OIDC Improvements and bug fixes (#8761) (#8767)

Added pre-login filter to enable autologin, and restrict guest users
Added configuration for a OAuth2AuthorizedClientManager, which enables refreshing access token
Fixed the check for setting the userNameAttribute in GeonetworkOidcUserService.java and the Client Registration UserNameAttribute configuration in GeonetworkClientRegistrationProvider.java to based on OIDCConfig
Update the postLogoutRedirect endpoint to exclude default port numbers


* Update AudienceAccessTokenValidator.java

Fix logic

* oidc fix

* remove @configuration in OAuth2Config

* add license file header

Co-authored-by: xiechangning20 <59653172+xiechangning20@users.noreply.github.com>

Author: ianwallen

core/src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkClientRegistrationProvider.java

@@ -120,7 +120,6 @@ else if (!StringUtils.isBlank(serverMetadataJsonText) && (serverMetadataJsonText
     public GeonetworkClientRegistrationProvider(InputStream inputStream,
                                                 OIDCConfiguration oidcConfiguration) throws IOException, ParseException {
         this.oidcConfiguration = oidcConfiguration;
-        this.oidcConfiguration = oidcConfiguration;
         String clientId = oidcConfiguration.clientId;
         String clientSecret = oidcConfiguration.clientSecret;
         clientRegistration = createClientRegistration(inputStream, clientId, clientSecret);
@@ -246,7 +245,7 @@ ClientRegistration createClientRegistration(String jsonServerConfig,
         Map<String, Object> configurationMetadata = new LinkedHashMap<>(oidcMetadata.toJSONObject());
 
         ClientRegistration.Builder builder = ClientRegistration.withRegistrationId(CLIENTREGISTRATION_NAME)
-            .userNameAttributeName(IdTokenClaimNames.SUB)
+            .userNameAttributeName(this.oidcConfiguration.getUserNameAttribute())
             .scope(scopes)
             .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
             .clientAuthenticationMethod(method)

core/src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcLogoutHandler.java

@@ -71,7 +71,11 @@ private URI createPostLogoutRedirectUri(HttpServletRequest request) {
             String host = request.getServerName();
             int port = request.getServerPort();
             String path = servletContext.getContextPath();
-            uri = protocol + "://" + host + ":" + port + path;
+            // Only include the port if it's not the default for the scheme
+            boolean isDefaultPort = ("https".equalsIgnoreCase(protocol) && port == 443)
+                || ("http".equalsIgnoreCase(protocol) && port == 80);
+
+            uri = protocol + "://" + host + (isDefaultPort ? "" : ":" + port) + path;
             return new URI(uri);
         } catch (URISyntaxException e) {
             Log.debug(Geonet.SECURITY,"OIDC Post Logout Redirect Uri is invalid.  Likely you can ignore this -"

core/src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcPreAuthActionsLoginFilter.java

