Fix #1568: NextStep OpenID Connect (OIDC) Support (#1570)

* Fix #1568: NextStep OpenID Connect (OIDC) Support

docs/Next-Step-Server.md

@@ -68,3 +68,21 @@ Next Step Server implements following functionality:
 REST services are available for all Next Step functionality listed above.
 
 The Next Step Server functionality is described in details in [Next Step Server REST API Reference](./Next-Step-Server-REST-API-Reference.md).
+
+
+## OpenID Connect (OIDC)
+
+You may configure OpenID Connect (OIDC) authentication.
+
+| Property                                                                                   | Default value            | Description                                                                                                                   |
+|--------------------------------------------------------------------------------------------|--------------------------|-------------------------------------------------------------------------------------------------------------------------------|
+| `powerauth.nextstep.security.auth.type`                                                    |                          | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured.                                         |
+| `spring.security.oauth2.client.registration.nextstep-oidc-client.provider`                 | `nextstep-oidc-provider` | Should be `nextstep-oidc-provider`, defines the key for the `issuer-uri` property, see below.                                 |
+| `spring.security.oauth2.client.registration.nextstep-oidc-client.client-id`                |                          | Client ID for authentication to the provider.                                                                                 |
+| `spring.security.oauth2.client.registration.nextstep-oidc-client.client-secret`            |                          | Client secret for authentication to the provider.                                                                             |
+| `spring.security.oauth2.client.registration.nextstep-oidc-client.authorization-grant-type` | `authorization_code`     | Authorization grant type. Should be `authorization_code`.                                                                     |
+| `spring.security.oauth2.client.registration.nextstep-oidc-client.scope`                    | `openid`                 | Authorization scopes. Should be `openid`.                                                                                     |
+| `spring.security.oauth2.client.registration.nextstep-oidc-client.redirectUri`              |                          | Redirect URI from the provider back to the NextStep, e.g. `http://localhost:8080//powerauth-nextstep/login/oauth2/code/azure` |
+| `spring.security.oauth2.client.provider.nextstep-oidc-provider.issuer-uri`                 |                          | URL of the provider, e.g. `https://sts.windows.net/example/`                                                                  |
+
+See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details. 

powerauth-nextstep/pom.xml

@@ -59,6 +59,10 @@
             <artifactId>spring-boot-configuration-processor</artifactId>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-client</artifactId>
+        </dependency>
 
         <!-- PowerAuth Dependencies -->
         <dependency>

powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/NextStepApplication.java

@@ -21,6 +21,7 @@
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.scheduling.annotation.EnableScheduling;
 
@@ -31,7 +32,7 @@
  *
  * @author Roman Strobl, [email protected]
  */
-@SpringBootApplication
+@SpringBootApplication(exclude = OAuth2ClientAutoConfiguration.class) // OAuth2Client dependency is included, but configuration is optional
 @EnableScheduling
 @ComponentScan(basePackages = {"io.getlime.security.powerauth.app.nextstep", "com.wultra.core.audit.base"})
 public class NextStepApplication {

powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/configuration/SecurityConfig.java

@@ -17,12 +17,20 @@
  */
 package io.getlime.security.powerauth.app.nextstep.configuration;
 
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
+import static org.springframework.security.config.Customizer.withDefaults;
 
 /**
  * Default Spring Security configuration.
@@ -31,19 +39,55 @@
  */
 @Configuration
 @EnableWebSecurity
+@Slf4j
 public class SecurityConfig {
 
+    @Value("${powerauth.nextstep.security.auth.type:NONE}")
+    private AuthType authType;
+
     /**
      * Configures HTTP security.
+     *
      * @param http HTTP security.
      * @throws Exception Thrown when configuration fails.
      */
     @Bean
     public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
+        if (authType == AuthType.OIDC) {
+            logger.info("Initializing OIDC authentication.");
+            http.authorizeHttpRequests(authorize -> authorize
+                            .requestMatchers(
+                                    new AntPathRequestMatcher("/login/oauth2/**"),
+                                    new AntPathRequestMatcher("/api/service/status"),
+                                    new AntPathRequestMatcher("/actuator/**"))
+                            .permitAll()
+                            .anyRequest()
+                            .fullyAuthenticated())
+                    .oauth2Login(withDefaults());
+        } else {
+            logger.info("No authentication configured");
+            http.httpBasic(AbstractHttpConfigurer::disable);
+        }
+
         return http
-                .httpBasic(AbstractHttpConfigurer::disable)
                 .csrf(AbstractHttpConfigurer::disable)
                 .build();
     }
 
-}
+    @Configuration
+    @ConditionalOnProperty(name = "powerauth.nextstep.security.auth.type", havingValue = "OIDC")
+    @Import(OAuth2ClientAutoConfiguration.class)
+    public static class OAuth2ClientConfiguration {
+        // no code on purpose, only config class
+    }
+
+    enum AuthType {
+        NONE,
+
+        /**
+         * OpenID Connect.
+         */
+        OIDC
+    }
+
+}

powerauth-nextstep/src/main/resources/application.properties

@@ -70,5 +70,15 @@ [email protected]@
 
 logging.config=${POWERAUTH_NEXTSTEP_LOGGING:}
 
+# OpenID Connect (OIDC) Settings
+#powerauth.nextstep.security.auth.type=OIDC
+spring.security.oauth2.client.registration.nextstep-oidc-client.provider=nextstep-oidc-provider
+spring.security.oauth2.client.registration.nextstep-oidc-client.client-id=
+spring.security.oauth2.client.registration.nextstep-oidc-client.client-secret=
+spring.security.oauth2.client.registration.nextstep-oidc-client.authorization-grant-type=authorization_code
+spring.security.oauth2.client.registration.nextstep-oidc-client.scope=openid
+spring.security.oauth2.client.registration.nextstep-oidc-client.redirectUri=
+spring.security.oauth2.client.provider.nextstep-oidc-provider.issuer-uri=
+
 # Monitoring
 management.tracing.sampling.probability=1.0

powerauth-nextstep/src/test/java/io/getlime/security/powerauth/app/nextstep/NextStepTest.java

@@ -31,7 +31,7 @@
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
 import org.springframework.lang.NonNull;
-import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.jdbc.Sql;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 
@@ -44,7 +44,7 @@
  */
 @ExtendWith(SpringExtension.class)
 @SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
-@TestPropertySource(locations = "classpath:application.properties")
+@ActiveProfiles("test")
 @Sql(scripts = "/db_schema.sql")
 public class NextStepTest implements ApplicationContextAware {
 

powerauth-nextstep/src/test/resources/application-test.properties

@@ -0,0 +1,17 @@
+spring.datasource.url=jdbc:h2:mem:powerauth-nextstep;NON_KEYWORDS=value
+spring.datasource.username=sa
+spring.datasource.password=
+
+# Hibernate Configuration
+spring.jpa.hibernate.ddl-auto=create-drop
+
+# Key used for end-to-end encryption of credentials
+powerauth.nextstep.e2eEncryption.key=Qee4CK44d8GduTxoHU7JPM2lCs+KF63akIpKyaLk9+c=
+
+# Key used for database record encryption
+powerauth.nextstep.db.master.encryption.key=Bq9h3/QiGTAChopid3Xd4ZDzaJ5rkrqBuzy2vsIZcv4=
+
+# Liquibase
+spring.liquibase.enabled=false
+
+spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration