Add Opaque Token Validation Support for Servlet Web Application Type

integration-tests/oauth2/src/test/groovy/com/okta/spring/tests/oauth2/implicit/ImplicitRemoteValidationGroupIT.groovy

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2020-Present Okta, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.okta.spring.tests.oauth2.implicit
+
+import com.okta.test.mock.Scenario
+import com.okta.test.mock.application.ApplicationTestRunner
+import org.hamcrest.Matchers
+import org.testng.annotations.Test
+
+import static com.okta.test.mock.scenarios.Scenario.IMPLICIT_FLOW_REMOTE_VALIDATION
+import static io.restassured.RestAssured.given
+
+@Scenario(IMPLICIT_FLOW_REMOTE_VALIDATION)
+class ImplicitRemoteValidationGroupIT extends ApplicationTestRunner {
+
+    private final static String ERROR_401 = "401 Unauthorized"
+
+    @Test
+    void groupAccessTest() {
+        given()
+            .header("Authorization", "Bearer ${IMPLICIT_FLOW_REMOTE_VALIDATION.definition.accessTokenJwt}")
+            .redirects()
+                .follow(false)
+        .when()
+            .get("http://localhost:${applicationPort}/everyone")
+        .then()
+            .statusCode(200)
+            .body(Matchers.equalTo("Everyone has Access: [email protected]"))
+    }
+
+}

oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2Configurer.java

@@ -20,11 +20,11 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
-import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.converter.FormHttpMessageConverter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
@@ -33,14 +33,19 @@
 import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
 import org.springframework.web.client.RestTemplate;
 
+import java.lang.reflect.Field;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.Arrays;
+import java.util.Optional;
 
 import static org.springframework.util.StringUtils.isEmpty;
 
 final class OktaOAuth2Configurer extends AbstractHttpConfigurer<OktaOAuth2Configurer, HttpSecurity> {
 
     private static final Logger log = LoggerFactory.getLogger(OktaOAuth2Configurer.class);
 
+    @SuppressWarnings("rawtypes")
     @Override
     public void init(HttpSecurity http) throws Exception {
 
@@ -50,6 +55,8 @@ public void init(HttpSecurity http) throws Exception {
         if (!context.getBeansOfType(OktaOAuth2Properties.class).isEmpty()) {
             OktaOAuth2Properties oktaOAuth2Properties = context.getBean(OktaOAuth2Properties.class);
 
+            // Auth Code Flow Config
+
             // if OAuth2ClientProperties bean is not available do NOT configure
             if (!context.getBeansOfType(OAuth2ClientProperties.class).isEmpty()
                 && !isEmpty(oktaOAuth2Properties.getIssuer())
@@ -61,26 +68,73 @@ public void init(HttpSecurity http) throws Exception {
                 if (!context.getBeansOfType(OidcClientInitiatedLogoutSuccessHandler.class).isEmpty()) {
                     http.logout().logoutSuccessHandler(context.getBean(OidcClientInitiatedLogoutSuccessHandler.class));
                 }
-
             } else {
                 log.debug("OAuth/OIDC Login not configured due to missing issuer, client-id, or client-secret property");
             }
 
