From 496241dd0fddb003a9bb7a93628f4b389d8d9a23 Mon Sep 17 00:00:00 2001
From: David Polach
Date: Mon, 16 Sep 2024 22:40:32 +0200
Subject: [PATCH] SUB in ID token is memberId

---
 .../LoginPageSecurityConfiguration.java | 2 -
 .../config/authserver/TokenConfiguration.java | 94 ++++++++++---------
 backend/src/main/resources/application.yml | 5 +-
 3 files changed, 52 insertions(+), 49 deletions(-)

diff --git a/backend/src/main/java/club/klabis/config/authserver/LoginPageSecurityConfiguration.java b/backend/src/main/java/club/klabis/config/authserver/LoginPageSecurityConfiguration.java
index 9ec12d0..5fb3146 100644
--- a/backend/src/main/java/club/klabis/config/authserver/LoginPageSecurityConfiguration.java
+++ b/backend/src/main/java/club/klabis/config/authserver/LoginPageSecurityConfiguration.java
@@ -13,8 +13,6 @@ import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
-import static org.springframework.security.config.Customizer.withDefaults;
-
 @EnableWebSecurity
 @Configuration(proxyBeanMethods = false)
 public class LoginPageSecurityConfiguration {
diff --git a/backend/src/main/java/club/klabis/config/authserver/TokenConfiguration.java b/backend/src/main/java/club/klabis/config/authserver/TokenConfiguration.java
index 99f5ada..f19ef81 100644
--- a/backend/src/main/java/club/klabis/config/authserver/TokenConfiguration.java
+++ b/backend/src/main/java/club/klabis/config/authserver/TokenConfiguration.java
@@ -1,6 +1,9 @@
 package club.klabis.config.authserver;
 import club.klabis.config.authserver.generatejwtkeys.JKWKeyGenerator;
+import club.klabis.domain.appusers.ApplicationUser;
+import club.klabis.domain.appusers.ApplicationUsersRepository;
+import club.klabis.domain.members.MembersRepository;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
@@ -8,16 +11,13 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.ClassPathResource;
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
-import org.springframework.security.oauth2.server.authorization.token.*;
-import org.springframework.util.StringUtils;
+import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
+import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import java.io.IOException;
 import java.text.ParseException;
-import java.util.stream.Collectors;
 @Configuration(proxyBeanMethods = false)
 public class TokenConfiguration {
@@ -29,47 +29,51 @@ public JWKSource jwkSource() throws IOException, ParseException
 System.out.println(jwkSet.toString());
 return new ImmutableJWKSet<>(jwkSet);
 }
-//
-// @Bean
-// public OAuth2TokenGenerator tokenGenerator(
-// OAuth2TokenCustomizer accessTokenCustomizer, JwtGenerator jwtgenerator
-// ) {
-// OAuth2AccessTokenGenerator accessTokenGenerator = new OAuth2AccessTokenGenerator();
-// accessTokenGenerator.setAccessTokenCustomizer(accessTokenCustomizer);
-// OAuth2RefreshTokenGenerator refreshTokenGenerator = new OAuth2RefreshTokenGenerator();
-//
-// return new DelegatingOAuth2TokenGenerator(
-// jwtgenerator, accessTokenGenerator, refreshTokenGenerator
-// );
-// }
 @Bean
- public OAuth2TokenCustomizer accessTokenCustomizer() {
- return context -> {
- UserDetails userDetails = null;
-
- if (context.getPrincipal() instanceof OAuth2ClientAuthenticationToken) {
- userDetails = (UserDetails) context.getPrincipal().getDetails();
- } else if (context.getPrincipal() instanceof AbstractAuthenticationToken) {
- userDetails = (UserDetails) context.getPrincipal().getPrincipal();
- } else {
- throw new IllegalStateException("Unexpected token type");
- }
-
- if (!StringUtils.hasText(userDetails.getUsername())) {
- throw new IllegalStateException("Bad UserDetails, username is empty");
+ public OAuth2TokenCustomizer jwtTokenCustomizer(
+ ApplicationUsersRepository appusersRepository, MembersRepository membersRepository) {
+ return (context) -> {
+ if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
+ appusersRepository.findByUserName(context.getPrincipal().getName()).flatMap(ApplicationUser::getMemberId).ifPresent(memberId -> {
+ context.getClaims().claim(StandardClaimNames.PREFERRED_USERNAME, context.getPrincipal().getName());
+ context.getClaims().claim(StandardClaimNames.SUB, memberId);
+ membersRepository.findById(memberId).ifPresent(existingMember -> {
+ context.getClaims().claim(StandardClaimNames.GIVEN_NAME, existingMember.getFirstName());
+ context.getClaims().claim(StandardClaimNames.FAMILY_NAME, existingMember.getLastName());
+ });
+ });
 }
-
- context.getClaims()
- .claim(
- "authorities",
- userDetails.getAuthorities().stream()
- .map(GrantedAuthority::getAuthority)
- .collect(Collectors.toSet())
- )
- .claim(
- "username", userDetails.getUsername()
- );
 };
 }
+
+// @Bean
+// public OAuth2TokenCustomizer opaqueTokenCustomizer() {
+// return context -> {
+// UserDetails userDetails = null;
+//
+// if (context.getPrincipal() instanceof OAuth2ClientAuthenticationToken) {
+// userDetails = (UserDetails) context.getPrincipal().getDetails();
+// } else if (context.getPrincipal() instanceof AbstractAuthenticationToken) {
+// userDetails = (UserDetails) context.getPrincipal().getPrincipal();
+// } else {
+// throw new IllegalStateException("Unexpected token type");
+// }
+//
+// if (!StringUtils.hasText(userDetails.getUsername())) {
+// throw new IllegalStateException("Bad UserDetails, username is empty");
+// }
+//
+// context.getClaims()
+// .claim(
+// "authorities",
+// userDetails.getAuthorities().stream()
+// .map(GrantedAuthority::getAuthority)
+// .collect(Collectors.toSet())
+// )
+// .claim(
+// "username", userDetails.getUsername()
+// );
+// };
+// }
 }
\ No newline at end of file
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index c3a04c1..e714b9c 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
@@ -120,8 +120,9 @@ spring:
 client-secret: ${GOOGLE_CLIENT_SECRET}
 scope:
 - openid
- - profile
- - email
+ # - profile
+ # - email
+
 # facebook:
 # client-id:
 # client-secret:
6fb95f47d2e27faf28fff9ac93d28184
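Review bot: In jwtTokenCustomizer the `sub` override is silently skipped when `findByUserName` returns empty or the application user has no member id, so such logins still receive Spring Authorization Server's default subject (the principal name) and relying parties end up with two identifier namespaces under one claim, with the behaviour for accounts that are not members left undefined. Make that policy explicit, e.g. end the lookup with `.orElseThrow(() -> new IllegalStateException("no member id for principal " + context.getPrincipal().getName()))` so issuance fails loudly, or state in a comment on the `ifPresent` that non-member accounts keep the username as `sub` and ensure member ids cannot collide with usernames. OIDC defines `sub` as a string and the hunk does not show what type `getMemberId()` yields, so if it is not a String pass `String.valueOf(memberId)` to `claim(StandardClaimNames.SUB, ...)`. Because the branch runs only for `OidcParameterNames.ID_TOKEN`, a JWT access token issued in the same flow keeps the default subject, so a resource server correlating the two tokens by `sub` will see different values — worth a comment on the `if` if that is intended. The old `opaqueTokenCustomizer` body is carried as a commented-out block at the end of the class; it is preserved in history, so delete it, and the `System.out.println(jwkSet.toString())` context line at the top of the hunk (inside jwkSource, which starts outside the hunk) should be a debug-level log at most.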