Initial implementation of a more 'pure' OpenID Connection token provider.

Author: MikeNeilson

.gitignore

@@ -8,3 +8,4 @@ build
 **/bin
 **/.idea/
 lib/
+.vscode

buildSrc/src/main/groovy/cwms-data-api-client.java-conventions.gradle

@@ -22,6 +22,10 @@ configurations.implementation.extendsFrom(configurations.annotationProcessor)
 
 test {
     useJUnitPlatform()
+    // when passing --tests by default it needs to match all in all subjects
+    filter {
+            setFailOnNoMatchingTests(false)
+    }
 }
 
 javadoc {

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/AuthCodePkceTokenRequestBuilder.java

@@ -1,7 +1,7 @@
 /*
  * MIT License
  *
- * 
+ * Copyright (c) 2024 Hydrologic Engineering Center
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -27,22 +27,15 @@
 import mil.army.usace.hec.cwms.http.client.HttpRequestResponse;
 import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
 import mil.army.usace.hec.cwms.http.client.request.HttpRequestExecutor;
+import mil.army.usace.hec.cwms.http.client.request.QueryParameters;
 
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.net.URI;
-import java.net.URISyntaxException;
-import java.net.URL;
-import java.net.URLDecoder;
-import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
-import java.util.ArrayList;
 import java.util.Base64;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.atomic.AtomicReference;
 import java.awt.Desktop;
@@ -52,7 +45,13 @@
 import com.sun.net.httpserver.HttpHandler;
 import com.sun.net.httpserver.HttpServer;
 
-public final class AuthCodePkceTokenRequestBuilder extends TokenRequestBuilder {
+/**
+ * Use Authorization Code + PKCE method to retrieve initial token set.
+ * 
+ * If a desktop is available users's default Browser is opened with the given auth URL
+ * To complete the additional requirements.
+ */
+public final class AuthCodePkceTokenRequestBuilder extends TokenRequestBuilder<AuthCodePkceTokenRequestBuilder> {
 
     @Override
     OAuth2Token retrieveToken() throws IOException {
@@ -67,7 +66,7 @@ OAuth2Token retrieveToken() throws IOException {
 
             MessageDigest md = MessageDigest.getInstance("SHA-256");
             final String challenge = b64encoder.encodeToString(md.digest(verifierBytes));
-            HttpServer server = HttpServer.create(new InetSocketAddress(0), 0);
+            HttpServer server = HttpServer.create(new InetSocketAddress("localhost", 0), 0);            
             int port = server.getAddress().getPort();
             String host = server.getAddress().getHostName();
             final AtomicReference<String> code = new AtomicReference<>();
@@ -79,33 +78,27 @@ OAuth2Token retrieveToken() throws IOException {
                 @Override
                 public void handle(HttpExchange exchange) throws IOException {
                     final String query = exchange.getRequestURI().getQuery();
-                    Map<String, List<String>> parameters = new HashMap<>();
-                    for (String pair: query.split("&")) {
-                        String[] kv = pair.split("=");
-                        String parameter = URLDecoder.decode(kv[0], StandardCharsets.UTF_8);
-                        String value = kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : null;
-                        parameters.computeIfAbsent(parameter, p -> new ArrayList<>()).add(value);
-                    }
-
+                    final QueryParameters parameters = QueryParameters.parse(query);
+                    
                     code.set(parameters.get("code").get(0));
                     state.set(parameters.get("state").get(0));
+                    System.out.println("Got code");
+                    server.stop(0);
                     future.complete(null);
                 }
 
             });
-
-            String formBody = new UrlEncodedFormData()
-                    .addPassword("")
-                    .addGrantType("code")
-                    .addScopes("openid", "profile")
-                    .addClientId(getClientId())
-                    .addUsername("")
-                    .addParameter("code_challenge_method", "S256")
-                    .addParameter("code_challenge", challenge)
-                    .addParameter("redirect_uri", String.format("http://%s:%d", host, port))
-                    .buildEncodedString();
-            String urlStr= String.format("%s/%s", getUrl().getApiRoot(), formBody);
+            final String redirectUri = String.format("http://%s:%d", host, port);
+            final QueryParameters authParameters = QueryParameters.empty()
+                .set("grant_type", "code")
+                .set("client_id", getClientId())
+                .set("scopes", "openid profile")
+                .set("code_challenge_method", "S256")
+                .set("code_challenge", challenge)
+                .set("redirect_uri", redirectUri);
+            String urlStr= String.format("%s?%s", getAuthUrl().getApiRoot(), authParameters.encode());
             // start server to listen
+            server.start();
             if (Desktop.isDesktopSupported() && Desktop.getDesktop().isSupported(Action.BROWSE)) {
                 Desktop.getDesktop().browse(URI.create(urlStr));
             } else {
@@ -115,11 +108,31 @@ public void handle(HttpExchange exchange) throws IOException {
             future.join();
             System.out.println("Next steps.");
 
