[27] keycloak + oauth 2.0 적용 및 회원 가입 수정

build.gradle

@@ -58,6 +58,12 @@ dependencies {
     implementation 'org.flywaydb:flyway-mysql'
     implementation 'org.flywaydb:flyway-core'
 
+    // oauth 2.0
+    implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
+
+    // keycloak
+    implementation 'org.keycloak:keycloak-admin-client:25.0.5'
+
     // test dependency
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
     testImplementation 'org.springframework.security:spring-security-test'

src/main/java/org/example/commerce_site/application/auth/KeycloakAuthService.java

@@ -0,0 +1,45 @@
+package org.example.commerce_site.application.auth;
+
+import org.example.commerce_site.application.auth.dto.OAuthAccessTokenResponse;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Service;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.web.client.RestTemplate;
+
+import lombok.RequiredArgsConstructor;
+
+@Service
+@RequiredArgsConstructor
+public class KeycloakAuthService {
+	private final RestTemplate restTemplate = new RestTemplate();
+	@Value("${oauth.keycloak.grant-type}")
+	private String GRANT_TYPE;
+	@Value("${oauth.keycloak.credentials.client}")
+	private String CLIENT_ID;
+	@Value("${oauth.keycloak.credentials.secret}")
+	private String CLIENT_SECRET;
+	@Value("${oauth.keycloak.uri.redirect}")
+	private String REDIRECT_URI;
+	@Value("${oauth.keycloak.uri.token}")
+	private String TOKEN_URI;
+
+	public OAuthAccessTokenResponse.Keycloak getAccessToken(String code) {
+		MultiValueMap<String, String> info = new LinkedMultiValueMap<>();
+		info.add("grant_type", GRANT_TYPE);
+		info.add("client_id", CLIENT_ID);
+		info.add("client_secret", CLIENT_SECRET);
+		info.add("redirect_uri", REDIRECT_URI);
+		info.add("code", code);
+
+		final HttpHeaders headers = new HttpHeaders();
+		headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
+
+		final HttpEntity<MultiValueMap<String, String>> httpEntity = new HttpEntity<>(info, headers);
+
+		return restTemplate.postForEntity(TOKEN_URI, httpEntity, OAuthAccessTokenResponse.Keycloak.class).getBody();
+	}
+}

src/main/java/org/example/commerce_site/application/auth/dto/OAuthAccessTokenResponse.java

@@ -0,0 +1,43 @@
+package org.example.commerce_site.application.auth.dto;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+public class OAuthAccessTokenResponse {
+	@Getter
+	@Setter
+	@NoArgsConstructor
+	@JsonIgnoreProperties(ignoreUnknown = true)
+	public static class Keycloak {
+		@JsonProperty("access_token")
+		private String accessToken;
+
+		@JsonProperty("expires_in")
+		private int expiresIn;
+
+		@JsonProperty("refresh_expires_in")
+		private int refreshExpiresIn;
+
+		@JsonProperty("refresh_token")
+		private String refreshToken;
+
+		@JsonProperty("token_type")
+		private String tokenType;
+
+		@JsonProperty("id_token")
+		private String idToken;
+
+		@JsonProperty("not-before-policy")
+		private int notBeforePolicy;
+
+		@JsonProperty("session_state")
+		private String sessionState;
+
+		@JsonProperty("scope")
+		private String scope;
+	}
+}

src/main/java/org/example/commerce_site/application/user/UserService.java

@@ -1,7 +1,6 @@
 package org.example.commerce_site.application.user;
 
 import org.example.commerce_site.application.user.dto.UserRequestDto;
-import org.example.commerce_site.application.user.dto.UserResponseDto;
 import org.example.commerce_site.common.exception.CustomException;
 import org.example.commerce_site.common.exception.ErrorCode;
 import org.example.commerce_site.domain.User;
@@ -17,17 +16,16 @@
 @RequiredArgsConstructor
 public class UserService {
 	private final UserRepository userRepository;
-
-	@Transactional
-	public UserResponseDto.Create create(UserRequestDto.Create dto) {
-		// TODO : email 중복 체크
-		return UserResponseDto.Create.of(userRepository.save(UserRequestDto.Create.toEntity(dto)));
-	}
-
+
 	@Transactional(readOnly = true)
 	public User getUser(Long userId) {
 		return userRepository.findById(userId).orElseThrow(
 			() -> new CustomException(ErrorCode.USER_NOT_FOUND)
 		);
 	}
+
+	@Transactional
+	public void create(UserRequestDto.Create dto) {
+		userRepository.save(UserRequestDto.Create.toEntity(dto, dto.getId()));
+	}
 }

src/main/java/org/example/commerce_site/application/user/dto/UserRequestDto.java

@@ -12,15 +12,15 @@ public class UserRequestDto {
 	@Builder
 	@ToString
 	public static class Create {
+		private String id;
 		private String name;
 		private String email;
-		private String password;
 
