diff --git a/docs/Next-Step-Server.md b/docs/Next-Step-Server.md
index 83eca9be0..94530a014 100644
--- a/docs/Next-Step-Server.md
+++ b/docs/Next-Step-Server.md
@@ -74,15 +74,10 @@ The Next Step Server functionality is described in details in [Next Step Server
 You may configure OpenID Connect (OIDC) authentication.
-| Property | Default value | Description |
-|--------------------------------------------------------------------------------------------|--------------------------|-------------------------------------------------------------------------------------------------------------------------------|
-| `powerauth.nextstep.security.auth.type` | | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured. |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.provider` | `nextstep-oidc-provider` | Should be `nextstep-oidc-provider`, defines the key for the `issuer-uri` property, see below. |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.client-id` | | Client ID for authentication to the provider. |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.client-secret` | | Client secret for authentication to the provider. |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.authorization-grant-type` | `authorization_code` | Authorization grant type. Should be `authorization_code`. |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.scope` | `openid` | Authorization scopes. Should be `openid`. |
-| `spring.security.oauth2.client.registration.nextstep-oidc-client.redirectUri` | | Redirect URI from the provider back to the NextStep, e.g. `http://localhost:8080//powerauth-nextstep/login/oauth2/code/azure` |
-| `spring.security.oauth2.client.provider.nextstep-oidc-provider.issuer-uri` | | URL of the provider, e.g. 
`https://sts.windows.net/example/` |
+| Property | Default value | Description |
+|---------------------------------------------------------|---------------|---------------------------------------------------------------------------------------|
+| `powerauth.nextstep.security.auth.type` | | `OIDC` for OpenID Connect. If OIDC enabled, the properties bellow must be configured. |
+| `spring.security.oauth2.resource-server.jwt.issuer-uri` | | URL of the provider, e.g. `https://sts.windows.net/example/` |
+| `spring.security.oauth2.resource-server.jwt.audiences` | | A comma-separated list of allowed `aud` JWT claim values to be validated. |
 See the [Spring Security documentation](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html#oauth2-client-log-users-in) and [OpenID Connect UserInfo endpoint](https://connect2id.com/products/server/docs/api/userinfo) for details.
diff --git a/powerauth-nextstep/pom.xml b/powerauth-nextstep/pom.xml
index 749b7c4c6..4339794ac 100644
--- a/powerauth-nextstep/pom.xml
+++ b/powerauth-nextstep/pom.xml
@@ -61,7 +61,7 @@
 org.springframework.boot
- spring-boot-starter-oauth2-client
+ spring-boot-starter-oauth2-resource-server
 org.springframework.boot
diff --git a/powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/NextStepApplication.java b/powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/NextStepApplication.java
index c7eb2ccee..a3a898b2b 100644
--- a/powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/NextStepApplication.java
+++ b/powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/NextStepApplication.java
@@ -21,7 +21,6 @@
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.scheduling.annotation.EnableScheduling;
@@ -32,7 +31,7 @@
 *
 * @author Roman Strobl, roman.strobl@wultra.com
 */
-@SpringBootApplication(exclude = OAuth2ClientAutoConfiguration.class) // OAuth2Client dependency is included, but configuration is optional
+@SpringBootApplication
 @EnableScheduling
 @ComponentScan(basePackages = {"io.getlime.security.powerauth.app.nextstep", "com.wultra.core.audit.base"})
 public class NextStepApplication {
diff --git a/powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/configuration/SecurityConfig.java b/powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/configuration/SecurityConfig.java
index 9b3355d65..4417b80fc 100644
--- a/powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/configuration/SecurityConfig.java
+++ b/powerauth-nextstep/src/main/java/io/getlime/security/powerauth/app/nextstep/configuration/SecurityConfig.java
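Review bot: The removed `// OAuth2Client dependency is included, but configuration is optional` was the only explanation of why a security starter sits on the classpath without being mandatory, and the bare `@SpringBootApplication` that replaces it leaves the same question open for the resource-server starter swapped in by the pom change. As far as I can tell from Boot's resource-server auto-configuration, the `JwtDecoder` is only created when the issuer-uri property is set, so the optionality still holds, but a reader of this class cannot see that. I would keep a one-line comment on the annotation, e.g. `// oauth2-resource-server starter is always on the classpath; its JwtDecoder is only auto-configured when spring.security.oauth2.resource-server.jwt.issuer-uri is set (see SecurityConfig)`, so the behaviour is documented where the exclusion used to be.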
@@ -19,11 +19,8 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -57,13 +54,10 @@ public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception
 logger.info("Initializing OIDC authentication.");
 http.authorizeHttpRequests(authorize -> authorize
 .requestMatchers(
- new AntPathRequestMatcher("/login/oauth2/**"),
 new AntPathRequestMatcher("/api/service/status"),
- new AntPathRequestMatcher("/actuator/**"))
- .permitAll()
- .anyRequest()
- .fullyAuthenticated())
- .oauth2Login(withDefaults());
+ new AntPathRequestMatcher("/actuator/**")).permitAll()
+ .anyRequest().fullyAuthenticated())
+ .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()));
 } else {
 logger.info("No authentication configured");
 http.httpBasic(AbstractHttpConfigurer::disable);
@@ -74,13 +68,6 @@ public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception
 .build();
 }
- @Configuration
- @ConditionalOnProperty(name = "powerauth.nextstep.security.auth.type", havingValue = "OIDC")
- @Import(OAuth2ClientAutoConfiguration.class)
- public static class OAuth2ClientConfiguration {
- // no code on purpose, only config class
- }
-
 enum AuthType {
 NONE,
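Review bot: `.oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))` in the second hunk accepts every bearer token the auto-configured `JwtDecoder` validates, and as far as I can tell from Boot's resource-server auto-configuration that decoder only enforces the `aud` claim when `spring.security.oauth2.resource-server.jwt.audiences` is non-empty, which the application.properties hunk of this commit leaves blank. With the previous `oauth2Login` flow the client-id tied the app to its own registration; with the new setup a token the same issuer minted for any other client would pass `fullyAuthenticated()` unless audiences is configured, so the property is effectively required rather than optional. I would say so at the call site, e.g. `// Signature, exp/nbf and iss are checked by the auto-configured JwtDecoder; aud is enforced only when ...jwt.audiences is set — treat it as mandatory for OIDC deployments`, and consider failing fast in the OIDC branch when that property is blank rather than starting with an open-ended token policy. The enclosing `filterChain` method starts before and ends after this hunk, so I cannot see whether session handling and CSRF are adjusted for a stateless resource server elsewhere in it.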
diff --git a/powerauth-nextstep/src/main/resources/application.properties b/powerauth-nextstep/src/main/resources/application.properties
index d67645e22..9eade1abb 100644
--- a/powerauth-nextstep/src/main/resources/application.properties
+++ b/powerauth-nextstep/src/main/resources/application.properties
@@ -72,13 +72,8 @@ logging.config=${POWERAUTH_NEXTSTEP_LOGGING:}
 # OpenID Connect (OIDC) Settings
 #powerauth.nextstep.security.auth.type=OIDC
-spring.security.oauth2.client.registration.nextstep-oidc-client.provider=nextstep-oidc-provider
-spring.security.oauth2.client.registration.nextstep-oidc-client.client-id=
-spring.security.oauth2.client.registration.nextstep-oidc-client.client-secret=
-spring.security.oauth2.client.registration.nextstep-oidc-client.authorization-grant-type=authorization_code
-spring.security.oauth2.client.registration.nextstep-oidc-client.scope=openid
-spring.security.oauth2.client.registration.nextstep-oidc-client.redirectUri=
-spring.security.oauth2.client.provider.nextstep-oidc-provider.issuer-uri=
+spring.security.oauth2.resource-server.jwt.issuer-uri=
+spring.security.oauth2.resource-server.jwt.audiences=
 # Monitoring
 management.tracing.sampling.probability=1.0
diff --git a/powerauth-nextstep/src/test/resources/application-test.properties b/powerauth-nextstep/src/test/resources/application-test.properties
index a59370aef..df8164063 100644
--- a/powerauth-nextstep/src/test/resources/application-test.properties
+++ b/powerauth-nextstep/src/test/resources/application-test.properties
@@ -13,5 +13,3 @@ powerauth.nextstep.db.master.encryption.key=Bq9h3/QiGTAChopid3Xd4ZDzaJ5rkrqBuzy2
 # Liquibase
 spring.liquibase.enabled=false
-
-spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.oauth2.client.servlet.OAuth2ClientAutoConfiguration
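Review bot: `spring.security.oauth2.resource-server.jwt.issuer-uri=` and `spring.security.oauth2.resource-server.jwt.audiences=` are added as active keys with empty values, while the switch `#powerauth.nextstep.security.auth.type=OIDC` two lines above stays commented out; the block is now inconsistent about which keys an operator is expected to fill in. I cannot confirm from here whether Boot's issuer-uri condition treats an empty value as unset, so commenting both keys out, as the type property is, avoids binding an empty issuer at all and is the safer default. A short header comment would also make the contract explicit, e.g. `# Both keys are required when auth.type=OIDC; audiences must list this service's own aud value`, since the docs hunk at the top of this commit describes audiences as validated but the default shipped here does not set one. The test-properties hunk that drops the old `spring.autoconfigure.exclude` line is consistent with the resource-server switch and needs no further change.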