-            // resource server configuration
-            if (!context.getBeansOfType(OAuth2ResourceServerProperties.class).isEmpty()) {
-                OAuth2ResourceServerProperties resourceServerProperties = context.getBean(OAuth2ResourceServerProperties.class);
-                if (!isEmpty(resourceServerProperties.getJwt().getIssuerUri())) {
-                    // configure Okta specific auth converter (extracts authorities from `groupsClaim`
-                    configureResourceServer(http, oktaOAuth2Properties);
-                } else {
-                    log.debug("OAuth resource server not configured due to missing issuer property");
-                }
+            // Resource Server Config
+
+            // if issuer is root org, use opaque token validation
+            if (TokenUtil.isRootOrgIssuer(oktaOAuth2Properties.getIssuer())) {
+                log.debug("Opaque Token validation/introspection will be configured.");
+                configureResourceServerForOpaqueTokenValidation(http, oktaOAuth2Properties);
+                return;
+            }
+
+            OAuth2ResourceServerConfigurer oAuth2ResourceServerConfigurer = http.getConfigurer(OAuth2ResourceServerConfigurer.class);
+
+            if (getJwtConfigurer(oAuth2ResourceServerConfigurer).isPresent()) {
+                log.debug("JWT configurer is set in OAuth resource server configuration. " +
+                    "JWT validation will be configured.");
+                configureResourceServerForJwtValidation(http, oktaOAuth2Properties);
+            } else if (getOpaqueTokenConfigurer(oAuth2ResourceServerConfigurer).isPresent()) {
+                log.debug("Opaque Token configurer is set in OAuth resource server configuration. " +
+                    "Opaque Token validation/introspection will be configured.");
+                configureResourceServerForOpaqueTokenValidation(http, oktaOAuth2Properties);
             } else {
-                log.debug("OAuth resource server not configured due to missing OAuth2ResourceServerProperties bean");
+                log.debug("Defaulting to Okta JWT resource server configuration.");
+                configureResourceServerForJwtValidation(http, oktaOAuth2Properties);
             }
         }
     }
 
+    private Optional<OAuth2ResourceServerConfigurer<?>.JwtConfigurer> getJwtConfigurer(OAuth2ResourceServerConfigurer<?> oAuth2ResourceServerConfigurer) throws IllegalAccessException {
+        if (oAuth2ResourceServerConfigurer != null) {
+            return getFieldValue(oAuth2ResourceServerConfigurer, "jwtConfigurer");
+        }
+        return Optional.empty();
+    }
+
+    private Optional<OAuth2ResourceServerConfigurer<?>.OpaqueTokenConfigurer> getOpaqueTokenConfigurer(OAuth2ResourceServerConfigurer<?> oAuth2ResourceServerConfigurer) throws IllegalAccessException {
+        if (oAuth2ResourceServerConfigurer != null) {
+            return getFieldValue(oAuth2ResourceServerConfigurer, "opaqueTokenConfigurer");
+        }
+        return Optional.empty();
+    }
+
+    private <T> Optional<T> getFieldValue(Object source, String fieldName) throws IllegalAccessException {
+        Field field = AccessController.doPrivileged((PrivilegedAction<Field>) () -> {
+            Field result = null;
+            try {
+                result = OAuth2ResourceServerConfigurer.class.getDeclaredField(fieldName);
+                result.setAccessible(true);
+            } catch (NoSuchFieldException e) {
+                log.warn("Could not get field '" + fieldName + "' of {} via reflection",
+                    OAuth2ResourceServerConfigurer.class.getName(), e);
+            }
+            return result;
+        });
+
+        if (field == null) {
+            String errMsg = "Expected field '" + fieldName + "' was not found in OAuth resource server configuration. " +
+                            "Version incompatibility with Spring Security detected." +
+                            "Check https://github.com/okta/okta-spring-boot for project updates.";
+            throw new RuntimeException(errMsg);
+        }
+
+        return Optional.ofNullable((T) field.get(source));
+    }
+
     private void configureLogin(HttpSecurity http, OktaOAuth2Properties oktaOAuth2Properties) throws Exception {
 
         http.oauth2Login()
@@ -92,10 +146,16 @@ private void configureLogin(HttpSecurity http, OktaOAuth2Properties oktaOAuth2Pr
         }
     }
 
-    private void configureResourceServer(HttpSecurity http, OktaOAuth2Properties oktaOAuth2Properties) throws Exception {
-
+    private void configureResourceServerForJwtValidation(HttpSecurity http, OktaOAuth2Properties oktaOAuth2Properties) throws Exception {
         http.oauth2ResourceServer()
-                .jwt().jwtAuthenticationConverter(new OktaJwtAuthenticationConverter(oktaOAuth2Properties.getGroupsClaim()));
+            .jwt().jwtAuthenticationConverter(new OktaJwtAuthenticationConverter(oktaOAuth2Properties.getGroupsClaim()));
+    }
+
+    private void configureResourceServerForOpaqueTokenValidation(HttpSecurity http, OktaOAuth2Properties oktaOAuth2Properties) throws Exception {
+
+        if (!isEmpty(oktaOAuth2Properties.getClientId()) && !isEmpty(oktaOAuth2Properties.getClientSecret())) {
+            http.oauth2ResourceServer().opaqueToken();
+        }
     }
 
     private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {

oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2ResourceServerAutoConfig.java

