Fix OAuth2 Autoritation Code with PKCE

Author: masseb974

knowage-core/src/main/java/it/eng/spagobi/rest/oauth2/OAuth2ClientService.java

@@ -1,35 +1,31 @@
 package it.eng.spagobi.rest.oauth2;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
-import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
 
 import org.apache.log4j.Logger;
+import org.json.JSONException;
+import org.json.JSONObject;
 
+import it.eng.spagobi.api.AbstractSpagoBIResource;
 import it.eng.spagobi.rest.oauth2.dto.OAuth2TokenDTO;
 import it.eng.spagobi.security.OAuth2.OAuth2Client;
+import it.eng.spagobi.services.rest.annotations.PublicService;
 
-import org.json.JSONException;
-import org.json.JSONObject;
-
-//@PublicService
 @Path("/oauth2clientservice")
-public class OAuth2ClientService {
+public class OAuth2ClientService extends AbstractSpagoBIResource {
 
-	@Context
-	private HttpServletRequest request;
-
-	@Context
-	private HttpServletResponse response;
-	
 	private static Logger logger = Logger.getLogger(OAuth2ClientService.class);
-	
+
 	@GET
-	public OAuth2TokenDTO getOAuth2Client(@QueryParam("code") @DefaultValue("") String code) {
+	@Produces(MediaType.APPLICATION_JSON)
+	@PublicService
+	public Response getOAuth2Client(@QueryParam("code") @DefaultValue("") String code) {
 		OAuth2Client client = new OAuth2Client();
 		String genToken = client.getAccessToken(code);
 		OAuth2TokenDTO dto = new OAuth2TokenDTO();
@@ -43,8 +39,8 @@ public OAuth2TokenDTO getOAuth2Client(@QueryParam("code") @DefaultValue("") Stri
 				logger.error("Cannot parse access token response", e);
 			}
 		}
-		return dto;
+		return Response.ok(dto).build();
 	}
-	
-	
+
+
 }

knowage-core/src/main/java/it/eng/spagobi/rest/oauth2/OAuth2ConfigService.java

@@ -1,45 +1,40 @@
 package it.eng.spagobi.rest.oauth2;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
-import javax.ws.rs.core.Context;
-
-import org.apache.log4j.Logger;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
 
+import it.eng.spagobi.api.AbstractSpagoBIResource;
 import it.eng.spagobi.rest.oauth2.dto.OAuth2ConfigDTO;
 import it.eng.spagobi.security.OAuth2.OAuth2Config;
+import it.eng.spagobi.services.rest.annotations.PublicService;
 
 
-//@PublicService
 @Path("/oauth2configservice")
-public class OAuth2ConfigService {
-	@Context
-	private HttpServletRequest request;
-
-	@Context
-	private HttpServletResponse response;
-	
-	private static Logger logger = Logger.getLogger(OAuth2ConfigService.class);
-	
+public class OAuth2ConfigService extends AbstractSpagoBIResource {
+
 	@GET
-	public OAuth2ConfigDTO getOAuth2Config() {
+	@Produces(MediaType.APPLICATION_JSON)
+	@PublicService
+	public Response getOAuth2Config() {
 		OAuth2Config oauth2Config = OAuth2Config.getInstance();
 		String authorizeUrl = oauth2Config.getAuthorizeUrl();
 		String accessTokenUrl = oauth2Config.getAccessTokenUrl();
 		String clientId = oauth2Config.getClientId();
 		String redirectUrl = oauth2Config.getRedirectUrl();
 		String scopes = oauth2Config.getScopes();
-		
+
 		OAuth2ConfigDTO dto = new OAuth2ConfigDTO();
 		dto.setAccessTokenUrl(accessTokenUrl);
 		dto.setAuthorizeUrl(authorizeUrl);
 		dto.setClientId(clientId);
 		dto.setRedirectUrl(redirectUrl);
 		dto.setScopes(scopes);
-		return dto;
+		return Response.ok(dto).build();
 	}
-	
+
+
 
