OAuth2 client refactoring (membrane#1681)

* refactor: oauth2 client

* refactor: oauth2 client

* Extracted <input> generation

* Chained if to pattern-matching switch

* Extract authSubject parameter
Extract username extraction to method

* remove intermediate reference to session.content

* replaced deprecated JSR310Module

* removed unthrown exceptions

* formatting of constant inits

* post-merge cleanup

---------

Co-authored-by: Valentin Brückel <brueckel@predic8.de>
Co-authored-by: Christian Gördes <118011644+christiangoerdes@users.noreply.github.com>

Author: 3 people

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/OAuth2AnswerParameters.java

@@ -15,16 +15,20 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.datatype.jsr310.JSR310Module;
+import com.fasterxml.jackson.databind.SerializationFeature;
+import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
+import com.predic8.membrane.core.interceptor.oauth2client.rf.OAuth2TokenResponseBody;
+import org.jetbrains.annotations.NotNull;
 
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
 import java.time.LocalDateTime;
 import java.util.HashMap;
 import java.util.Map;
 
 public class OAuth2AnswerParameters {
 
+    private final static ObjectMapper om = createObjectMapper();
+
     private String accessToken;
     private String tokenType;
     private String idToken;
@@ -33,6 +37,12 @@ public class OAuth2AnswerParameters {
     private LocalDateTime receivedAt;
     private String refreshToken;
 
+    public static OAuth2AnswerParameters createFrom(OAuth2TokenResponseBody tokenResponse) {
+        var r = new OAuth2AnswerParameters();
+        r.readFrom(tokenResponse);
+        return r;
+    }
+
     public String getAccessToken() {
         return accessToken;
     }
@@ -65,17 +75,18 @@ public String getTokenType() {
         return tokenType;
     }
 
-    public String serialize() throws JsonProcessingException, UnsupportedEncodingException {
-        return OAuth2Util.urlencode(getObjectMapper().writeValueAsString(this));
+    public String serialize() throws JsonProcessingException {
+        return OAuth2Util.urlencode(om.writeValueAsString(this));
     }
 
     public static OAuth2AnswerParameters deserialize(String oauth2answer) throws IOException {
-        return getObjectMapper().readValue(OAuth2Util.urldecode(oauth2answer),OAuth2AnswerParameters.class);
+        return om.readValue(OAuth2Util.urldecode(oauth2answer),OAuth2AnswerParameters.class);
     }
 
-    private static ObjectMapper getObjectMapper() {
+    private static ObjectMapper createObjectMapper() {
         ObjectMapper mapper = new ObjectMapper();
-        mapper.registerModule(new JSR310Module());
+        mapper.registerModule(new JavaTimeModule());
+        mapper.enable(SerializationFeature.WRITE_DATES_WITH_ZONE_ID);
         return mapper;
     }
 
@@ -106,9 +117,35 @@ public void setRefreshToken(String refreshToken) {
     @Override
     public String toString() {
         try {
-            return getObjectMapper().writeValueAsString(this);
+            return om.writeValueAsString(this);
         } catch (JsonProcessingException e) {
             return "";
         }
     }
+
+    public void updateReceivedAt() {
+        setReceivedAt(computeReceivedAt());
+    }
+
+    private static @NotNull LocalDateTime computeReceivedAt() {
+        LocalDateTime now = LocalDateTime.now();
+        LocalDateTime receivedAt = now.withSecond(floorTo30ies(now)).withNano(0);
+        return receivedAt;
+    }
+
+    private static int floorTo30ies(LocalDateTime now) {
+        return now.getSecond() / 30 * 30;
+    }
+
+    public void readFrom(OAuth2TokenResponseBody tokenResponse) {
+        updateReceivedAt();
+
+        setAccessToken(tokenResponse.getAccessToken());
+        setTokenType(tokenResponse.getTokenType());
+        setRefreshToken(tokenResponse.getRefreshToken());
+        // TODO: "refresh_token_expires_in":1209600
+        setExpiration(tokenResponse.getExpiresIn());
+        if (tokenResponse.getIdToken() != null)
+            setIdToken(tokenResponse.getVerifiedIdToken());
+    }
 }

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/OAuth2AuthorizationServerInterceptor.java

@@ -21,6 +21,7 @@
 import com.predic8.membrane.core.interceptor.oauth2.tokengenerators.*;
 import com.predic8.membrane.core.proxies.*;
 import com.predic8.membrane.core.util.*;
+import org.jetbrains.annotations.NotNull;
 import org.jose4j.lang.*;
 import org.slf4j.*;
 
