.rest.get().uri("/") + .exchange() + .expectStatus().isUnauthorized() + .expectHeader().valueEquals(HttpHeaders.WWW_AUTHENTICATE, "Bearer"); + } + + @Test + public void getWhenNone() { + String token = "ew0KICAiYWxnIjogIm5vbmUiLA0KICAidHlwIjogIkpXVCINCn0.ew0KICAic3ViIjogIjEyMzQ1Njc4OTAiLA0KICAibmFtZSI6ICJKb2huIERvZSIsDQogICJpYXQiOiAxNTE2MjM5MDIyDQp9."; + this.rest.get().uri("/") + .headers(bearerToken(token)) + .exchange() + .expectStatus().isUnauthorized() + .expectHeader().valueEquals(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"invalid_token\", error_description=\"Unsupported algorithm of none\", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\""); + } + + @Test + public void getWhenInvalidToken() { + String token = "a"; + this.rest.get().uri("/") + .headers(bearerToken(token)) + .exchange() + .expectStatus().isUnauthorized() + .expectHeader().valueEquals(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"invalid_token\", error_description=\"An error occurred while attempting to decode the Jwt: Invalid JWT serialization: Missing dot delimiter(s)\", error_uri=\"https://tools.ietf.org/html/rfc6750#section-3.1\""); + } +}