code iteration

Author: longqiuling

README.md

@@ -7,13 +7,15 @@
 ## 第二步：修改配置
 修改application.yaml文件中的 idp 配置
 ```yaml
+custom:
+  serverDomain: # 填写当前运行的域名地址
 idaas:
     oidc:   
         clientId:  # IDaaS应用中拿到的 client_id
         clientSecret:  # IDaaS应用中拿到的 client_secret
         issuer: # IDaaS应用中拿到的Issuer
         scopes: # IDaaS应用中配置的scopes
-        redirectUri: ${baseUri}/authentication/login #登录 Redirect URI
+        redirectUri: ${custom.serverDomain}/authentication/login #登录 Redirect URI
 ```
 application.yaml中的配置项分别对应IDaaS应用中的配置
 ![img_3.png](src/main/resources/static/img/img_3.png)
@@ -22,7 +24,7 @@ application.yaml中的配置项分别对应IDaaS应用中的配置
 其中，redirectUri在当前项目中指向了/authentication/login
 ## 第三步：在 IDaaS 中添加重定向地址redirect-uri
 - 因为要最终需要到LoginController接口中拿到access token令牌，故重定向地址为LoginController内的login方法所指向的uri，将其填写到IDaaS中。
-  - {baseUri}/authentication/login
+  - http://127.0.0.1:8082/authentication/login
 
 ## 第四步：添加授权
 ### 添加授权
@@ -62,7 +64,7 @@ application.yaml中的配置项分别对应IDaaS应用中的配置
 ```yaml
 idaas:
     oidc:
-        openPkce: true #打开PKCE
+        pkceRequired: true #打开PKCE
         codeChallengeMethod: S256 #加密算法
 ```
 ## 访问

src/main/java/com/aliyunidaas/sample/Application.java

@@ -12,9 +12,7 @@
  **/
 @SpringBootApplication
 public class Application {
-
     public static void main(String[] args) {
         SpringApplication.run(Application.class, args);
     }
-
 }

src/main/java/com/aliyunidaas/sample/common/EndpointContext.java

@@ -15,6 +15,8 @@ public class EndpointContext {
 
     private String userinfoEndpoint;
 
+    private String jwksUri;
+
     public EndpointContext() {
     }
 
@@ -42,41 +44,12 @@ public void setUserinfoEndpoint(String userinfoEndpoint) {
         this.userinfoEndpoint = userinfoEndpoint;
     }
 
-    public static EndpointContextBuilder getBuilder() {
-        return EndpointContextBuilder.anEndpointContext();
+    public String getJwksUri() {
+        return jwksUri;
     }
 
-    public static final class EndpointContextBuilder {
-        private String authorizationEndpoint;
-        private String tokenEndpoint;
-        private String userinfoEndpoint;
-
-        private EndpointContextBuilder() {}
-
-        public static EndpointContextBuilder anEndpointContext() {return new EndpointContextBuilder();}
-
-        public EndpointContextBuilder setAuthorizationEndpoint(String authorizationEndpoint) {
-            this.authorizationEndpoint = authorizationEndpoint;
-            return this;
-        }
-
-        public EndpointContextBuilder setTokenEndpoint(String tokenEndpoint) {
-            this.tokenEndpoint = tokenEndpoint;
-            return this;
-        }
-
-        public EndpointContextBuilder setUserinfoEndpoint(String userinfoEndpoint) {
-            this.userinfoEndpoint = userinfoEndpoint;
-            return this;
-        }
-
-        public EndpointContext build() {
-            EndpointContext endpointContext = new EndpointContext();
-            endpointContext.setAuthorizationEndpoint(authorizationEndpoint);
-            endpointContext.setTokenEndpoint(tokenEndpoint);
-            endpointContext.setUserinfoEndpoint(userinfoEndpoint);
-            return endpointContext;
-        }
+    public void setJwksUri(String jwksUri) {
+        this.jwksUri = jwksUri;
     }
 }
 

src/main/java/com/aliyunidaas/sample/common/SimpleAuthnInterceptor.java

@@ -14,8 +14,10 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.net.URLEncoder;
 import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -36,33 +38,31 @@ public class SimpleAuthnInterceptor implements HandlerInterceptor {
 
     private final static String ILLEGAL_ACCESS_EXCEPTION_MESSAGE = "the cookie is invalid, please clear the cookie and try again.";
 
+    private final static String UTF_8 = "UTF-8";
+
     @Autowired
     private CustomOidcConfiguration customOidcConfiguration;
 
     @Autowired
     private CacheManager cacheManager;
 
