CwbiAUthTokenProviderBase now extends OidcAuthTokenProvider.

Removed previous DiscoveryProvider as all configuration discovery is now
handled within OidcAuthTokenProvider.

Author: MikeNeilson

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/AuthCodePkceTokenRequestBuilder.java

@@ -32,17 +32,17 @@
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.URI;
+import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.util.Base64;
+import java.util.UUID;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
-import java.util.concurrent.atomic.AtomicReference;
-import java.awt.Desktop;
-import java.awt.Desktop.Action;
+import java.util.logging.Logger;
 
 import com.sun.net.httpserver.HttpExchange;
 import com.sun.net.httpserver.HttpHandler;
@@ -55,20 +55,21 @@
  * To complete the additional requirements.
  */
 public final class AuthCodePkceTokenRequestBuilder extends TokenRequestBuilder<AuthCodePkceTokenRequestBuilder> {
-
+    private static final Logger LOGGER = Logger.getLogger(AuthCodePkceTokenRequestBuilder.class.getName());
     @Override
     OAuth2Token retrieveToken() throws IOException {
 
         OAuth2Token retVal = null;
         // https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
         try {
-            byte[] verifierBytes = new byte[128];
+            byte[] verifierBytes = new byte[64];
             SecureRandom.getInstanceStrong().nextBytes(verifierBytes);
             Base64.Encoder b64encoder = Base64.getUrlEncoder().withoutPadding();
             final String verifier = b64encoder.encodeToString(verifierBytes);
+            final String originalState = UUID.randomUUID().toString();
 
             MessageDigest md = MessageDigest.getInstance("SHA-256");
-            final String challenge = b64encoder.encodeToString(md.digest(verifierBytes));
+            final String challenge = b64encoder.encodeToString(md.digest(verifier.getBytes(StandardCharsets.US_ASCII)));
             HttpServer server = HttpServer.create(new InetSocketAddress("localhost", 0), 0);            
             int port = server.getAddress().getPort();
             String host = server.getAddress().getHostName();
@@ -82,7 +83,7 @@ public void handle(HttpExchange exchange) throws IOException {
                     Result ret = null;
 
                     final String query = exchange.getRequestURI().getQuery();
-                    System.out.println("Got auth server response." + query);
+                    LOGGER.finest("Got auth server response." + query);
                     final QueryParameters parameters = QueryParameters.parse(query);
                     if (!parameters.get("error").isEmpty()) {
                         String error = parameters.get("error").get(0);
@@ -91,9 +92,10 @@ public void handle(HttpExchange exchange) throws IOException {
                     } else {
                         String code = parameters.get("code").get(0);
                         String state = parameters.get("state").get(0);
-                        ret = Result.success(code ,state);
+                        String session_state = parameters.get("session_state").get(0);
+                        ret = Result.success(code ,state, session_state);
                     }
-                    System.out.println("Finishing");
+                    LOGGER.finest("Returning result back to thread.");
                     server.stop(0);
                     future.complete(ret);
                 }
@@ -108,25 +110,30 @@ public void handle(HttpExchange exchange) throws IOException {
                 .set("code_challenge_method", "S256")
                 .set("code_challenge", challenge)
                 .set("redirect_uri", redirectUri)
-                .set("kc_idp_hint", "login.gov");
+                .set("state", originalState);
             String urlStr= String.format("%s?%s", getAuthUrl().getApiRoot(), authParameters.encode());
             // start server to listen
             server.start();
-            System.out.println(urlStr);
+            LOGGER.info("Handling Auth Request");
+            LOGGER.finer("Auth Request URL: " + urlStr);
             this.authCallBack.accept(URI.create(urlStr));
 