@@ -31,6 +32,7 @@
 @MCElement(name = "oauth2authserver")
 public class OAuth2AuthorizationServerInterceptor extends AbstractInterceptor {
     private static final Logger log = LoggerFactory.getLogger(OAuth2AuthorizationServerInterceptor.class.getName());
+    public static final Set<@NotNull String> SUPPORTED_AUTHORIZATION_GRANTS = Set.of("code", "token", "id_token token");
 
     private String issuer;
     private String location;
@@ -130,23 +132,24 @@ public void init() {
     }
 
     private void addDefaultProcessors() {
-        getProcessors()
-                .add(new InvalidMethodProcessor(this))
-                .add(new FaviconEndpointProcessor(this))
-                .add(new AuthEndpointProcessor(this))
-                .add(new TokenEndpointProcessor(this))
-                .add(new UserinfoEndpointProcessor(this))
-                .add(new RevocationEndpointProcessor(this))
-                .add(new LoginDialogEndpointProcessor(this))
-                .add(new WellknownEndpointProcessor(this))
-                .add(new CertsEndpointProcessor(this))
-                .add(new EmptyEndpointProcessor(this))
-                .add(new DefaultEndpointProcessor(this));
+        List.of(
+                new InvalidMethodProcessor(this),
+                new FaviconEndpointProcessor(this),
+                new AuthEndpointProcessor(this),
+                new TokenEndpointProcessor(this),
+                new UserinfoEndpointProcessor(this),
+                new RevocationEndpointProcessor(this),
+                new LoginDialogEndpointProcessor(this),
+                new WellknownEndpointProcessor(this),
+                new CertsEndpointProcessor(this),
+                new EmptyEndpointProcessor(this),
+                new DefaultEndpointProcessor(this)
+        ).forEach(processors::add);
     }
 
     @Override
     public Outcome handleRequest(Exchange exc) {
-        Outcome outcome = getProcessors().runProcessors(exc);
+        Outcome outcome = processors.runProcessors(exc);
         if (outcome != Outcome.CONTINUE)
             sessionManager.postProcess(exc);
         return outcome;
@@ -327,9 +330,7 @@ public String getShortDescription() {
     }
 
     public void addSupportedAuthorizationGrants() {
-        getSupportedAuthorizationGrants().add("code");
-        getSupportedAuthorizationGrants().add("token");
-        getSupportedAuthorizationGrants().add("id_token token");
+        getSupportedAuthorizationGrants().addAll(SUPPORTED_AUTHORIZATION_GRANTS);
     }
 
     public OAuth2Statistics getStatistics() {

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/OAuth2TokenBody.java

@@ -0,0 +1,59 @@
+package com.predic8.membrane.core.interceptor.oauth2;
+
+import com.predic8.membrane.core.interceptor.oauth2client.rf.FormPostGenerator;
+
+import java.util.function.Function;
+
+import static java.net.URLEncoder.encode;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+public class OAuth2TokenBody {
+    private String code;
+    private String grantType;
+    private String refreshToken;
+    private String scope;
+    private String redirectUri;
+
+    public static OAuth2TokenBody refreshTokenBodyBuilder(String refreshToken) {
+        OAuth2TokenBody r = new OAuth2TokenBody();
+        r.grantType = "refresh_token";
+        r.refreshToken = refreshToken;
+        return r;
+    }
+
+    public static OAuth2TokenBody authorizationCodeBodyBuilder(String code) {
+        OAuth2TokenBody r = new OAuth2TokenBody();
+        r.code = code;
+        r.grantType = "authorization_code";
+        return r;
+    }
+
+    public OAuth2TokenBody scope(String scope) {
+        this.scope = scope;
+        return this;
+    }
+
+    public String build() {
+        StringBuilder r = new StringBuilder("grant_type=" + grantType);
+        appendParam(r, "refresh_token", refreshToken);
+        appendParam(r, "code", code);
+        appendParam(r, "redirect_uri", redirectUri);
+        appendParam(r, "scope", scope, e -> encode(e, UTF_8));
+        return r.toString();
+    }
+
+    private void appendParam(StringBuilder sb, String paramName, String paramValue) {
+        appendParam(sb, paramName, paramValue, e -> e);
+    }
+
+    private void appendParam(StringBuilder sb, String paramName, String paramValue, Function<String, String> encoder) {
+        if (paramValue == null)
+            return;
+        sb.append("&").append(paramName).append("=").append(encoder.apply(paramValue));
+    }
+
+    public OAuth2TokenBody redirectUri(String redirectUri) {
+        this.redirectUri = redirectUri;
+        return this;
+    }
+}

