Feature/OAuth config (#93)

Game-as-a-Service · Jun 5, 2023 · b117145 · b117145
1 parent d232f8e
commit b117145
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 61 deletions.
diff --git a/spring/pom.xml b/spring/pom.xml
@@ -54,6 +54,10 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-oauth2-client</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>

diff --git a/...tlin/tw/waterballsa/gaas/spring/configs/securities/CustomOAuthorizationRequestResolver.kt b/...tlin/tw/waterballsa/gaas/spring/configs/securities/CustomOAuthorizationRequestResolver.kt
@@ -114,7 +114,11 @@ class CustomOAuthorizationRequestResolver(
         val identityProviders = IdentityProvider.values().map { it.queryParam }
         val targetIdentityProvider = originalRequest.parameterMap["type"]?.find { it in identityProviders }
         authorizationRequestCustomizer = Consumer {
-            it.parameters { params -> params["connection"] = targetIdentityProvider ?: "google-oauth2" }
+            it.parameters { params ->
+                params["connection"] = targetIdentityProvider ?: "google-oauth2"
+                //To obtain a JWT token from Auth0, it is necessary to configure the audience for the access token.
+                params["audience"] = "https://api.gaas.waterballsa.tw"
+            }
         }
 
         return resolve(request, registrationId, redirectUriAction)!!

diff --git a/spring/src/main/kotlin/tw/waterballsa/gaas/spring/configs/securities/CustomSuccessHandler.kt b/spring/src/main/kotlin/tw/waterballsa/gaas/spring/configs/securities/CustomSuccessHandler.kt
@@ -0,0 +1,38 @@
+package tw.waterballsa.gaas.spring.configs.securities
+
+import org.springframework.beans.factory.annotation.Value
+import org.springframework.security.core.Authentication
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken
+import org.springframework.security.oauth2.core.oidc.user.OidcUser
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler
+import tw.waterballsa.gaas.application.usecases.CreateUserUseCase
+import javax.servlet.http.HttpServletRequest
+import javax.servlet.http.HttpServletResponse
+
+class CustomSuccessHandler(
+    private val authorizedClientService: OAuth2AuthorizedClientService,
+    private val createUserUseCase: CreateUserUseCase
+) : AuthenticationSuccessHandler {
+    @Value("\${frontend}")
+    private lateinit var frontendUrl: String
+
+    override fun onAuthenticationSuccess(
+        request: HttpServletRequest,
+        response: HttpServletResponse,
+        authentication: Authentication
+    ) {
+        authentication as OAuth2AuthenticationToken
+
+        val email = authentication.principal.let { it as OidcUser }.email
+        createUserUseCase.execute(CreateUserUseCase.Request(email))
+
+        val accessTokenValue = authorizedClientService.loadAuthorizedClient<OAuth2AuthorizedClient>(
+            authentication.authorizedClientRegistrationId,
+            authentication.name
+        )
+            .accessToken.tokenValue
+        response.sendRedirect("$frontendUrl/auth/token/$accessTokenValue")
+    }
+}
diff --git a/.../main/kotlin/tw/waterballsa/gaas/spring/configs/securities/IdTokenAuthenticationFilter.kt b/.../main/kotlin/tw/waterballsa/gaas/spring/configs/securities/IdTokenAuthenticationFilter.kt
diff --git a/spring/src/main/kotlin/tw/waterballsa/gaas/spring/configs/securities/SecurityConfig.kt b/spring/src/main/kotlin/tw/waterballsa/gaas/spring/configs/securities/SecurityConfig.kt
@@ -3,6 +3,7 @@ package tw.waterballsa.gaas.spring.configs.securities
 import org.springframework.context.annotation.Bean
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository
@@ -11,12 +12,15 @@ import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser
 import org.springframework.security.oauth2.core.oidc.user.OidcUser
 import org.springframework.security.web.AuthenticationEntryPoint
 import org.springframework.security.web.SecurityFilterChain
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler
+import tw.waterballsa.gaas.application.usecases.CreateUserUseCase
 import javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED
 
 @EnableWebSecurity
 class SecurityConfig(
     private val clientRegistrationRepository: ClientRegistrationRepository,
+    private val authorizedClientService: OAuth2AuthorizedClientService,
+    private val createUserUseCase: CreateUserUseCase
 ) {
 
     @Bean
@@ -29,7 +33,7 @@ class SecurityConfig(
             .anyRequest().authenticated()
             .and()
             .oauth2Login()
-            .defaultSuccessUrl("/login-successfully", true)
+            .successHandler(successHandler())
             .authorizationEndpoint()
             .authorizationRequestResolver(
                 CustomOAuthorizationRequestResolver(
@@ -41,14 +45,19 @@ class SecurityConfig(
             .userInfoEndpoint().oidcUserService(oidcUserService())
             .and()
             .and()
+            .oauth2ResourceServer().jwt().and()
+            .and()
             .exceptionHandling()
             .authenticationEntryPoint(redirectToLoginEndPoint())
-            .and()
-            .addFilterBefore(IdTokenAuthenticationFilter(clientRegistrationRepository), UsernamePasswordAuthenticationFilter::class.java)
 
         return http.build()
     }
 
+    @Bean
+    fun successHandler(): AuthenticationSuccessHandler{
+        return CustomSuccessHandler(authorizedClientService, createUserUseCase);
+    }
+
     private fun oidcUserService(): OAuth2UserService<OidcUserRequest, OidcUser> {
         val userService = OidcUserService()
         return OAuth2UserService { request: OidcUserRequest? ->

diff --git a/spring/src/main/resources/application-dev.yaml b/spring/src/main/resources/application-dev.yaml
@@ -27,6 +27,9 @@ spring:
             authorization-uri: https://dev-1l0ixjw8yohsluoi.us.auth0.com/authorize
             token-uri: https://dev-1l0ixjw8yohsluoi.us.auth0.com/oauth/token
             user-info-uri: https://dev-1l0ixjw8yohsluoi.us.auth0.com/oauth/userinfo
+      resourceserver:
+        jwt:
+          issuer-uri: https://dev-1l0ixjw8yohsluoi.us.auth0.com/
 
 server:
   port: 8087

diff --git a/spring/src/main/resources/application.yaml b/spring/src/main/resources/application.yaml
@@ -19,6 +19,9 @@ spring:
           auth0:
             # trailing slash is important!
             issuer-uri: https://dev-1l0ixjw8yohsluoi.us.auth0.com/
+      resourceserver:
+        jwt:
+          issuer-uri: https://dev-1l0ixjw8yohsluoi.us.auth0.com/
 
 frontend: https://lobby.gaas.waterballsa.tw