-            Result result = future.get(1, TimeUnit.MINUTES); // The user is now required to perform manual operations.
-            System.out.println("Next steps.");
+            Result result = future.get(3, TimeUnit.MINUTES); // The user is now required to perform manual operations.
+            LOGGER.info("Retrieving Token.");
             if (result.error != null) {
                 throw new IOException(String.format("Unable to login. %s : %s", result.error, result.errorDescription));
             }
+            if (!result.state.equals(originalState)) {
+                throw new IOException("Unable to continue login sequence, incorrect state value returned.");
+            }
             final UrlEncodedFormData formData = new UrlEncodedFormData();
             formData.addClientId(getClientId())
                     .addGrantType("authorization_code")
                     .addParameter("code_verifier", verifier)
                     .addScopes("openid", "profile")
                     .addParameter("redirect_uri", redirectUri)
-                    .addParameter("session_state", result.state)
+                    .addParameter("state", result.state)
+                    .addParameter("session_state", result.session_state)
                     .addParameter("code", result.code)
                     .addParameter("response_mode", "fragment")
                     .addParameter("response_type", "id_token token");
@@ -153,23 +160,25 @@ public void handle(HttpExchange exchange) throws IOException {
     private static class Result {
         public final String code;
         public final String state;
+        public final String session_state;
 
         public final String error;
         public final String errorDescription;
 
-        private Result(String code, String state, String error, String errorDescription) {
+        private Result(String code, String state, String session_state, String error, String errorDescription) {
             this.code = code;
             this.state = state;
+            this.session_state = session_state;
             this.error = error;
             this.errorDescription = errorDescription;
         }
 
-        public static Result success(String code, String state) {
-            return new Result(code, state, null, null);
+        public static Result success(String code, String state, String session_state) {
+            return new Result(code, state, session_state, null, null);
         }
 
         public static Result failure(String error, String errorDescription) {
-            return new Result(null, null, error, errorDescription);
+            return new Result(null, null, null, error, errorDescription);
         }
     };
 }

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/CwbiAuthTokenProvider.java

@@ -33,24 +33,22 @@
 public final class CwbiAuthTokenProvider extends CwbiAuthTokenProviderBase {
 
     private final SSLSocketFactory sslSocketFactory;
-    private final String url;
 
     /**
      * Provider for OAuth2Tokens.
      *
-     * @param tokenUrl - URL we are fetching token from
+     * @param wellKnownUrl - URL we are retrieving configuration from
      * @param clientId - client name
      * @param sslSocketFactory - ssl socket factory
      */
-    public CwbiAuthTokenProvider(String tokenUrl, String clientId, SSLSocketFactory sslSocketFactory) {
-        super(clientId);
+    public CwbiAuthTokenProvider(String wellKnownUrl, String clientId, SSLSocketFactory sslSocketFactory) {
+        super(clientId, wellKnownUrl);
         this.sslSocketFactory = Objects.requireNonNull(sslSocketFactory, "Missing required sslSocketFactory");
-        this.url = Objects.requireNonNull(tokenUrl, "Missing required tokenUrl");
     }
 
     @Override
     ApiConnectionInfo getUrl() {
-        return new ApiConnectionInfoBuilder(url)
+        return new ApiConnectionInfoBuilder(this.wellKnownUrl)
                 .withSslSocketData(new SslSocketData(sslSocketFactory, CwbiAuthTrustManager.getTrustManager()))
                 .build();
     }

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/CwbiAuthTokenProviderBase.java

@@ -24,51 +24,43 @@
 package hec.army.usace.hec.cwbi.auth.http.client;
 
 import java.io.IOException;
-import java.util.Objects;
 
 import mil.army.usace.hec.cwms.http.client.ApiConnectionInfo;
 import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
-import mil.army.usace.hec.cwms.http.client.auth.OAuth2TokenProvider;
 
-abstract class CwbiAuthTokenProviderBase implements OAuth2TokenProvider {
-    protected OAuth2Token oauth2Token;
-    protected final String clientId;
+abstract class CwbiAuthTokenProviderBase extends OidcAuthTokenProvider {
 
-    protected CwbiAuthTokenProviderBase(String clientId) {
-        this.clientId = Objects.requireNonNull(clientId, "Missing required clientId");
+    protected CwbiAuthTokenProviderBase(String clientId, String wellKnownUrl) {
+        super(clientId, wellKnownUrl);
     }
 
     abstract ApiConnectionInfo getUrl() throws IOException;
 