 }

knowage/src/main/webapp/oauth2/pkce/flow.jsp

@@ -27,118 +27,120 @@ From https://github.com/curityio/pkce-javascript-example
     <title>OAuth2 PKCE flow</title>
   </head>
   <body>
-    <script>
-    
-    var oauth2Config = null;
-	
-    var xhrOAuth2C = new XMLHttpRequest();
-
-    xhrOAuth2C.onload = function() {
-        var response = xhrOAuth2C.response;
-
-        if (xhrOAuth2C.status == 200) {
-        	oauthConfig = response;
-        } else {
-            alert("Error: " + response.error_description + " (" + response.error + ")");
-        }
-    };
-    xhrOAuth2C.responseType = 'json';
-    xhrOAuth2C.open("GET", '/oauth2configservice', true);
-    //xhrOAuth2C.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
-    xhrOAuth2C.send();
-
-    const authorizeEndpoint = oauth2Config.authorizeUrl;
-    const tokenEndpoint = oauth2Config.accessTokenUrl;
-    const clientId = oauth2Config.clientId;
-    const redirectUri = oauth2Config.redirectUrl;
-
-        if (window.location.search) {
-            var args = new URLSearchParams(window.location.search);
-            var code = args.get("code");
-            var state = args.get("state");
-            
-            if (code) {
-            	if (window.sessionStorage.getItem("state") !== state){
-            	    throw Error("Probable session hijacking attack!");
-            	}
-            	
-                var xhr = new XMLHttpRequest();
-
-                xhr.onload = function() {
-                    var response = xhr.response;
-
-                    if (xhr.status == 200) {
-                    	// storing id_token for later usage (on logout)
-                    	window.sessionStorage.setItem("id_token", response.id_token);
-                    	
-                    	var lastRedirectUri = window.location.href.split('?')[0];
-                    	var args = new URLSearchParams({
-                    		PAGE : "LoginPage",
-                    		NEW_SESSION : "TRUE",
-                            access_token: response.access_token
-                        });
-                        window.location = lastRedirectUri + "?" + args;
-                    } else {
-                        alert("Error: " + response.error_description + " (" + response.error + ")");
-                    }
-
-                    document.getElementById("result").innerHTML = message;
-                };
-                xhr.responseType = 'json';
-                xhr.open("POST", tokenEndpoint, true);
-                xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
-                xhr.send(new URLSearchParams({
-                    client_id: clientId,
-                    code_verifier: window.sessionStorage.getItem("code_verifier"),
-                    grant_type: "authorization_code",
-                    redirect_uri: redirectUri,
-                    code: code,
-                    state: state
-                }));
-            } else {
-            	startOauth2Flow();
+    <script>  
+    	start();
+        
+        async function start() {
+        	if (window.location.search) {
+                var args = new URLSearchParams(window.location.search);
+                var code = args.get("code");
+                var state = args.get("state");
+                if (code) {
+                	const oauth2Config = await fetchConfig();
+                	if (window.sessionStorage.getItem("state") !== state){
+                	    throw Error("Probable session hijacking attack!");
+                	}
+                	fetch(oauth2Config.accessTokenUrl, {
+                		  method: 'POST',
+                		  headers: {
+                		    'Content-Type': 'application/x-www-form-urlencoded'
+                		  },
+                		  body: new URLSearchParams({
+                		    client_id: oauth2Config.clientId,
+                		    code_verifier: window.sessionStorage.getItem("code_verifier"),
+                		    grant_type: "authorization_code",
+                		    redirect_uri: oauth2Config.redirectUrl,
+                		    code: code,
+                		    state: state
+                		  })
+                		})
+                		.then(response => response.json().then(data => ({ status: response.status, body: data })))
+                		.then(({ status, body }) => {
+                		  if (status === 200) {
+                		    // storing id_token for later usage (on logout)
+                		    window.sessionStorage.setItem("id_token", body.id_token);
+
+                		    const lastRedirectUri = window.location.href.split('?')[0];
+                		    const args = new URLSearchParams({
+                		      PAGE: "LoginPage",
+                		      NEW_SESSION: "TRUE",
+                		      access_token: body.access_token
+                		    });
+
+                		    window.location = lastRedirectUri + "?" + args;
+                		  } else {
+                		    alert(`Error: ${body.error_description} (${body.error})`);
+                		  }
+
+                		})
+                		.catch(error => {
+                		  console.error("Errore nella richiesta fetch:", error);
+                		});
+
+                } else {
+                	startOauth2Flow();
+                }
             }
         }
-
-        function startOauth2Flow() {
-        	var state = generateRandomString(64);
-            var codeVerifier = generateRandomString(128);
-
-            generateCodeChallenge(codeVerifier).then(function(codeChallenge) {
-            	window.sessionStorage.setItem("state", state);
-                window.sessionStorage.setItem("code_verifier", codeVerifier);
-
-                var args = new URLSearchParams({
-                    response_type: "code",
-                    client_id: clientId,
-                    code_challenge_method: "S256",
-                    code_challenge: codeChallenge,
-                    state: state,
-                    redirect_uri: redirectUri,
-                    scope: "openid profile"
-                });
-                window.location = authorizeEndpoint + "?" + args;
-            });
+        
+        async function fetchConfig() {
+        	const response = await fetch('/knowage/restful-services/oauth2configservice', {
+    	        method: 'GET'
+    	    })
+        	
+        	if (!response.ok) {
+	               throw new Error("Errore nella chiamata oauth2configservice");
+	        }
+        	const config = await response.json();
+    	    return config;
         }
-
-        async function generateCodeChallenge(codeVerifier) {
-            var digest = await crypto.subtle.digest("SHA-256",
-                new TextEncoder().encode(codeVerifier));
-
-            return btoa(String.fromCharCode(...new Uint8Array(digest)))
-                .replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_')
+        
+        async function startOauth2Flow() {
+        	const oauth2Config = await fetchConfig();
+        	const state = generateRandomString(64);
+        	const verifier = generateRandomString(128);
+         	const challenge = await generateCodeChallenge(verifier);
+            sessionStorage.setItem("state", state);
+        	sessionStorage.setItem("code_verifier", verifier);
+        	var args = new URLSearchParams({
+                response_type: "code",
+                client_id: oauth2Config.clientId,
+                code_challenge_method: "S256",
+                code_challenge: challenge,
+                state: state,
+                redirect_uri: oauth2Config.redirectUrl,
+                scope: "openid profile"
+            });
+            window.location = oauth2Config.authorizeUrl + "?" + args;
+            
         }
+        
 
