HydrologicEngineeringCenter
diff --git a/‎cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/AuthCodePkceTokenRequestBuilder.java‎
Lines changed: 125 additions & 0 deletions b/‎cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/AuthCodePkceTokenRequestBuilder.java‎
Lines changed: 125 additions & 0 deletions
diff --git a/‎cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/OidcAuthTokenProvider.java‎
Lines changed: 87 additions & 0 deletions b/‎cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/OidcAuthTokenProvider.java‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/OpenIdTokenController.java‎
Lines changed: 52 additions & 9 deletions b/‎cwbi-auth-http-client/src/main/java/hec/army/usace/hec/cwbi/auth/http/client/OpenIdTokenController.java‎
Lines changed: 52 additions & 9 deletions
@@ -0,0 +1,125 @@
+/*
+ * MIT License
+ *
+ * 
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+package hec.army.usace.hec.cwbi.auth.http.client;
+
+import mil.army.usace.hec.cwms.http.client.HttpRequestBuilderImpl;
+import mil.army.usace.hec.cwms.http.client.HttpRequestResponse;
+import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
+import mil.army.usace.hec.cwms.http.client.request.HttpRequestExecutor;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.atomic.AtomicReference;
+import java.awt.Desktop;
+import java.awt.Desktop.Action;
+
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpHandler;
+import com.sun.net.httpserver.HttpServer;
+
+public final class AuthCodePkceTokenRequestBuilder extends TokenRequestBuilder {
+
+    @Override
+    OAuth2Token retrieveToken() throws IOException {
+    
+        OAuth2Token retVal = null;
+        // https://datatracker.ietf.org/doc/html/rfc7636#section-4.1
+        try {
+            byte[] verifierBytes = new byte[128];
+            SecureRandom.getInstanceStrong().nextBytes(verifierBytes);
+            Base64.Encoder b64encoder = Base64.getUrlEncoder();
+            final String verifier = b64encoder.encodeToString(verifierBytes);
+
+            MessageDigest md = MessageDigest.getInstance("SHA-256");
+            final String challenge = b64encoder.encodeToString(md.digest(verifierBytes));
+            HttpServer server = HttpServer.create(new InetSocketAddress(0), 0);
+            int port = server.getAddress().getPort();
+            String host = server.getAddress().getHostName();
+            final AtomicReference<String> code = new AtomicReference<>();
+            final AtomicReference<String> state = new AtomicReference<>();
+            final CompletableFuture<Void> future = new CompletableFuture<>();
+            
+            server.createContext("/", new HttpHandler() {
+
+                @Override
+                public void handle(HttpExchange exchange) throws IOException {
+                    final String query = exchange.getRequestURI().getQuery();
+                    Map<String, List<String>> parameters = new HashMap<>();
+                    for (String pair: query.split("&")) {
+                        String[] kv = pair.split("=");
+                        String parameter = URLDecoder.decode(kv[0], StandardCharsets.UTF_8);
+                        String value = kv.length > 1 ? URLDecoder.decode(kv[1], StandardCharsets.UTF_8) : null;
+                        parameters.computeIfAbsent(parameter, p -> new ArrayList<>()).add(value);
+                    }
+
+                    code.set(parameters.get("code").get(0));
+                    state.set(parameters.get("state").get(0));
+                    future.complete(null);
+                }
+
+            });
+
+            String formBody = new UrlEncodedFormData()
+                    .addPassword("")
+                    .addGrantType("code")
+                    .addScopes("openid", "profile")
+                    .addClientId(getClientId())
+                    .addUsername("")
+                    .addParameter("code_challenge_method", "S256")
+                    .addParameter("code_challenge", challenge)
+                    .addParameter("redirect_uri", String.format("http://%s:%d", host, port))
+                    .buildEncodedString();
+            String urlStr= String.format("%s/%s", getUrl().getApiRoot(), formBody);
+            // start server to listen
+            if (Desktop.isDesktopSupported() && Desktop.getDesktop().isSupported(Action.BROWSE)) {
+                Desktop.getDesktop().browse(URI.create(urlStr));
+            } else {
+                System.out.println(String.format("Paste the following into a browser to continue login: %s", urlStr));
+            }
+
+            future.join();
+            System.out.println("Next steps.");
+
+            
+        } catch (NoSuchAlgorithmException ex) {
+            throw new IOException("Unable to retrieve SecureRandom or Message Digest instance to generate verifier", ex);
+        }
+    
+        return retVal;
+    }
+}
@@ -0,0 +1,87 @@
+package hec.army.usace.hec.cwbi.auth.http.client;
+
+import java.io.IOException;
+import java.util.Objects;
+import java.util.concurrent.CompletionException;
+
+import mil.army.usace.hec.cwms.http.client.ApiConnectionInfo;
+import mil.army.usace.hec.cwms.http.client.ApiConnectionInfoBuilder;
+import mil.army.usace.hec.cwms.http.client.auth.OAuth2Token;
+import mil.army.usace.hec.cwms.http.client.auth.OAuth2TokenProvider;
+
+public final class OidcAuthTokenProvider implements OAuth2TokenProvider {
+
+    private final String clientId;
+    private final String wellKnownUrl;
+    private final ApiConnectionInfo tokenUrl;
+    private final ApiConnectionInfo authUrl;
+    private OAuth2Token token = null;
+
+    public OidcAuthTokenProvider(String clientId, String wellKnownUrl) {
+        this.clientId = Objects.requireNonNull(clientId, "Missing required client id.");
+        this.wellKnownUrl = Objects.requireNonNull(clientId, "Missing required well known Url.");
+
+        OpenIdTokenController controller = new OpenIdTokenController() {
+
+            @Override
+            public String retrieveWellKnownEndpoint(ApiConnectionInfo apiConnectionInfo) throws IOException {
+                return wellKnownUrl; // we already have it.