@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2025 Food and Agriculture Organization of the
+ * United Nations (FAO-UN), United Nations World Food Programme (WFP)
+ * and United Nations Environment Programme (UNEP)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2,
+ * Rome - Italy. email: geonetwork@osgeo.org
+ */
+package org.fao.geonet.kernel.security.openidconnect;
+
+import org.fao.geonet.Constants;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
+
+import javax.servlet.*;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.URLEncoder;
+
+/**
+ * Filter implementation for handling pre-authentication actions for OpenID Connect (OIDC) login.
+ * This filter checks if the user is authenticated and redirects unauthenticated users to the login page.
+ */
+public class GeonetworkOidcPreAuthActionsLoginFilter  implements Filter {
+
+    /**
+     * Repository for managing client registrations for OpenID Connect.
+     * This is used to retrieve client registration details such as registration ID.
+     */
+    @Autowired
+    private  ClientRegistrationRepository clientRegistrationRepository;
+
+
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    /**
+     * Filter implementation for handling pre-authentication actions for OpenID Connect login.
+     * This filter checks if the user is authenticated and redirects unauthenticated users to the login page.
+     * It ensures secure access to protected resources by handling login redirection and bypassing public endpoints.
+     */
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
+        throws IOException, ServletException {
+
+        HttpServletRequest servletRequest = (HttpServletRequest) request;
+        HttpServletResponse servletResponse = (HttpServletResponse) response;
+
+        String requestUri = servletRequest.getRequestURI();
+        String contextPath = servletRequest.getContextPath();
+        String clientRegistrationId = GeonetworkClientRegistrationProvider.CLIENTREGISTRATION_NAME;
+        // Grab the first (or default) registrationId from repository
+        String registrationId = clientRegistrationRepository.findByRegistrationId(clientRegistrationId).getRegistrationId();
+        String loginPath = contextPath + OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/" + registrationId;
+
+        // Avoid infinite loop and skip API or OIDC system endpoints or bearer token access
+        boolean isLoginRequest = requestUri.equals(loginPath);
+        boolean isBearerTokenAccess = servletRequest.getHeader("Authorization") != null &&
+            servletRequest.getHeader("Authorization").startsWith("Bearer ");
+        boolean isAuthenticated = SecurityContextHolder.getContext().getAuthentication() != null &&
+            SecurityContextHolder.getContext().getAuthentication().isAuthenticated() &&
+            !(SecurityContextHolder.getContext().getAuthentication() instanceof AnonymousAuthenticationToken);
+
+        boolean isPublicEndpoint =
+            requestUri.endsWith("/.well-known/jwks.json");
+
+        if (!isAuthenticated && !isLoginRequest && !isPublicEndpoint && !isBearerTokenAccess) {
+            String returningUrl = requestUri +
+                (servletRequest.getQueryString() == null ? "" : "?" + servletRequest.getQueryString());
+
+            String redirectUrl = loginPath + "?redirectUrl=" + URLEncoder.encode(returningUrl, Constants.ENCODING);
+            servletResponse.sendRedirect(redirectUrl);
+            return;
+        }
+
+        chain.doFilter(servletRequest, servletResponse);
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+
+
+
+}

core/src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcUserService.java

@@ -89,7 +89,7 @@ public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2Authenticatio
         String userNameAttributeName = userRequest.getClientRegistration()
             .getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName();
 
-        if (!StringUtils.hasText(userNameAttributeName)) {
+        if (StringUtils.hasText(userNameAttributeName)) {
             user = new DefaultOidcUser(authorities, userRequest.getIdToken(), userInfo, userNameAttributeName);
         } else {
             user = new DefaultOidcUser(authorities, userRequest.getIdToken(), userInfo);

core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OAuth2Configuration.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2025 Food and Agriculture Organization of the
+ * United Nations (FAO-UN), United Nations World Food Programme (WFP)
+ * and United Nations Environment Programme (UNEP)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * Contact: Jeroen Ticheler - FAO - Viale delle Terme di Caracalla 2,
+ * Rome - Italy. email: geonetwork@osgeo.org
+ */
+package org.fao.geonet.kernel.security.openidconnect;
+
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.oauth2.client.*;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+
+public class OAuth2Configuration {
+
+    /**
+     * Client registration repository used to set authorized client manager
+     */
+    @Autowired
+    private ClientRegistrationRepository clientRegistrationRepository;
+
+    @Autowired
+    private OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
+
+    /**
+     * This method is used to obtain the OAuth2 authorized clients
+     * which is used to obtaining OAuth2 Access Token, and refresh token.
+     */
+    @Bean
+    public OAuth2AuthorizedClientManager authorizedClientManager() {
+        OAuth2AuthorizedClientProvider authorizedClientProvider =
+            OAuth2AuthorizedClientProviderBuilder.builder()
+                .clientCredentials()
+                .refreshToken()
+                .build();
+
+        AuthorizedClientServiceOAuth2AuthorizedClientManager authorizedClientManager =
+            new AuthorizedClientServiceOAuth2AuthorizedClientManager(
+                clientRegistrationRepository, oAuth2AuthorizedClientService);
+
+        authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+
+        return authorizedClientManager;
+    }
+
+}

web/src/main/webapp/WEB-INF/config-security/config-security-openidconnectbearer-overrides.properties