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/OAuth2Util.java

@@ -70,14 +70,17 @@ public static Response createParameterizedJsonErrorResponse(String... params) th
     }
 
     public static @NotNull String getPublicURL(Exchange exc) {
-        return (isHTTPS(exc.getProxy(), getxForwardedProto(exc)) ? "https://" : "http://") + exc.getOriginalHostHeader();
+        return getProtocol(exc.getProxy(), getxForwardedProto(exc))+ "://" + exc.getOriginalHostHeader();
     }
 
-    private static boolean isHTTPS(Proxy proxy, String xForwardedProto) {
+    private static String getProtocol(Proxy proxy, String xForwardedProto) {
         if (!(proxy instanceof SSLableProxy sp)) {
-            return false;
+            return "http";
+        }
+        if (xForwardedProto != null) {
+            return "https".equals(xForwardedProto) ? "https" : "http";
         }
-        return xForwardedProto != null ? "https".equals(xForwardedProto) : sp.isInboundSSL();
+        return sp.getProtocol() ;
     }
 
     private static String getxForwardedProto(Exchange exc) {

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/WellknownFile.java

@@ -80,7 +80,7 @@ private String baseOauth2Url(){
         return resolver.combine(getOauth2Issuer() + "/","oauth2/");
     }
 
-    private void getValuesFromOasi() throws UnsupportedEncodingException {
+    private void getValuesFromOasi() {
         if(oasi == null)
             return;
 

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/authorizationservice/AuthorizationService.java

@@ -23,6 +23,7 @@
 import com.predic8.membrane.core.interceptor.oauth2.OAuth2AnswerParameters;
 import com.predic8.membrane.core.interceptor.oauth2.tokengenerators.JwtGenerator;
 import com.predic8.membrane.core.interceptor.oauth2client.rf.LogHelper;
+import com.predic8.membrane.core.interceptor.oauth2client.rf.OAuth2TokenResponseBody;
 import com.predic8.membrane.core.interceptor.oauth2client.rf.token.JWSSigner;
 import com.predic8.membrane.core.interceptor.session.Session;
 import com.predic8.membrane.core.resolver.ResolverMap;
@@ -31,6 +32,7 @@
 import com.predic8.membrane.core.transport.ssl.PEMSupport;
 import com.predic8.membrane.core.transport.ssl.SSLContext;
 import com.predic8.membrane.core.transport.ssl.StaticSSLContext;
+import jakarta.mail.internet.ParseException;
 import org.apache.commons.codec.binary.Base64;
 import org.jose4j.jwt.JwtClaims;
 import org.jose4j.jwt.MalformedClaimException;
@@ -40,16 +42,20 @@
 import org.slf4j.LoggerFactory;
 
 import javax.annotation.concurrent.GuardedBy;
+import java.io.IOException;
 import java.io.InputStream;
-import java.net.URLEncoder;
+import java.net.URISyntaxException;
 import java.util.List;
 import java.util.UUID;
 
 import static com.predic8.membrane.core.Constants.USERAGENT;
 import static com.predic8.membrane.core.http.Header.*;
 import static com.predic8.membrane.core.http.MimeType.APPLICATION_JSON;
 import static com.predic8.membrane.core.http.MimeType.APPLICATION_X_WWW_FORM_URLENCODED;
-import static java.nio.charset.StandardCharsets.UTF_8;
+import static com.predic8.membrane.core.interceptor.oauth2.OAuth2TokenBody.authorizationCodeBodyBuilder;
+import static com.predic8.membrane.core.interceptor.oauth2.OAuth2TokenBody.refreshTokenBodyBuilder;
+import static com.predic8.membrane.core.interceptor.oauth2client.rf.JsonUtils.isJson;
+import static java.net.URLEncoder.encode;
 
 public abstract class AuthorizationService {
     protected Logger log;
@@ -189,9 +195,12 @@ public void setHttpClient(HttpClient httpClient) {
     }
 
     public Response doRequest(Exchange e) throws Exception {
+        logHelper.handleRequest(e);
         if (sslContext != null)
             e.setProperty(Exchange.SSL_CONTEXT, sslContext);
-        return getHttpClient().call(e).getResponse();
+        Response response = getHttpClient().call(e).getResponse();
+        logHelper.handleResponse(e);
+        return response;
     }
 
     public SSLParser getSslParser() {
@@ -229,31 +238,20 @@ public Request.Builder applyAuth(Request.Builder requestBuilder, String body) {
         return requestBuilder;
     }
 