@@ -25,13 +25,22 @@
 import org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerAutoConfiguration;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.client.support.BasicAuthenticationInterceptor;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
-import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
-import org.springframework.web.client.RestOperations;
+import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
 import org.springframework.web.client.RestTemplate;
 
+import java.util.Collection;
+import java.util.Collections;
+
 @Configuration
 @AutoConfigureBefore(OAuth2ResourceServerAutoConfiguration.class)
 @ConditionalOnClass(JwtAuthenticationToken.class)
@@ -45,15 +54,39 @@ class OktaOAuth2ResourceServerAutoConfig {
     JwtDecoder jwtDecoder(OAuth2ResourceServerProperties oAuth2ResourceServerProperties,
                           OktaOAuth2Properties oktaOAuth2Properties) {
 
-            NimbusJwtDecoderJwkSupport decoder = new NimbusJwtDecoderJwkSupport(oAuth2ResourceServerProperties.getJwt().getJwkSetUri());
-            decoder.setJwtValidator(TokenUtil.jwtValidator(oAuth2ResourceServerProperties.getJwt().getIssuerUri(), oktaOAuth2Properties.getAudience()));
-            decoder.setRestOperations(restOperations());
-            return decoder;
+        NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(oAuth2ResourceServerProperties.getJwt().getJwkSetUri());
+        builder.restOperations(restTemplate());
+        NimbusJwtDecoder decoder = builder.build();
+        decoder.setJwtValidator(TokenUtil.jwtValidator(oktaOAuth2Properties.getIssuer(), oktaOAuth2Properties.getAudience()));
+        return decoder;
     }
 
-    private RestOperations restOperations() {
+    private RestTemplate restTemplate() {
         RestTemplate restTemplate = new RestTemplate();
         restTemplate.getInterceptors().add(new UserAgentRequestInterceptor());
         return restTemplate;
     }
+
+    @Bean
+    @Conditional(OktaOpaqueTokenIntrospectConditional.class)
+    OpaqueTokenIntrospector opaqueTokenIntrospector(OktaOAuth2Properties oktaOAuth2Properties,
+                                                    OAuth2ResourceServerProperties oAuth2ResourceServerProperties) {
+
+        RestTemplate restTemplate = restTemplate();
+        restTemplate.getInterceptors().add(new BasicAuthenticationInterceptor(
+            oAuth2ResourceServerProperties.getOpaquetoken().getClientId(),
+            oAuth2ResourceServerProperties.getOpaquetoken().getClientSecret()));
+
+        OpaqueTokenIntrospector delegate = new NimbusOpaqueTokenIntrospector(
+            oAuth2ResourceServerProperties.getOpaquetoken().getIntrospectionUri(),
+            restTemplate);
+
+        return token -> {
+            OAuth2AuthenticatedPrincipal principal = delegate.introspect(token);
+            Collection<GrantedAuthority> mappedAuthorities =
+                Collections.unmodifiableCollection(TokenUtil.tokenClaimsToAuthorities(principal.getAttributes(), oktaOAuth2Properties.getGroupsClaim()));
+            return new DefaultOAuth2AuthenticatedPrincipal(
+                principal.getName(), principal.getAttributes(), mappedAuthorities);
+        };
+    }
 }

oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOpaqueTokenIntrospectConditional.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright 2020-Present Okta, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.okta.spring.boot.oauth;
+
+import org.springframework.boot.autoconfigure.condition.AllNestedConditions;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+
+class OktaOpaqueTokenIntrospectConditional extends AllNestedConditions {
+
+    OktaOpaqueTokenIntrospectConditional() {
+        super(ConfigurationPhase.REGISTER_BEAN);
+    }
+
+    @ConditionalOnProperty(name="okta.oauth2.client-id")
+    static class ClientIdCondition { }
+
+    @ConditionalOnProperty(name="okta.oauth2.client-secret")
+    static class ClientSecretCondition { }
+
+    @ConditionalOnProperty(name="okta.oauth2.issuer")
+    static class IssuerCondition { }
+}

oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOAuth2ResourceServerAutoConfig.java