-    @Autowired
-    private CommonUtil commonUtil;
-
     @Override
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
             throws IOException, NoSuchAlgorithmException, IllegalAccessException {
         Cookie cookie = WebUtils.getCookie(request, ParameterNameFactory.COOKIE_NAME);
         if (cookie == null) {
-            String cacheKey = UUID.randomUUID().toString();
-            String redirectUri = commonUtil.getRedirectUri(request);
-            String loginUri = getAuthorizationEndpointLoginUri(request, cacheKey, redirectUri);
-            if (customOidcConfiguration.isOpenPkce()) {
-                loginUri = getPkceAuthorizationEndpointLoginUri(cacheKey, loginUri);
+            String state = UUID.randomUUID().toString();
+            String redirectUri = customOidcConfiguration.getRedirectUri();
+            String iDaaSLoginUri = getIDaaSLoginUri(request, state, redirectUri);
+            if (customOidcConfiguration.isPkceRequired()) {
+                iDaaSLoginUri = getIDaaSLoginUri(state, iDaaSLoginUri);
             }
-            response.sendRedirect(loginUri);
+            response.sendRedirect(iDaaSLoginUri);
         } else {
             String cookieValue = cacheManager.getCache(CommonUtil.generateCacheKey(cookie.getValue(), ParameterNameFactory.COOKIE_NAME));
             if (StringUtils.isBlank(cookieValue) || !cookie.getValue().equals(cookieValue)) {
                 throw new IllegalAccessException(ILLEGAL_ACCESS_EXCEPTION_MESSAGE);
             }
-
         }
         return true;
     }
@@ -71,10 +71,11 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
      * Redirect the user to the authorization endpoint of the authorization server
      * and include some query parameters in the URL of the authorization endpoint
      *
-     * @param cacheKey 用于作为缓存的key
+     * @param state 用于作为缓存的key以及作为随机值用于跨站保护
      * @return 登录的重定向地址
      */
-    private String getAuthorizationEndpointLoginUri(HttpServletRequest request, String cacheKey, String redirectUri) throws MalformedURLException {
+    private String getIDaaSLoginUri(HttpServletRequest request, String state, String redirectUri)
+            throws MalformedURLException, UnsupportedEncodingException {
         EndpointContext endpointContext = cacheManager.getCache(customOidcConfiguration.getIssuer());
         String authorizationEndpoint = endpointContext.getAuthorizationEndpoint();
         final String clientId = customOidcConfiguration.getClientId();
@@ -83,40 +84,37 @@ private String getAuthorizationEndpointLoginUri(HttpServletRequest request, Stri
         final String queryString = request.getQueryString();
         final String requestUrl = request.getRequestURL().toString();
         final URL url = new URL(requestUrl);
-        final String state = url.getPath() + (queryString == null ? "" : "?" + queryString) + ":" + cacheKey;
+        String callbackUrl = url.getPath() + (queryString == null ? "" : "?" + queryString);
+        cacheManager.setCache(CommonUtil.generateCacheKey(state, ParameterNameFactory.URI), callbackUrl);
         // responseType = code , It means that this is an authorization code request
-        final String loginUrl = String.format(
-                "%s?response_type=code&client_id=%s&redirect_uri=%s&scope=%s&state=%s",
-                authorizationEndpoint,
-                clientId,
-                redirectUri,
-                scopes,
-                state);
-        return loginUrl;
+        return authorizationEndpoint +
+                "?response_type=code"
+                + "&client_id=" + URLEncoder.encode(clientId, UTF_8)
+                + "&redirect_uri=" + URLEncoder.encode(redirectUri, UTF_8)
+                + "&scope=" + URLEncoder.encode(scopes, UTF_8)
+                + "&state=" + URLEncoder.encode(state, UTF_8);
     }
 
     /**
      * Obtain the redirection URL of Authorization Code With PKCE Flow
      *
      * @param state    缓存code verifier 的key
-     * @param loginUri 授权码情况下的重定向地址
+     * @param iDaaSLoginUri 授权码情况下的重定向地址
      * @return pkce情况下登录的的重定向地址
      * @throws NoSuchAlgorithmException
      */
-    private String getPkceAuthorizationEndpointLoginUri(String state, String loginUri) throws NoSuchAlgorithmException {
+    private String getIDaaSLoginUri(String state, String iDaaSLoginUri) throws NoSuchAlgorithmException, UnsupportedEncodingException {
         String codeVerifier = createCodeVerifier();
         String codeChallenge = codeVerifier;
         String codeChallengeMethod = customOidcConfiguration.getCodeChallengeMethod();
         if (codeChallengeMethod.equals(CodeChallengeMethodFactory.SHA_256)) {
             codeChallenge = createHash(codeVerifier);
         }
         cacheManager.setCache(CommonUtil.generateCacheKey(state, ParameterNameFactory.CODE_VERIFIER), codeVerifier);
-        loginUri = String.format(
-                "%s&code_challenge_method=%s&code_challenge=%s",
-                loginUri,
-                customOidcConfiguration.getCodeChallengeMethod(),
-                codeChallenge);
-        return loginUri;
+        iDaaSLoginUri = iDaaSLoginUri
+                + "&code_challenge_method=" + URLEncoder.encode(customOidcConfiguration.getCodeChallengeMethod(), UTF_8)
+                + "&code_challenge=" + URLEncoder.encode(codeChallenge, UTF_8);
+        return iDaaSLoginUri;
     }
 