+            }
+            
+        };
+        ApiConnectionInfo info = new ApiConnectionInfoBuilder(wellKnownUrl).build();/// this is getting really obnoxious to keep typing out.
+        try {
+            this.authUrl = controller.retrieveAuthUrl(info, null);
+            this.tokenUrl = controller.retrieveTokenUrl(info, null);
+        } catch (IOException ex) {
+            throw new CompletionException("Unable to return auth or token URL", ex);
+        }
+    }
+
+    @Override
+    public void clear() {
+        synchronized (this) {
+            this.token = null;
+        }
+    }
+
+    @Override
+    public OAuth2Token getToken() throws IOException {
+        synchronized(this) {
+            if (token == null) {
+                token = newToken();
+            }
+            return token;
+        }
+    }
+
+    @Override
+    public OAuth2Token refreshToken() throws IOException {
+        synchronized (this) {
+            OAuth2Token newToken = new RefreshTokenRequestBuilder()
+                    .withRefreshToken(token.getRefreshToken())
+                    .withUrl(tokenUrl)
+                    .withClientId(clientId)
+                    .fetchToken();
+            token = newToken;
+            return token;
+        }
+    }
+
+    @Override
+    public OAuth2Token newToken() throws IOException {
+        synchronized (this) {
+            /**
+             * It may make sense to allow something to override this usage, however that
+             * *should* be a user setting. So like additional drop down or something.
+             */
+            token = new AuthCodePkceTokenRequestBuilder()
+                    .withUrl(authUrl)
+                    .withClientId(clientId)
+                    .fetchToken();
+            return token;
+        }
+        
+    }
+    
+}
@@ -12,20 +12,63 @@ public abstract class OpenIdTokenController {
 
     static final String ACCEPT_HEADER = "application/json";
     private static final String TOKEN_ENDPOINT_KEY = "token_endpoint";
-    protected abstract String retrieveWellKnownEndpoint(ApiConnectionInfo apiConnectionInfo) throws IOException;
+    private static final String AUTH_ENDPOINT_KEY = "authorization_endpoint";
+
+
+    private String authEndpoint = null;
+    private String tokenEndpoint = null;
+
+    /**
+     * Retrieve json text of the .wellknown/openid-configuration
+     * @param apiConnectionInfo
+     * @return
+     * @throws IOException
+     */
+    public abstract String retrieveWellKnownEndpoint(ApiConnectionInfo apiConnectionInfo) throws IOException;
+
     public final ApiConnectionInfo retrieveTokenUrl(ApiConnectionInfo apiConnectionInfo, SslSocketData sslSocketData) throws IOException {
-        String wellKnownEndpoint = retrieveWellKnownEndpoint(apiConnectionInfo);
-        ApiConnectionInfo wellKnownApiConnectionInfo = new ApiConnectionInfoBuilder(wellKnownEndpoint)
+        if (tokenEndpoint == null) {
+            String wellKnownEndpoint = retrieveWellKnownEndpoint(apiConnectionInfo)
+                        // stop gap until source of information is corrected
+                        .replace("identityc","identity");
+            
+            ApiConnectionInfo wellKnownApiConnectionInfo = new ApiConnectionInfoBuilder(wellKnownEndpoint)
+                    .withSslSocketData(sslSocketData)
+                    .build();
+            HttpRequestExecutor executor = new HttpRequestBuilderImpl(wellKnownApiConnectionInfo)
+                    .get()
+                    .withMediaType(ACCEPT_HEADER);
+            try (HttpRequestResponse response = executor.execute()) {
+                tokenEndpoint = OAuth2ObjectMapper.getValueForKey(response.getBody(), TOKEN_ENDPOINT_KEY)
+                        // stop gap until source of information is corrected
+                        .replace("identityc","identity");
+            }
+        }
+        return new ApiConnectionInfoBuilder(tokenEndpoint)
                 .withSslSocketData(sslSocketData)
                 .build();
-        HttpRequestExecutor executor = new HttpRequestBuilderImpl(wellKnownApiConnectionInfo)
-                .get()
-                .withMediaType(ACCEPT_HEADER);
-        try (HttpRequestResponse response = executor.execute()) {
-            String tokenEndpoint = OAuth2ObjectMapper.getValueForKey(response.getBody(), TOKEN_ENDPOINT_KEY);
-            return new ApiConnectionInfoBuilder(tokenEndpoint)
+    }
+
+    public final ApiConnectionInfo retrieveAuthUrl(ApiConnectionInfo apiConnectionInfo, SslSocketData sslSocketData) throws IOException {
+        
+        if (authEndpoint == null) {
+            String wellKnownEndpoint = retrieveWellKnownEndpoint(apiConnectionInfo)
+                    // stop gap until source of information is corrected
+                    .replace("identityc","identity");
+            ApiConnectionInfo wellKnownApiConnectionInfo = new ApiConnectionInfoBuilder(wellKnownEndpoint)
                     .withSslSocketData(sslSocketData)
                     .build();
+            HttpRequestExecutor executor = new HttpRequestBuilderImpl(wellKnownApiConnectionInfo)
+                    .get()
+                    .withMediaType(ACCEPT_HEADER);
+            try (HttpRequestResponse response = executor.execute()) {
+                authEndpoint = OAuth2ObjectMapper.getValueForKey(response.getBody(), AUTH_ENDPOINT_KEY)
+                                // stop gap until source of information is corrected
+                                .replace("identityc","identity");
+            }
         }
+        return new ApiConnectionInfoBuilder(authEndpoint)
+                .withSslSocketData(sslSocketData)
+                .build();
     }
 }