diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..e083c83 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +.idea +.gradle +build + diff --git a/README.md b/README.md new file mode 100644 index 0000000..c3e6793 --- /dev/null +++ b/README.md @@ -0,0 +1,41 @@ +# Auth0 Integration Demo Service + +This Spring Boot service showcases how to use Auth0 to protect endpoints. + +## Pre-Requisites + +1. Have an Auth0 account +2. Have an Auth0 application and an Auth0 API +3. Have a created user with 2 roles: "read:snippets" and "write:snippets". You must create them in the API first as they are linked to it. +4. Allow the Auth0 application to use the "password" Grant-Type +5. Set a database connection default for the tenant. + +With this resources created, you will have to set the following environment variables: + +- `AUTH0_AUDIENCE`: use the "audience" value you set when first creating the Auth0 API +- `AUTH_SERVER_URI`: use the url set to you as Auth0 tenant. It will have the following format: "dev-****.us.auth0.com" +- `AUTH_CLIENT_ID`: use the client ID in your "API" Application (when you created the Auth0 API it also created an Application for you) +- `AUTH_CLIENT_SECRET`: use the client secret in your "API" Application (when you created the Auth0 API it also created an Application for you) + +## How to use + +First you need to get an Auth Token in behalf of the Resource Owner (the user you created). +To do this you can run the following curl: + +```shell +curl --location '' \ +--data-urlencode 'grant_type=password' \ +--data-urlencode 'username=' \ +--data-urlencode 'password=' \ +--data-urlencode 'audience=' \ +--data-urlencode 'scope=read:snippets write:snippets' \ +--data-urlencode 'client_id=' \ +--data-urlencode 'client_secret=' +``` + +Grab the "access_token" field in the response and use it as Bearer token for your requests. + +## Trying out role based auth + +In the section above we requested an auth token with both "read" and "write" scoped. Try requesting only "read" scopes +and Posting a resource to the server and the other way around. \ No newline at end of file diff --git a/build.gradle b/build.gradle new file mode 100644 index 0000000..ee1cb76 --- /dev/null +++ b/build.gradle @@ -0,0 +1,42 @@ +import org.jetbrains.kotlin.gradle.tasks.KotlinCompile + +plugins { + id 'org.springframework.boot' version '3.2.5' + id 'io.spring.dependency-management' version '1.1.4' + id 'org.jetbrains.kotlin.jvm' version '1.9.23' + id 'org.jetbrains.kotlin.plugin.spring' version '1.9.23' +} + +group = 'org.austral.ingsis' +version = '0.0.1-SNAPSHOT' + +java { + sourceCompatibility = '17' +} + +repositories { + mavenCentral() +} + +dependencies { + implementation 'org.springframework.boot:spring-boot-starter-web' + implementation 'com.fasterxml.jackson.module:jackson-module-kotlin' + implementation 'io.projectreactor.kotlin:reactor-kotlin-extensions' + implementation 'org.jetbrains.kotlinx:kotlinx-coroutines-reactor' + implementation 'org.springframework.boot:spring-boot-starter-actuator' + testImplementation 'org.springframework.boot:spring-boot-starter-test' + testImplementation 'io.projectreactor:reactor-test' + implementation 'org.springframework.boot:spring-boot-starter-security' + implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server' +} + +tasks.withType(KotlinCompile) { + kotlinOptions { + freeCompilerArgs += '-Xjsr305=strict' + jvmTarget = '17' + } +} + +tasks.named('test') { + useJUnitPlatform() +} diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar new file mode 100644 index 0000000..e644113 Binary files /dev/null and b/gradle/wrapper/gradle-wrapper.jar differ diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties new file mode 100644 index 0000000..b82aa23 --- /dev/null +++ b/gradle/wrapper/gradle-wrapper.properties @@ -0,0 +1,7 @@ +distributionBase=GRADLE_USER_HOME +distributionPath=wrapper/dists +distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip +networkTimeout=10000 +validateDistributionUrl=true +zipStoreBase=GRADLE_USER_HOME +zipStorePath=wrapper/dists diff --git a/gradlew b/gradlew new file mode 100755 index 0000000..1aa94a4 --- /dev/null +++ b/gradlew @@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. +if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. + +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat new file mode 100644 index 0000000..7101f8e --- /dev/null +++ b/gradlew.bat @@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 1>&2 +echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 1>&2 +echo. 1>&2 +echo Please set the JAVA_HOME variable in your environment to match the 1>&2 +echo location of your Java installation. 1>&2 + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/settings.gradle b/settings.gradle new file mode 100644 index 0000000..b5a474a --- /dev/null +++ b/settings.gradle @@ -0,0 +1 @@ +rootProject.name = 'auth' diff --git a/src/main/kotlin/org/austral/ingsis/auth/AuthenticationServiceApplication.kt b/src/main/kotlin/org/austral/ingsis/auth/AuthenticationServiceApplication.kt new file mode 100644 index 0000000..5a59802 --- /dev/null +++ b/src/main/kotlin/org/austral/ingsis/auth/AuthenticationServiceApplication.kt @@ -0,0 +1,49 @@ +package org.austral.ingsis.auth + +import org.springframework.boot.autoconfigure.SpringBootApplication +import org.springframework.boot.runApplication +import org.springframework.security.access.prepost.PreAuthorize +import org.springframework.security.core.annotation.AuthenticationPrincipal +import org.springframework.security.oauth2.jwt.Jwt +import