-            
+            final UrlEncodedFormData formData = new UrlEncodedFormData();
+            formData.addClientId(getClientId())
+                    .addGrantType("authorization_code")
+                    .addParameter("code_verifier", verifier)
+                    .addScopes("openid", "profile")
+                    .addParameter("redirect_uri", redirectUri)
+                    .addParameter("session_state", state.get())
+                    .addParameter("code", code.get())
+                    .addParameter("response_mode", "fragment")
+                    .addParameter("response_type", "id_token token");
+
+            HttpRequestExecutor executor =
+                new HttpRequestBuilderImpl(getTokenUrl())
+                    .post()
+                    .withBody(formData.buildEncodedString())
+                    .withMediaType(MEDIA_TYPE);
+            try (HttpRequestResponse response = executor.execute()) {
+                String body = response.getBody();
+                if (body != null) {
+                    retVal = OAuth2ObjectMapper.mapJsonToObject(body, OAuth2Token.class);
+                }
+            }
+            return retVal;
         } catch (NoSuchAlgorithmException ex) {
             throw new IOException("Unable to retrieve SecureRandom or Message Digest instance to generate verifier", ex);
         }
-    
-        return retVal;
     }
 }

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/DirectGrantX509TokenRequestBuilder.java

@@ -30,7 +30,7 @@
 
 import java.io.IOException;
 
-public final class DirectGrantX509TokenRequestBuilder extends TokenRequestBuilder {
+public final class DirectGrantX509TokenRequestBuilder extends TokenRequestBuilder<DirectGrantX509TokenRequestBuilder> {
 
     @Override
     OAuth2Token retrieveToken() throws IOException {

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/OidcAuthTokenProvider.java

@@ -9,6 +9,13 @@
 import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
 import mil.army.usace.hec.cwms.http.client.auth.OAuth2TokenProvider;
 
+/**
+ * Handle generic OIDC auth based on configuration elements in the .well-known/openid-configuration
+ * values.
+ * 
+ * Defaults to using Authorization Code + PKCE.
+ * Support should be provided to support alternative flows as a user-at-login decision point.
+ */
 public final class OidcAuthTokenProvider implements OAuth2TokenProvider {
 
     private final String clientId;
@@ -29,12 +36,15 @@ public String retrieveWellKnownEndpoint(ApiConnectionInfo apiConnectionInfo) thr
             }
 
         };
-        ApiConnectionInfo info = new ApiConnectionInfoBuilder(wellKnownUrl).build();/// this is getting really obnoxious to keep typing out.
+        ApiConnectionInfo info = new ApiConnectionInfoBuilder(wellKnownUrl).build();
+        String what = "auth";
         try {
             this.authUrl = controller.retrieveAuthUrl(info, null);
+            what = "token";
             this.tokenUrl = controller.retrieveTokenUrl(info, null);
+            // TODO: process appropriate extensions to determine things like "kc_idp_hint"
         } catch (IOException ex) {
-            throw new CompletionException("Unable to return auth or token URL", ex);
+            throw new CompletionException("Unable to return " + what + " URL", ex);
         }
     }
 
@@ -73,10 +83,13 @@ public OAuth2Token newToken() throws IOException {
         synchronized (this) {
             /**
              * It may make sense to allow something to override this usage, however that
-             * *should* be a user setting. So like additional drop down or something.
+             * *should* be a user setting. So like additional drop down or something in the gui.
+             * There are various notes about it in different sections for discussion.
              */
             token = new AuthCodePkceTokenRequestBuilder()
-                    .withUrl(authUrl)
+                    .withAuthUrl(authUrl)
+                    .withTokenUrl(tokenUrl)
+                    .buildRequest()
                     .withClientId(clientId)
                     .fetchToken();
             return token;

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/RefreshTokenRequestBuilder.java