     /**
@@ -140,9 +138,8 @@ private static String createCodeVerifier() {
      */
     private static String createHash(String codeVerifier) throws NoSuchAlgorithmException {
         MessageDigest md = MessageDigest.getInstance(SHA_256);
-        byte[] digest = md.digest(codeVerifier.getBytes(StandardCharsets.UTF_8));
+        byte[] digest = md.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
         return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
     }
-
 }
 

src/main/java/com/aliyunidaas/sample/common/cache/CacheManager.java

@@ -9,15 +9,15 @@
  **/
 public interface CacheManager {
     /**
-     * set cache
+     * 设置缓存
      *
      * @param cacheKey 缓存key
      * @param cacheValue 缓存value
      */
     void setCache(String cacheKey, Object cacheValue);
 
     /**
-     * get cache
+     * 获取缓存
      *
      * @param cacheKey 缓存key
      * @return value

src/main/java/com/aliyunidaas/sample/common/cache/LocalCacheManager.java

@@ -8,7 +8,7 @@
 
 /**
  * Copyright (c)  Alibaba Cloud Computing
- * Description:  This project is a demo example. It is recommended to use cache middleware (redis) for storage in the project
+ * Description:  本示例为demo演示示例，在实际项目中建议使用第三方缓存（如redis）
  *
  * @date: 2022/6/30 10:11 AM
  * @author: longqiuling

src/main/java/com/aliyunidaas/sample/common/config/CustomOidcConfiguration.java

@@ -2,9 +2,14 @@
 
 import com.aliyunidaas.sample.common.factory.CodeChallengeMethodFactory;
 import com.aliyunidaas.sample.common.factory.ParameterNameFactory;
+import org.apache.commons.lang.StringUtils;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
 
+import javax.annotation.PostConstruct;
+import java.net.URI;
+import java.net.URISyntaxException;
+
 /**
  * Copyright (c)  Alibaba Cloud Computing
  * Description:
@@ -16,7 +21,7 @@
 @ConfigurationProperties("idaas.oidc")
 public class CustomOidcConfiguration {
 
-    private boolean openPkce = false;
+    private boolean pkceRequired = false;
 
     private String codeChallengeMethod = CodeChallengeMethodFactory.SHA_256;
 
@@ -33,12 +38,41 @@ public class CustomOidcConfiguration {
     public CustomOidcConfiguration() {
     }
 
-    public boolean isOpenPkce() {
-        return openPkce;
+    @PostConstruct
+    private void valid() throws Exception {
+        if (StringUtils.isBlank(clientId)) {
+            throw new Exception(ParameterNameFactory.CLIENT_ID_IS_NULL);
+        }
+        if (StringUtils.isBlank(clientSecret)) {
+            throw new Exception(ParameterNameFactory.CLIENT_SECRET_IS_NULL);
+        }
+        if (StringUtils.isBlank(issuer)) {
+            throw new Exception(ParameterNameFactory.ISSUER_IS_NULL);
+        }
+        if (StringUtils.isBlank(redirectUri)) {
+            throw new Exception(ParameterNameFactory.REDIRECT_URI_IS_NULL);
+        }
+        validRedirectUri();
+    }
+
+    private void validRedirectUri() throws Exception {
+        URI uri = null;
+        try {
+            uri = new URI(redirectUri);
+        } catch (URISyntaxException e) {
+            throw new Exception(ParameterNameFactory.REDIRECT_URI_IS_VALID);
+        }
+        if (uri.getHost() == null) {
+            throw new Exception(ParameterNameFactory.REDIRECT_URI_IS_VALID);
+        }
+    }
+
+    public boolean isPkceRequired() {
+        return pkceRequired;
     }
 
-    public void setOpenPkce(boolean openPkce) {
-        this.openPkce = openPkce;
+    public void setPkceRequired(boolean pkceRequired) {
+        this.pkceRequired = pkceRequired;
     }
 
     public String getCodeChallengeMethod() {

src/main/java/com/aliyunidaas/sample/common/config/WebAppConfigurer.java

@@ -27,6 +27,5 @@ SimpleAuthnInterceptor simpleAuthnInterceptor() {
     public void addInterceptors(InterceptorRegistry registry) {
         registry.addInterceptor(simpleAuthnInterceptor())
                 .addPathPatterns("/token/**");
-
     }
 }

src/main/java/com/aliyunidaas/sample/common/factory/CodeChallengeMethodFactory.java

@@ -6,10 +6,15 @@
  *
  * @date: 2022/6/30 7:32 PM
  * @author: longqiuling
+ * CodeChallengeMethod 方法,详情查看RFC标准: @see "https://datatracker.ietf.org/doc/html/rfc7636"
  **/
 public class CodeChallengeMethodFactory {
-
+    /**
+     * S256
+     */
     public static final String SHA_256 = "S256";
-
+    /**
+     * 原文
+     */
     public static final String PLAIN = "plain";
 }