org.springframework.web.bind.annotation.GetMapping +import org.springframework.web.bind.annotation.PathVariable +import org.springframework.web.bind.annotation.PostMapping +import org.springframework.web.bind.annotation.RequestBody +import org.springframework.web.bind.annotation.RestController + + +@RestController +@SpringBootApplication +class AuthenticationServiceApplication { + + @GetMapping("/") + fun index(): String { + return "I'm Alive!" + } + + @GetMapping("/jwt") + fun jwt(@AuthenticationPrincipal jwt: Jwt): String { + return jwt.tokenValue + } + + @GetMapping("/snippets") + fun getAllMessages(): String { + return "secret message" + } + + @GetMapping("/snippets/{id}") + fun getSingleMessage(@PathVariable id: String): String { + return "secret message $id" + } + + @PostMapping("/snippets") + fun createMessage(@RequestBody message: String?): String { + return String.format("Message was created. Content: %s", message) + } +} + +fun main(args: Array) { + runApplication(*args) +} + + diff --git a/src/main/kotlin/org/austral/ingsis/auth/security/AudienceValidator.kt b/src/main/kotlin/org/austral/ingsis/auth/security/AudienceValidator.kt new file mode 100644 index 0000000..8ff68ec --- /dev/null +++ b/src/main/kotlin/org/austral/ingsis/auth/security/AudienceValidator.kt @@ -0,0 +1,18 @@ +package org.austral.ingsis.auth.security + +import org.springframework.security.oauth2.core.OAuth2Error +import org.springframework.security.oauth2.core.OAuth2TokenValidator +import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult +import org.springframework.security.oauth2.jwt.Jwt + +class AudienceValidator(private val audience: String) : OAuth2TokenValidator { + override fun validate(jwt: Jwt): OAuth2TokenValidatorResult { + val error = OAuth2Error("invalid_token", "The required audience is missing", null) + + return if (jwt.audience.contains(audience)) { + OAuth2TokenValidatorResult.success() + } else { + OAuth2TokenValidatorResult.failure(error) + } + } +} \ No newline at end of file diff --git a/src/main/kotlin/org/austral/ingsis/auth/security/OAuth2ResourceServerSecurityConfiguration.kt b/src/main/kotlin/org/austral/ingsis/auth/security/OAuth2ResourceServerSecurityConfiguration.kt new file mode 100644 index 0000000..3eb8cfe --- /dev/null +++ b/src/main/kotlin/org/austral/ingsis/auth/security/OAuth2ResourceServerSecurityConfiguration.kt @@ -0,0 +1,54 @@ +package org.austral.ingsis.auth.security + +import org.springframework.beans.factory.annotation.Value +import org.springframework.context.annotation.Bean +import org.springframework.context.annotation.Configuration +import org.springframework.http.HttpMethod.GET +import org.springframework.http.HttpMethod.POST +import org.springframework.security.config.Customizer.withDefaults +import org.springframework.security.config.annotation.web.builders.HttpSecurity +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity +import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator +import org.springframework.security.oauth2.core.OAuth2TokenValidator +import org.springframework.security.oauth2.jwt.Jwt +import org.springframework.security.oauth2.jwt.JwtDecoder +import org.springframework.security.oauth2.jwt.JwtValidators +import org.springframework.security.oauth2.jwt.NimbusJwtDecoder +import org.springframework.security.web.SecurityFilterChain + +@Configuration +@EnableWebSecurity +class OAuth2ResourceServerSecurityConfiguration(@Value("\${auth0.audience}") + val audience: String, + @Value("\${spring.security.oauth2.resourceserver.jwt.issuer-uri}") + val issuer: String,) { + @Bean + fun filterChain(http: HttpSecurity): SecurityFilterChain { + http.authorizeHttpRequests { + it + .requestMatchers("/").permitAll() + .requestMatchers(GET, "/snippets").hasAuthority("SCOPE_read:snippets") + .requestMatchers(GET, "/snippets/*").hasAuthority("SCOPE_read:snippets") + .requestMatchers(POST, "/snippets").hasAuthority("SCOPE_write:snippets") + .anyRequest().authenticated() + } + .oauth2ResourceServer { it.jwt(withDefaults()) } + .cors { + it.disable() + } + .csrf { + it.disable() + } + return http.build() + } + + @Bean + fun jwtDecoder(): JwtDecoder { + val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer).build() + val audienceValidator: OAuth2TokenValidator = AudienceValidator(audience) + val withIssuer: OAuth2TokenValidator = JwtValidators.createDefaultWithIssuer(issuer) + val withAudience: OAuth2TokenValidator = DelegatingOAuth2TokenValidator(withIssuer, audienceValidator) + jwtDecoder.setJwtValidator(withAudience) + return jwtDecoder + } +} \ No newline at end of file diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml new file mode 100644 index 0000000..8353f42 --- /dev/null +++ b/src/main/resources/application.yml @@ -0,0 +1,12 @@ +auth0: + audience: ${AUTH0_AUDIENCE} +spring: + application: + name: resource-service-with-auth-example + security: + oauth2: + resourceserver: + jwt: + issuer-uri: ${AUTH_SERVER_URI} + client-id: ${AUTH_CLIENT_ID} + client-secret: ${AUTH_CLIENT_SECRET} diff --git a/src/test/kotlin/org/austral/ingsis/auth/AuthenticationServiceApplicationTests.kt b/src/test/kotlin/org/austral/ingsis/auth/AuthenticationServiceApplicationTests.kt new file mode 100644 index 0000000..ba7c915 --- /dev/null +++ b/src/test/kotlin/org/austral/ingsis/auth/AuthenticationServiceApplicationTests.kt @@ -0,0 +1,13 @@ +package org.austral.ingsis.auth + +import org.junit.jupiter.api.Test +import org.springframework.boot.test.context.SpringBootTest + +@SpringBootTest +class AuthenticationServiceApplicationTests { + + @Test + fun contextLoads() { + } + +}