@@ -18,6 +18,7 @@
 import com.okta.spring.boot.oauth.config.OktaOAuth2Properties;
 import org.springframework.boot.autoconfigure.AutoConfigureBefore;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerAutoConfiguration;
@@ -28,6 +29,7 @@
 import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
 import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
 import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
+import org.springframework.web.reactive.function.client.WebClient;
 
 @Configuration
 @AutoConfigureBefore(ReactiveOAuth2ResourceServerAutoConfiguration.class)
@@ -38,10 +40,18 @@
 class ReactiveOktaOAuth2ResourceServerAutoConfig {
 
     @Bean
+    @ConditionalOnMissingBean
     ReactiveJwtDecoder jwtDecoder(OAuth2ResourceServerProperties oAuth2ResourceServerProperties, OktaOAuth2Properties oktaOAuth2Properties) {
 
-        NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(oAuth2ResourceServerProperties.getJwt().getJwkSetUri());
-        jwtDecoder.setJwtValidator(TokenUtil.jwtValidator(oAuth2ResourceServerProperties.getJwt().getIssuerUri(), oktaOAuth2Properties.getAudience()));
-        return jwtDecoder;
+        NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder builder =
+            NimbusReactiveJwtDecoder.withJwkSetUri(oAuth2ResourceServerProperties.getJwt().getJwkSetUri());
+        builder.webClient(webClient());
+        NimbusReactiveJwtDecoder decoder = builder.build();
+        decoder.setJwtValidator(TokenUtil.jwtValidator(oAuth2ResourceServerProperties.getJwt().getIssuerUri(), oktaOAuth2Properties.getAudience()));
+        return decoder;
+    }
+
+    private WebClient webClient() {
+        return WebClientUtil.createWebClient();
     }
 }

oauth2/src/main/java/com/okta/spring/boot/oauth/TokenUtil.java

@@ -15,6 +15,7 @@
  */
 package com.okta.spring.boot.oauth;
 
+import com.okta.commons.lang.Strings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.GrantedAuthority;
@@ -31,6 +32,8 @@
 import org.springframework.util.CollectionUtils;
 import org.springframework.util.StringUtils;
 
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
@@ -90,4 +93,35 @@ static OAuth2TokenValidator<Jwt> jwtValidator(String issuer, String audience ) {
             });
         return new DelegatingOAuth2TokenValidator<>(validators);
     }
+
+    /**
+     * Check if the issuer is root/org URI.
+     *
+     * Issuer URL that does not follow the pattern '/oauth2/default' (or) '/oauth2/some_id_string' is
+     * considered root/org issuer.
+     *
+     * e.g. https://sample.okta.com (root/org url)
+     *      https://sample.okta.com/oauth2/default (non-root issuer/org url)
+     *      https://sample.okta.com/oauth2/ausar5cbq5TRRsbcJ0h7 (non-root issuer/org url)
+     *
+     * @param issuerUri
+     * @return true if root/org, false otherwise
+     */
+    static boolean isRootOrgIssuer(String issuerUri) throws MalformedURLException {
+        String uriPath = new URL(issuerUri).getPath();
+
+        if (Strings.hasText(uriPath)) {
+            String[] tokenizedUri = uriPath.substring(uriPath.indexOf("/")+1).split("/");
+
+            if (tokenizedUri.length >= 2 &&
+                "oauth2".equals(tokenizedUri[0]) &&
+                Strings.hasText(tokenizedUri[1])) {
+                log.debug("The issuer URL: '{}' is an Okta custom authorization server", issuerUri);
+                return false;
+            }
+        }
+
+        log.debug("The issuer URL: '{}' is an Okta root/org authorization server", issuerUri);
+        return true;
+    }
 }