-        function generateRandomString(length) {
-            var text = "";
-            var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-
-            for (var i = 0; i < length; i++) {
-                text += possible.charAt(Math.floor(Math.random() * possible.length));
-            }
+     // Funzione per generare una stringa casuale (code_verifier)
+     function generateRandomString(length) {
+       const charset = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~';
+       let result = '';
+       const array = new Uint8Array(length);
+       window.crypto.getRandomValues(array);
+       for (let i = 0; i < array.length; i++) {
+         result += charset[array[i] % charset.length];
+       }
+       return result;
+     }
+
+
+	  // Funzione per generare il code_challenge (SHA256 + base64url)
+	  async function generateCodeChallenge(codeVerifier) {
+	    const encoder = new TextEncoder();
+	    const data = encoder.encode(codeVerifier);
+	    const digest = await window.crypto.subtle.digest('SHA-256', data);
+	    const base64url = btoa(String.fromCharCode(...new Uint8Array(digest)))
+	      .replace(/\+/g, '-')
+	      .replace(/\//g, '_')
+	      .replace(/=+$/, '');
+	    return base64url;
+	  }
 
-            return text;
-        }
         
     </script>
   </body>

knowageutils/src/main/java/it/eng/spagobi/security/OAuth2/OAuth2Filter.java

@@ -201,6 +201,8 @@ public void init(FilterConfig fConfig) throws ServletException {
 			flowManager = new ImplicitFlowManager();
 			break;
 		case PKCE:
+			flowManager = new ClassicFlowManager();
+			break;
 		case AUTHORIZATION_CODE:
 			flowManager = new ClassicFlowManager();
 			break;

knowageutils/src/main/java/it/eng/spagobi/security/utils/AntiCsrfFilter.java

@@ -82,6 +82,8 @@ private boolean excludeCheck(String path) {
 		urlToExclude.add("/start/generatePPTV2");
 		urlToExclude.add("/start/generatePPT");
 		urlToExclude.add("/start/generateDOC");
+		urlToExclude.add("/oauth2configservice");
+		urlToExclude.add("/oauth2clientservice");
 
 		return urlToExclude.contains(path) || path.startsWith("/1.0/ai/") || path.startsWith("/dossier/activity/");
 	}