-    @Override
-    public synchronized void clear() {
-        oauth2Token = null;
-    }
 
     @Override
     public synchronized OAuth2Token getToken() throws IOException {
-        if (oauth2Token == null) {
-            oauth2Token = newToken();
+        if (token == null) {
+            token = newToken();
         }
-        return oauth2Token;
+        return token;
     }
 
     @Override
     public OAuth2Token newToken() throws IOException {
         return new DirectGrantX509TokenRequestBuilder()
-                .withUrl(getUrl())
+                .withUrl(tokenUrl)
                 .withClientId(clientId)
                 .fetchToken();
     }
 
     @Override
     public synchronized OAuth2Token refreshToken() throws IOException {
-        OAuth2Token token = new RefreshTokenRequestBuilder()
-                .withRefreshToken(oauth2Token.getRefreshToken())
-                .withUrl(getUrl())
+        OAuth2Token newToken = new RefreshTokenRequestBuilder()
+                .withRefreshToken(token.getRefreshToken())
+                .withUrl(tokenUrl)
                 .withClientId(clientId)
                 .fetchToken();
-        oauth2Token = token;
+        token = newToken;
         return token;
     }
 

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/DiscoveredCwbiAuthTokenProvider.java

@@ -14,32 +14,32 @@
 /**
  * Handle generic OIDC auth based on configuration elements in the .well-known/openid-configuration
  * values.
- * 
+ *
  * Defaults to using Authorization Code + PKCE.
  * Support should be provided to support alternative flows as a user-at-login decision point.
  */
-public final class OidcAuthTokenProvider implements OAuth2TokenProvider {
+public class OidcAuthTokenProvider implements OAuth2TokenProvider {
 
-    private final String clientId;
-    private final String wellKnownUrl;
-    private final ApiConnectionInfo tokenUrl;
-    private final ApiConnectionInfo authUrl;
-    private OAuth2Token token = null;
+    protected final String clientId;
+    protected final String wellKnownUrl;
+    protected final ApiConnectionInfo tokenUrl;
+    protected final ApiConnectionInfo authUrl;
+    protected OAuth2Token token = null;
     // Default to open browser or print to console for usage, but allow overriding for testing and
     // other usages.
     private Consumer<URI> authCallback = TokenRequestBuilder.BROWSER_OR_CONSOLE_AUTH_CALLBACK;
 
     public OidcAuthTokenProvider(String clientId, String wellKnownUrl) {
         this.clientId = Objects.requireNonNull(clientId, "Missing required client id.");
-        this.wellKnownUrl = Objects.requireNonNull(clientId, "Missing required well known Url.");
+        this.wellKnownUrl = Objects.requireNonNull(wellKnownUrl, "Missing required well known Url.");
 
         OpenIdTokenController controller = new OpenIdTokenController() {
 
             @Override
             public String retrieveWellKnownEndpoint(ApiConnectionInfo apiConnectionInfo) throws IOException {
                 return wellKnownUrl; // we already have it.
             }
-            
+
         };
         ApiConnectionInfo info = new ApiConnectionInfoBuilder(wellKnownUrl).build();
         String what = "auth";
@@ -110,7 +110,7 @@ public OAuth2Token newToken() throws IOException {
                     .fetchToken();
             return token;
         }
-        
+
     }
-    
+
 }

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/OidcAuthTokenProvider.java

@@ -44,14 +44,14 @@ public class MockCwbiAuthTokenProvider extends CwbiAuthTokenProviderBase {
      * @param sslSocketFactory - ssl socket factory
      */
     public MockCwbiAuthTokenProvider(String url, String clientId, SSLSocketFactory sslSocketFactory) {
-        super(clientId);
+        super(clientId, url);
         this.sslSocketFactory = Objects.requireNonNull(sslSocketFactory, "Missing required sslSocketFactory");
         this.url = url;
     }
 
     //used to manually set token for testing
     void setOAuth2Token(OAuth2Token token) {
-        oauth2Token = token;
+        this.token = token;
     }
 
     @Override