-		public static User toEntity(UserRequestDto.Create dto) {
+		public static User toEntity(UserRequestDto.Create dto, String authId) {
 			return User.builder()
+				.authId(authId)
 				.name(dto.getName())
 				.email(dto.getEmail())
-				.password(dto.getPassword())
 				.status(UserStatus.ACTIVE)
 				.build();
 		}

src/main/java/org/example/commerce_site/common/exception/ErrorCode.java

@@ -24,6 +24,9 @@ public enum ErrorCode {
 
 	//user
 	USER_NOT_FOUND(HttpStatus.NOT_FOUND, 404, "회원 정보를 찾을 수 없습니다."),
+	EMAIL_ALREADY_EXISTED(HttpStatus.NOT_FOUND, 400, "이미 존재하는 이메일입니다."),
+	CREATE_KEYCLOAK_USER_ERROR(HttpStatus.INTERNAL_SERVER_ERROR, 500, "인가 서버 유저 등록에 실패했습니다."),
+	ADD_USER_ERROR(HttpStatus.INTERNAL_SERVER_ERROR, 500, "API 서버 유저 등록에 실패했습니다."),
 
 	//partner
 	PARTNER_NOT_FOUND(HttpStatus.NOT_FOUND, 404, "파트너 회원 정보를 찾을 수 없습니다."),

src/main/java/org/example/commerce_site/config/KeycloakConfig.java

@@ -0,0 +1,34 @@
+package org.example.commerce_site.config;
+
+import org.keycloak.OAuth2Constants;
+import org.keycloak.admin.client.Keycloak;
+import org.keycloak.admin.client.KeycloakBuilder;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class KeycloakConfig {
+	@Value("${oauth.keycloak.realm}")
+	private String REALM;
+
+	@Value("${oauth.keycloak.auth-server-url}")
+	private String AUTH_SERVER_URL;
+
+	@Value("${oauth.keycloak.credentials.client}")
+	private String CLIENT;
+
+	@Value("${oauth.keycloak.credentials.secret}")
+	private String CLIENT_SECRET;
+
+	@Bean
+	public Keycloak keycloak() {
+		return KeycloakBuilder.builder()
+			.serverUrl(AUTH_SERVER_URL)
+			.realm(REALM)
+			.grantType(OAuth2Constants.CLIENT_CREDENTIALS)
+			.clientId(CLIENT)
+			.clientSecret(CLIENT_SECRET)
+			.build();
+	}
+}

src/main/java/org/example/commerce_site/config/SecurityConfig.java

@@ -0,0 +1,48 @@
+package org.example.commerce_site.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+	private static final String[] AUTH_EXCLUDE_POST_API_LIST = {"/user/keycloak/webhook"};
+	private static final String[] AUTH_EXCLUDE_GET_API_LIST = {"/auth/**"};
+	private static final String[] AUTH_EXCLUDE_WEB_LIST = {"/swagger-ui/**", "/api-docs/**"};
+
+	@Bean
+	protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
+		return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
+	}
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
+
+		http
+			.csrf(AbstractHttpConfigurer::disable)
+			.cors(Customizer.withDefaults())
+			.authorizeHttpRequests(requests -> requests
+				.requestMatchers(HttpMethod.POST, AUTH_EXCLUDE_POST_API_LIST).permitAll()
+				.requestMatchers(HttpMethod.GET, AUTH_EXCLUDE_GET_API_LIST).permitAll()
+				.requestMatchers(AUTH_EXCLUDE_WEB_LIST).permitAll()
+				.anyRequest().authenticated()
+			)
+			.oauth2ResourceServer(
+				oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter)))
+			.headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin));
+
+		return http.build();
+	}
+}

src/main/java/org/example/commerce_site/domain/User.java

@@ -19,9 +19,9 @@
 @AllArgsConstructor
 @Table(name = "users")
 public class User extends BaseTimeEntity {
+	private String authId;
 	private String name;
 	private String email;
-	private String password;
 	@Enumerated(EnumType.STRING)
 	private UserStatus status;
 }

src/main/java/org/example/commerce_site/infrastructure/user/UserRepository.java

@@ -1,9 +1,12 @@
 package org.example.commerce_site.infrastructure.user;
 
