SUB in ID token is memberId

zabiny · Sep 16, 2024 · 496241d · 496241d
1 parent 1695964
commit 496241d
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 49 deletions.
diff --git a/backend/src/main/java/club/klabis/config/authserver/LoginPageSecurityConfiguration.java b/backend/src/main/java/club/klabis/config/authserver/LoginPageSecurityConfiguration.java
@@ -13,8 +13,6 @@
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 
-import static org.springframework.security.config.Customizer.withDefaults;
-
 @EnableWebSecurity
 @Configuration(proxyBeanMethods = false)
 public class LoginPageSecurityConfiguration {

diff --git a/backend/src/main/java/club/klabis/config/authserver/TokenConfiguration.java b/backend/src/main/java/club/klabis/config/authserver/TokenConfiguration.java
@@ -1,23 +1,23 @@
 package club.klabis.config.authserver;
 
 import club.klabis.config.authserver.generatejwtkeys.JKWKeyGenerator;
+import club.klabis.domain.appusers.ApplicationUser;
+import club.klabis.domain.appusers.ApplicationUsersRepository;
+import club.klabis.domain.members.MembersRepository;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.ClassPathResource;
-import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
-import org.springframework.security.oauth2.server.authorization.token.*;
-import org.springframework.util.StringUtils;
+import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
+import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 
 import java.io.IOException;
 import java.text.ParseException;
-import java.util.stream.Collectors;
 
 @Configuration(proxyBeanMethods = false)
 public class TokenConfiguration {
@@ -29,47 +29,51 @@ public JWKSource<SecurityContext> jwkSource() throws IOException, ParseException
         System.out.println(jwkSet.toString());
         return new ImmutableJWKSet<>(jwkSet);
     }
-//
-//    @Bean
-//    public OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator(
-//            OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessTokenCustomizer, JwtGenerator jwtgenerator
-//    ) {
-//        OAuth2AccessTokenGenerator accessTokenGenerator = new OAuth2AccessTokenGenerator();
-//        accessTokenGenerator.setAccessTokenCustomizer(accessTokenCustomizer);
-//        OAuth2RefreshTokenGenerator refreshTokenGenerator = new OAuth2RefreshTokenGenerator();
-//
-//        return new DelegatingOAuth2TokenGenerator(
-//                jwtgenerator, accessTokenGenerator, refreshTokenGenerator
-//        );
-//    }
 
     @Bean
-    public OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessTokenCustomizer() {
-        return context -> {
-            UserDetails userDetails = null;
-
-            if (context.getPrincipal() instanceof OAuth2ClientAuthenticationToken) {
-                userDetails = (UserDetails) context.getPrincipal().getDetails();
-            } else if (context.getPrincipal() instanceof AbstractAuthenticationToken) {
-                userDetails = (UserDetails) context.getPrincipal().getPrincipal();
-            } else {
-                throw new IllegalStateException("Unexpected token type");
-            }
-
-            if (!StringUtils.hasText(userDetails.getUsername())) {
-                throw new IllegalStateException("Bad UserDetails, username is empty");
+    public OAuth2TokenCustomizer<JwtEncodingContext> jwtTokenCustomizer(
+            ApplicationUsersRepository appusersRepository, MembersRepository membersRepository) {
+        return (context) -> {
+            if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
+                appusersRepository.findByUserName(context.getPrincipal().getName()).flatMap(ApplicationUser::getMemberId).ifPresent(memberId -> {
+                    context.getClaims().claim(StandardClaimNames.PREFERRED_USERNAME, context.getPrincipal().getName());
+                    context.getClaims().claim(StandardClaimNames.SUB, memberId);
+                    membersRepository.findById(memberId).ifPresent(existingMember -> {
+                        context.getClaims().claim(StandardClaimNames.GIVEN_NAME, existingMember.getFirstName());
+                        context.getClaims().claim(StandardClaimNames.FAMILY_NAME, existingMember.getLastName());
+                    });
+                });
             }
-
-            context.getClaims()
-                    .claim(
-                            "authorities",
-                            userDetails.getAuthorities().stream()
-                                    .map(GrantedAuthority::getAuthority)
-                                    .collect(Collectors.toSet())
-                    )
-                    .claim(
-                            "username", userDetails.getUsername()
-                    );
         };
     }
+
+//    @Bean
+//    public OAuth2TokenCustomizer<OAuth2TokenClaimsContext> opaqueTokenCustomizer() {
+//        return context -> {
+//            UserDetails userDetails = null;
+//
+//            if (context.getPrincipal() instanceof OAuth2ClientAuthenticationToken) {
+//                userDetails = (UserDetails) context.getPrincipal().getDetails();
+//            } else if (context.getPrincipal() instanceof AbstractAuthenticationToken) {
+//                userDetails = (UserDetails) context.getPrincipal().getPrincipal();
+//            } else {
+//                throw new IllegalStateException("Unexpected token type");
+//            }
+//
+//            if (!StringUtils.hasText(userDetails.getUsername())) {
+//                throw new IllegalStateException("Bad UserDetails, username is empty");
+//            }
+//
+//            context.getClaims()
+//                    .claim(
+//                            "authorities",
+//                            userDetails.getAuthorities().stream()
+//                                    .map(GrantedAuthority::getAuthority)
+//                                    .collect(Collectors.toSet())
+//                    )
+//                    .claim(
+//                            "username", userDetails.getUsername()
+//                    );
+//        };
+//    }
 }
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
@@ -120,8 +120,9 @@ spring:
             client-secret: ${GOOGLE_CLIENT_SECRET}
             scope:
               - openid
-              - profile
-              - email
+          #              - profile
+          #              - email
+
           #          facebook:
           #            client-id:
           #            client-secret: 6fb95f47d2e27faf28fff9ac93d28184