@@ -19,12 +19,14 @@ public final class RefreshTokenRequestBuilder implements RefreshTokenRequestFlue
      * @return Builder for http request
      */
     @Override
-    public TokenRequestFluentBuilder withRefreshToken(String refreshToken) {
+    public <T> TokenRequestFluentBuilder<T> withRefreshToken(String refreshToken) {
         this.refreshToken = Objects.requireNonNull(refreshToken, "Missing required refresh token");
-        return new RefreshTokenRequestExecutor();
+        // NOTE: The executor clearly extends TokenRequestBuilder which implements TokenRequestFluentBuilder so
+        // I'm really confused why we need the cast.
+        return (TokenRequestFluentBuilder<T>) new RefreshTokenRequestExecutor();
     }
 
-    class RefreshTokenRequestExecutor extends TokenRequestBuilder {
+    class RefreshTokenRequestExecutor extends TokenRequestBuilder<RefreshTokenRequestExecutor> {
 
         @Override
         OAuth2Token retrieveToken() throws IOException {

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/RefreshTokenRequestFluentBuilder.java

@@ -1,5 +1,5 @@
 package hec.army.usace.hec.cwbi.auth.http.client;
 
 public interface RefreshTokenRequestFluentBuilder {
-    TokenRequestFluentBuilder withRefreshToken(String refreshToken);
+    <T> TokenRequestFluentBuilder<T> withRefreshToken(String refreshToken);
 }

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/TokenRequestBuilder.java

@@ -28,18 +28,42 @@
 import mil.army.usace.hec.cwms.http.client.ApiConnectionInfo;
 import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
 
-abstract class TokenRequestBuilder implements TokenRequestFluentBuilder {
+abstract class TokenRequestBuilder<T> implements TokenRequestFluentBuilder<TokenRequestBuilder<T>> {
 
     static final String MEDIA_TYPE = "application/x-www-form-urlencoded";
     private ApiConnectionInfo url;
+    private ApiConnectionInfo authUrl;
+    private ApiConnectionInfo tokenUrl;
     private String clientId;
 
     abstract OAuth2Token retrieveToken() throws IOException;
 
+    /**
+     * Method used method the auth and token URL are the same.
+     * @return
+     * @deprecated implementations, even when they are the same, should use the individual auth/token methods.
+     */
+    @Deprecated(forRemoval = true)
     ApiConnectionInfo getUrl() {
         return url;
     }
 
+    /**
+     * Retrieve the specific Auth endpoint URL.
+     * @return
+     */
+    ApiConnectionInfo getAuthUrl() {
+        return authUrl;
+    }
+
+    /**
+     * Retrieve the specific Token endpiont URL.
+     * @return
+     */
+    ApiConnectionInfo getTokenUrl() {
+        return tokenUrl;
+    }
+
     String getClientId() {
         return clientId;
     }
@@ -50,6 +74,24 @@ public RequestClientId withUrl(ApiConnectionInfo url) {
         return new RequestClientIdImpl();
     }
 
+    @Override
+    public RequestClientId buildRequest() {
+        return new RequestClientIdImpl();
+    }
+
+    @Override
+    public TokenRequestBuilder<T> withAuthUrl(ApiConnectionInfo url) {
+        this.authUrl = url;
+        return this;
+    }
+
+    @Override
+    public TokenRequestBuilder<T> withTokenUrl(ApiConnectionInfo url) {
+        this.tokenUrl = url;
+        return this;
+    }
+
+
     private class RequestClientIdImpl implements RequestClientId {
 
         @Override

cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/TokenRequestFluentBuilder.java

@@ -25,7 +25,36 @@
 
 import mil.army.usace.hec.cwms.http.client.ApiConnectionInfo;
 
-public interface TokenRequestFluentBuilder {
+public interface TokenRequestFluentBuilder<T> {
 
+    /**
+     * If given auth method uses a single URL.
+     * @param url
+     * @return
+     * @deprecated even for implementations, like direct grant/resource owner password credentials
+     *             should use the individual endpoints in the appropriate sections to avoid configuration
+     *             details that are too specific but filter up among the usage.
+     */
+    @Deprecated(forRemoval = true)
     RequestClientId withUrl(ApiConnectionInfo url);
+
+    /**
+     * Create object for next step in auth.
+     * @return
+     */
+    RequestClientId buildRequest();
+
+    /**
+     * set specific Auth URL endpoint.
+     * @param url
+     * @return
+     */
+    TokenRequestFluentBuilder<T> withAuthUrl(ApiConnectionInfo url);
+
+    /**
+     * set specific Token URL endpoint.
+     * @param url
+     * @return
+     */
+    TokenRequestFluentBuilder<T> withTokenUrl(ApiConnectionInfo url);
 }