Introspect endpoint Authorization Server support

jzheaux · jzheaux · commit c59d40593b4f · 2019-02-07T12:40:12.000-07:00
Issue: gh-5200
diff --git a/samples/boot/oauth2authorizationserver/src/main/java/sample/AuthorizationServerConfiguration.java b/samples/boot/oauth2authorizationserver/src/main/java/sample/AuthorizationServerConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2019 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,12 +21,15 @@
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.RSAPrivateKeySpec;
 import java.security.spec.RSAPublicKeySpec;
+import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
+import java.util.stream.Collectors;
 
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
 
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.authentication.AuthenticationManager;
@@ -37,18 +40,23 @@
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
 import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
 import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
 import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
+import org.springframework.security.oauth2.provider.OAuth2Authentication;
 import org.springframework.security.oauth2.provider.endpoint.FrameworkEndpoint;
 import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
 import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
 import org.springframework.security.oauth2.provider.token.TokenStore;
+import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;
 import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
 import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.ResponseBody;
 
 /**
@@ -66,17 +74,20 @@
  */
 @EnableAuthorizationServer
 @Configuration
-public class JwkSetConfiguration extends AuthorizationServerConfigurerAdapter {
+public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
 
 	AuthenticationManager authenticationManager;
 	KeyPair keyPair;
+	boolean jwtEnabled;
 
-	public JwkSetConfiguration(
+	public AuthorizationServerConfiguration(
 			AuthenticationConfiguration authenticationConfiguration,
-			KeyPair keyPair) throws Exception {
+			KeyPair keyPair,
+			@Value("${security.oauth2.authorizationserver.jwt.enabled:true}") boolean jwtEnabled) throws Exception {
 
 		this.authenticationManager = authenticationConfiguration.getAuthenticationManager();
 		this.keyPair = keyPair;
+		this.jwtEnabled = jwtEnabled;
 	}
 
 	@Override
@@ -94,23 +105,37 @@ public void configure(ClientDetailsServiceConfigurer clients)
 				.authorizedGrantTypes("password")
 				.secret("{noop}secret")
 				.scopes("message:write")
+				.accessTokenValiditySeconds(600_000_000)
+				.and()
+			.withClient("noscopes")
+				.authorizedGrantTypes("password")
+				.secret("{noop}secret")
+				.scopes("none")
 				.accessTokenValiditySeconds(600_000_000);
 		// @formatter:on
 	}
 
 	@Override
-	public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
+	public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
 		// @formatter:off
 		endpoints
 			.authenticationManager(this.authenticationManager)
-			.accessTokenConverter(accessTokenConverter())
 			.tokenStore(tokenStore());
+
+		if (this.jwtEnabled) {
+			endpoints
+				.accessTokenConverter(accessTokenConverter());
+		}
 		// @formatter:on
 	}
 
 	@Bean
 	public TokenStore tokenStore() {
-		return new JwtTokenStore(accessTokenConverter());
+		if (this.jwtEnabled) {
+			return new JwtTokenStore(accessTokenConverter());
+		} else {
+			return new InMemoryTokenStore();
+		}
 	}
 
 	@Bean
@@ -137,7 +162,11 @@ protected void configure(HttpSecurity http) throws Exception {
 		http
 			.authorizeRequests()
 				.mvcMatchers("/.well-known/jwks.json").permitAll()
-				.anyRequest().authenticated();
+				.anyRequest().authenticated()
+				.and()
+			.httpBasic()
+				.and()
+			.csrf().ignoringRequestMatchers(request -> "/introspect".equals(request.getRequestURI()));
 	}
 
 	@Bean
@@ -152,6 +181,41 @@ public UserDetailsService userDetailsService() {
 	}
 }
 
+/**
+ * Legacy Authorization Server (spring-security-oauth2) does not support any
+ * Token Introspection endpoint.
+ *
+ * This class adds ad-hoc support in order to better support the other samples in the repo.
+ */
+@FrameworkEndpoint
+class IntrospectEndpoint {
+	TokenStore tokenStore;
+
+	public IntrospectEndpoint(TokenStore tokenStore) {
+		this.tokenStore = tokenStore;
+	}
+
+	@PostMapping("/introspect")
+	@ResponseBody
+	public Map<String, Object> introspect(@RequestParam("token") String token) {
+		OAuth2AccessToken accessToken = this.tokenStore.readAccessToken(token);
+		Map<String, Object> attributes = new HashMap<>();
+		if (accessToken == null || accessToken.isExpired()) {
+			attributes.put("active", false);
+			return attributes;
+		}
+
+		OAuth2Authentication authentication = this.tokenStore.readAuthentication(token);
+
+		attributes.put("active", true);
+		attributes.put("exp", accessToken.getExpiration().getTime());
+		attributes.put("scope", accessToken.getScope().stream().collect(Collectors.joining(" ")));
+		attributes.put("sub", authentication.getName());
+
+		return attributes;
+	}
+}
+
 /**
  * Legacy Authorization Server (spring-security-oauth2) does not support any
  * <a href target="_blank" href="https://tools.ietf.org/html/rfc7517#section-5">JWK Set</a> endpoint.
diff --git a/samples/boot/oauth2authorizationserver/src/main/resources/application.yml b/samples/boot/oauth2authorizationserver/src/main/resources/application.yml
@@ -1 +1,3 @@
 server.port: 8081
+
+# security.oauth2.authorizationserver.jwt.enabled: false

Original file line number	Diff line number	Diff line change
`@@ -1 +1,3 @@`
`1`	`1`	`server.port: 8081`
	`2`	`+`
	`3`	`+# security.oauth2.authorizationserver.jwt.enabled: false`