+import java.util.Optional;
+
 import org.example.commerce_site.domain.User;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.stereotype.Repository;
 
 @Repository
 public interface UserRepository extends JpaRepository<User, Long> {
+	Optional<User> findByEmail(String email);
 }

src/main/java/org/example/commerce_site/representation/auth/AuthController.java

@@ -0,0 +1,24 @@
+package org.example.commerce_site.representation.auth;
+
+import org.example.commerce_site.application.auth.KeycloakAuthService;
+import org.example.commerce_site.application.auth.dto.OAuthAccessTokenResponse;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+@RestController
+@RequiredArgsConstructor
+@RequestMapping("/auth")
+public class AuthController {
+	private final KeycloakAuthService keycloakAuthService;
+
+	@GetMapping("/callback")
+	public OAuthAccessTokenResponse.Keycloak auth(@RequestParam String code) {
+		return keycloakAuthService.getAccessToken(code);
+	}
+}

src/main/java/org/example/commerce_site/representation/user/UserController.java

@@ -1,15 +1,12 @@
 package org.example.commerce_site.representation.user;
 
 import org.example.commerce_site.application.user.UserService;
-import org.example.commerce_site.common.response.ApiSuccessResponse;
 import org.example.commerce_site.representation.user.request.UserRequest;
-import org.example.commerce_site.representation.user.response.UserResponse;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
-import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 
@@ -20,9 +17,8 @@
 public class UserController {
 	private final UserService userService;
 
-	@PostMapping()
-	public ApiSuccessResponse<UserResponse.Create> createUser(@Valid @RequestBody UserRequest.Create request) {
-		return ApiSuccessResponse.success(
-			UserResponse.Create.of(userService.create(UserRequest.Create.toDTO(request))));
+	@PostMapping("/keycloak/webhook")
+	public void createUser(@RequestBody UserRequest.Create request) {
+		userService.create(UserRequest.Create.toDTO(request));
 	}
 }

src/main/java/org/example/commerce_site/representation/user/request/UserRequest.java

@@ -2,29 +2,22 @@
 
 import org.example.commerce_site.application.user.dto.UserRequestDto;
 
-import jakarta.validation.constraints.NotBlank;
 import lombok.Getter;
 import lombok.ToString;
 
 public class UserRequest {
 	@Getter
 	@ToString
 	public static class Create {
-		@NotBlank
-		private String name;
-		@NotBlank
-		//TODO email 형식 체크
+		private String id;
+		private String userName;
 		private String email;
-		@NotBlank
-		//TODO 패스워드 형식 체크 (8자리 이상 20자리 이하 영문 + 숫자)
-		private String password;
 
 		public static UserRequestDto.Create toDTO(UserRequest.Create request) {
 			return UserRequestDto.Create.builder()
-				.name(request.getName())
+				.id(request.getId())
+				.name(request.getUserName())
 				.email(request.getEmail())
-				//TODO PWD 암호화
-				.password(request.getPassword())
 				.build();
 		}
 	}

src/main/resources/application.yml

@@ -29,6 +29,12 @@ spring:
     locations: classpath:db/migration/mysql
   jackson:
     property-naming-strategy: SNAKE_CASE
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          jwk-set-uri: http://localhost:9090/realms/oauth2/protocol/openid-connect/certs
+          issuer-uri: http://localhost:9090/realms/oauth2
 server:
   port: 8080
   forward-headers-strategy: framework
@@ -39,3 +45,14 @@ springdoc:
   default-produces-media-type: application/json;charset=UTF-8
   default-consumes-media-type: application/json;charset=UTF-8
   server-url: http://localhost:8080
+oauth:
+  keycloak:
+    realm: oauth2
+    auth-server-url: http://localhost:9090
+    credentials:
+      client: oauth2-client-app
+      secret: 6buMCUOwLIjBhRE6oJ7TNklkIhPqyCl5
+    grant-type: authorization_code
+    uri:
+      redirect: http://localhost:8080/auth/callback
+      token: http://localhost:9090/realms/oauth2/protocol/openid-connect/token

src/main/resources/db/migration/mysql/V1.4__drop_password_and_add_auth_id_user.sql

@@ -0,0 +1,4 @@
+ALTER TABLE ecommerce_site.users DROP COLUMN password;
+ALTER TABLE ecommerce_site.users ADD auth_id varchar(255) NOT NULL;
+ALTER TABLE ecommerce_site.users CHANGE auth_id auth_id varchar(255) NOT NULL AFTER id;
+ALTER TABLE ecommerce_site.users ADD CONSTRAINT users_unique UNIQUE KEY (auth_id);