-    public Response refreshTokenRequest(Session session, OAuth2AnswerParameters params, String wantedScope) throws Exception {
+
+
+    public String getTokenEndpoint(Session session) {
         String tokenEndpoint = getTokenEndpoint();
         if (session.get("defaultFlow") != null) {
             tokenEndpoint = tokenEndpoint.replaceAll(session.get("defaultFlow"), session.get("triggerFlow"));
         }
-
-        Exchange e = applyAuth(
-                new Request.Builder().post(tokenEndpoint)
-                        .contentType(APPLICATION_X_WWW_FORM_URLENCODED)
-                        .header(ACCEPT, APPLICATION_JSON)
-                        .header(USER_AGENT, USERAGENT),
-                "grant_type=refresh_token" + "&refresh_token=" + params.getRefreshToken() +
-                        (wantedScope != null ? "&scope=" + URLEncoder.encode(wantedScope, UTF_8) : ""))
-                .buildExchange();
-
-        logHelper.handleRequest(e);
-        Response response = doRequest(e);
-        logHelper.handleResponse(e);
-        return response;
+        return tokenEndpoint;
     }
 
-    public Response requestUserEndpoint(OAuth2AnswerParameters params) throws Exception {
+    public Response requestUserEndpoint(String tokenType, String token) throws Exception {
         return doRequest(new Request.Builder()
                 .get(getUserInfoEndpoint())
-                .header("Authorization", params.getTokenType() + " " + params.getAccessToken())
+                .header("Authorization", tokenType + " " + token)
                 .header("User-Agent", USERAGENT)
                 .header(ACCEPT, APPLICATION_JSON)
                 .buildExchange());
@@ -286,7 +284,8 @@ private String createClientToken() {
             jwtClaims.setExpirationTime(expiration);
             jwtClaims.setNotBeforeMinutesInThePast(2f);
 
-            return JWSSigner.signToCompactSerialization(jwtClaims.toJson());
+            String payload = jwtClaims.toJson();
+            return JWSSigner.generateSignedJWS(payload);
         } catch (JoseException | MalformedClaimException e) {
             throw new RuntimeException(e);
         }
@@ -299,4 +298,42 @@ public InputStream resolve(ResolverMap rm, String baseLocation, String url) thro
             return httpClient.call(Request.get(url).buildExchange()).getResponse().getBodyAsStreamDecoded();
         return rm.resolve(url);
     }
+
+    public OAuth2TokenResponseBody refreshTokenRequest(Session session, String wantedScope, String refreshToken) throws Exception {
+        return parseTokenResponse(checkTokenResponse(doRequest(applyAuth(
+                new Request.Builder().post(getTokenEndpoint(session))
+                        .contentType(APPLICATION_X_WWW_FORM_URLENCODED)
+                        .header(ACCEPT, APPLICATION_JSON)
+                        .header(USER_AGENT, USERAGENT),
+                refreshTokenBodyBuilder(refreshToken).scope(wantedScope).build())
+                .buildExchange())));
+    }
+
+    public OAuth2TokenResponseBody codeTokenRequest(String redirectUri, String code) throws Exception {
+        return parseTokenResponse(checkTokenResponse(doRequest(applyAuth(
+                new Request.Builder()
+                        .post(getTokenEndpoint())
+                        .contentType(APPLICATION_X_WWW_FORM_URLENCODED)
+                        .header(ACCEPT, APPLICATION_JSON)
+                        .header(USER_AGENT, USERAGENT),
+                authorizationCodeBodyBuilder(code).redirectUri(redirectUri).build()).buildExchange())));
+    }
+
+    private OAuth2TokenResponseBody parseTokenResponse(Response response) throws IOException {
+        return OAuth2TokenResponseBody.parse(this, response.getBodyAsStreamDecoded());
+    }
+
+    private Response checkTokenResponse(Response response) throws IOException, ParseException {
+        if (response.getStatusCode() != 200) {
+            response.getBody().read();
+            throw new RuntimeException("Authorization server returned " + response.getStatusCode() + ".");
+        }
+
+        if (!isJson(response)) {
+            response.getBody().read();
+            throw new RuntimeException("Token response is no JSON.");
+        }
+        return response;
+    }
+
 }