@@ -94,3 +94,4 @@ openidconnectConfiguration.clientId=${OPENIDCONNECT_CLIENTID}
 openidconnectConfiguration.clientSecret=${OPENIDCONNECT_CLIENTSECRET}
 
 openidconnectConfiguration.userNameAttribute=${OPENIDCONNECT_USERNAME_ATTRIBUTE:#{'email'}}
+openidconnectConfiguration.loginType=${OPENIDCONNECT_LOGINTYPE:#{'LINK'}}

web/src/main/webapp/WEB-INF/config-security/config-security-openidconnectbearer.xml

@@ -199,30 +199,56 @@
     </constructor-arg>
     <property name="filterProcessesUrl" value="/signout"/>
   </bean>
+  <bean id="geonetworkOidcPreAuthActionsLoginFilter" class="org.fao.geonet.kernel.security.openidconnect.GeonetworkOidcPreAuthActionsLoginFilter"/>
 
+  <bean id="oAuth2Configuration" class="org.fao.geonet.kernel.security.openidconnect.OAuth2Configuration"/>
 
   <bean id="filterChainFilters" class="java.util.ArrayList">
-    <constructor-arg>
-      <list>
-        <ref bean="securityContextPersistenceFilter"/>
-        <!-- To disable csrf security (not recommended) comment the following line -->
-        <ref bean="csrfFilter" />
-        <!-- To disable csrf security (not recommended) comment the upper line -->
-
-        <ref bean="openidconnectOAuth2AuthorizationRequestRedirectFilter"/>
-        <ref bean="openidconnectOAuth2LoginAuthenticationFilter"/>
-        <ref bean="logoutFilter"/>
-
-        <ref bean="openidconnectBearerTokenAuthenticationFilter"/>
-        <!--        <ref bean="openidconnect_GeonetworkBearerTokenAuthenticationFilter"/>-->
-
-        <ref bean="requestCacheFilter"/>
-        <ref bean="anonymousFilter"/>
-        <ref bean="sessionMgmtFilter"/>
-        <ref bean="exceptionTranslationFilter"/>
-        <ref bean="filterSecurityInterceptor"/>
-      </list>
+    <constructor-arg
+      ref="#{ openidconnectConfiguration.loginType == 'autologin' ? 'openidConnectFilterChanFiltersInclusive' : 'openidConnectFilterChanFiltersExclusive' }">
+
     </constructor-arg>
   </bean>
+  <util:list id="openidConnectFilterChanFiltersExclusive">
+
+    <ref bean="securityContextPersistenceFilter"/>
+    <!-- To disable csrf security (not recommended) comment the following line -->
+    <ref bean="csrfFilter" />
+    <!-- To disable csrf security (not recommended) comment the upper line -->
+
+    <ref bean="openidconnectOAuth2AuthorizationRequestRedirectFilter"/>
+    <ref bean="openidconnectOAuth2LoginAuthenticationFilter"/>
+    <ref bean="logoutFilter"/>
+
+    <ref bean="openidconnectBearerTokenAuthenticationFilter"/>
+    <!--        <ref bean="openidconnect_GeonetworkBearerTokenAuthenticationFilter"/>-->
+
+    <ref bean="requestCacheFilter"/>
+    <ref bean="anonymousFilter"/>
+    <ref bean="sessionMgmtFilter"/>
+    <ref bean="exceptionTranslationFilter"/>
+    <ref bean="filterSecurityInterceptor"/>
+
+  </util:list>
+
+  <util:list id="openidConnectFilterChanFiltersInclusive">
+
+    <ref bean="securityContextPersistenceFilter"/>
+    <ref bean="csrfFilter" />
+
+    <ref bean="openidconnectOAuth2AuthorizationRequestRedirectFilter"/>
+    <ref bean="openidconnectOAuth2LoginAuthenticationFilter"/>
+    <ref bean="logoutFilter"/>
+    <!--     include a pre login filter-->
+    <ref bean="geonetworkOidcPreAuthActionsLoginFilter"/>
+
+    <ref bean="openidconnectBearerTokenAuthenticationFilter"/>
+
+    <ref bean="requestCacheFilter"/>
+    <ref bean="anonymousFilter"/>
+    <ref bean="sessionMgmtFilter"/>
+    <ref bean="exceptionTranslationFilter"/>
+    <ref bean="filterSecurityInterceptor"/>
 
+  </util:list>
 </beans>