package com.heaerie.server.auth201.Auth201Server.config; import com.nimbusds.jose.jwk.JWKSet; import com.nimbusds.jose.jwk.RSAKey; import com.nimbusds.jose.jwk.source.ImmutableJWKSet; import com.nimbusds.jose.jwk.source.JWKSource; import com.nimbusds.jose.proc.SecurityContext; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.Customizer; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.oauth2.core.AuthorizationGrantType; import org.springframework.security.oauth2.core.ClientAuthenticationMethod; import org.springframework.security.oauth2.core.oidc.OidcScopes; import org.springframework.security.oauth2.jwt.JwtDecoder; import org.springframework.security.oauth2.jwt.NimbusJwtDecoder; import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.client.RegisteredClient; import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository; import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings; import org.springframework.security.oauth2.server.authorization.settings.ClientSettings; import org.springframework.security.oauth2.server.authorization.settings.TokenSettings; import org.springframework.security.provisioning.InMemoryUserDetailsManager; import org.springframework.security.web.SecurityFilterChain; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.interfaces.RSAPrivateKey; import java.security.interfaces.RSAPublicKey; import java.time.Duration; import java.util.UUID; @Configuration @EnableWebSecurity public class SecurityConfig { /** * Default Security Filter Chain for authentication * Handles login and OAuth 2.1 authorization */ @Bean public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { http .authorizeHttpRequests(authorize -> authorize .requestMatchers("/", "/h2-console/**").permitAll() .anyRequest().authenticated() ) .formLogin(Customizer.withDefaults()) .oauth2ResourceServer(oauth2 -> oauth2 .jwt(Customizer.withDefaults()) ); // Allow H2 console access (development only) http.csrf(csrf -> csrf .ignoringRequestMatchers("/h2-console/**") ); http.headers(headers -> headers .frameOptions(frame -> frame.sameOrigin()) ); return http.build(); } /** * Registered Client Repository with OAuth 2.1 compliant configuration * This example uses in-memory storage, but you can implement database storage */ @Bean public RegisteredClientRepository registeredClientRepository() { // OAuth 2.1 Public Client with PKCE (recommended for SPAs and mobile apps) RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString()) .clientId("public-client") // No client secret for public clients (OAuth 2.1 requirement) .clientAuthenticationMethod(ClientAuthenticationMethod.NONE) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN) .redirectUri("http://127.0.0.1:8080/login/oauth2/code/public-client") .redirectUri("http://127.0.0.1:8080/authorized") .postLogoutRedirectUri("http://127.0.0.1:8080/logged-out") .scope(OidcScopes.OPENID) .scope(OidcScopes.PROFILE) .scope(OidcScopes.EMAIL) .scope("read") .scope("write") .clientSettings(ClientSettings.builder() .requireAuthorizationConsent(true) .requireProofKey(true) // PKCE is required (OAuth 2.1) .build()) .tokenSettings(TokenSettings.builder() .accessTokenTimeToLive(Duration.ofMinutes(15)) .refreshTokenTimeToLive(Duration.ofHours(24)) .reuseRefreshTokens(false) // OAuth 2.1: Refresh token rotation .build()) .build(); // OAuth 2.1 Confidential Client (for server-to-server) RegisteredClient confidentialClient = RegisteredClient.withId(UUID.randomUUID().toString()) .clientId("confidential-client") .clientSecret("{bcrypt}$2a$10$MJJhX9K8bGqVHJwF8X8o6O5fF5F5F5F5F5F5F5F5F5F5F5F5F5F5F") // "secret" .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN) .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS) .redirectUri("http://127.0.0.1:8080/login/oauth2/code/confidential-client") .redirectUri("http://127.0.0.1:8080/authorized") .postLogoutRedirectUri("http://127.0.0.1:8080/logged-out") .scope(OidcScopes.OPENID) .scope(OidcScopes.PROFILE) .scope(OidcScopes.EMAIL) .scope("read") .scope("write") .clientSettings(ClientSettings.builder() .requireAuthorizationConsent(true) .requireProofKey(true) // PKCE recommended even for confidential clients .build()) .tokenSettings(TokenSettings.builder() .accessTokenTimeToLive(Duration.ofMinutes(15)) .refreshTokenTimeToLive(Duration.ofHours(24)) .reuseRefreshTokens(false) // OAuth 2.1: Refresh token rotation .build()) .build(); return new InMemoryRegisteredClientRepository(publicClient, confidentialClient); } /** * User Details Service for authentication * In production, this should be backed by a database */ @Bean public UserDetailsService userDetailsService() { UserDetails user = User.builder() .username("user") .password(passwordEncoder().encode("password")) .roles("USER") .build(); UserDetails admin = User.builder() .username("admin") .password(passwordEncoder().encode("admin")) .roles("USER", "ADMIN") .build(); return new InMemoryUserDetailsManager(user, admin); } /** * Password Encoder */ @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } /** * JWK Source for signing JWT tokens */ @Bean public JWKSource jwkSource() { KeyPair keyPair = generateRsaKey(); RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic(); RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate(); RSAKey rsaKey = new RSAKey.Builder(publicKey) .privateKey(privateKey) .keyID(UUID.randomUUID().toString()) .build(); JWKSet jwkSet = new JWKSet(rsaKey); return new ImmutableJWKSet<>(jwkSet); } /** * Generate RSA key pair for JWT signing */ private static KeyPair generateRsaKey() { KeyPair keyPair; try { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(2048); keyPair = keyPairGenerator.generateKeyPair(); } catch (Exception ex) { throw new IllegalStateException(ex); } return keyPair; } /** * JWT Decoder for validating JWT tokens */ @Bean public JwtDecoder jwtDecoder(JWKSource jwkSource) { return NimbusJwtDecoder.withJwkSetUri("http://localhost:9000/oauth2/jwks").build(); } /** * Authorization Server Settings * Configures the OAuth 2.1 endpoints */ @Bean public AuthorizationServerSettings authorizationServerSettings() { return AuthorizationServerSettings.builder() .issuer("http://localhost:9000") .build(); } }