diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1ae4173..0afd789 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,6 +1,6 @@
 # Common Logic
 machine: &machine-cfg
- image: ubuntu-2004:202107-02
+ image: ubuntu-2204:2023.10.1
 version: 2.1
@@ -102,7 +102,7 @@ jobs:
 - checkout
 - run:
 name: Clone test script
- command: git clone -b v0.0.1 --depth 1 https://github.com/auth0-samples/api-quickstarts-tests test
+ command: git clone -b v0.0.3 --depth 1 https://github.com/auth0-samples/api-quickstarts-tests test
 - persist_to_workspace:
 root: ~/
 paths:
diff --git a/01-Authorization-MVC/Dockerfile b/01-Authorization-MVC/Dockerfile
index e01604f..d0fa659 100644
--- a/01-Authorization-MVC/Dockerfile
+++ b/01-Authorization-MVC/Dockerfile
@@ -1,4 +1,4 @@
-FROM gradle:5.4.1-jdk8
+FROM gradle:8.4-jdk17
 WORKDIR /tmp
 ADD . /tmp
diff --git a/01-Authorization-MVC/README.md b/01-Authorization-MVC/README.md
index fde8117..8ecb1de 100644
--- a/01-Authorization-MVC/README.md
+++ b/01-Authorization-MVC/README.md
@@ -2,13 +2,12 @@
 This sample demonstrates:
-- Configuring a Spring Boot MVC application as a Resource Server
-- Using and extending Spring Security to validate JWTs
+- Using the [Okta Spring Boot Starter](https://github.com/okta/okta-spring-boot) to configure a Spring Boot Servlet Resource Server
 - Protecting APIs to only allow authorized access
 ## Prerequisites
-- Java 8 or greater
+- Java 17 or greater
 - An Auth0 account
 ## Setup
@@ -26,16 +25,12 @@
 The project needs to be configured with your Auth0 domain and API Identifier. To do this, first copy `src/main/resources/application.yml.example` into a new file in the same folder called `src/main/resources/application.yml`, and replace the values with your own Auth0 domain and API Identifier:
 ```yaml
-auth0:
- audience: {API_IDENTIFIER}
-
-spring:
- security:
- oauth2:
- resourceserver:
- jwt:
- # Note the trailing slash is important!
- issuer-uri: https://{DOMAIN}/
+okta:
+ oauth2:
+ # Replace with the domain of your Auth0 tenant.
+ issuer: https://{DOMAIN}/
+ # Replace with the API Identifier for your Auth0 API.
+ audience: {AUDIENCE}
 ```
 ## Running
diff --git a/01-Authorization-MVC/build.gradle b/01-Authorization-MVC/build.gradle
index 03709ab..846d7ef 100644
--- a/01-Authorization-MVC/build.gradle
+++ b/01-Authorization-MVC/build.gradle
@@ -6,21 +6,24 @@ buildscript {
 plugins {
 id 'java'
- id 'org.springframework.boot' version '2.7.0'
- id 'io.spring.dependency-management' version '1.1.0'
+ id 'org.springframework.boot' version '3.1.5'
+ id 'io.spring.dependency-management' version '1.1.3'
 }
 group = 'com.auth0'
 version = '0.0.1-SNAPSHOT'
-sourceCompatibility = '1.8'
+
+java {
+ sourceCompatibility = '17'
+}
 repositories {
 mavenCentral()
 }
 dependencies {
+ implementation 'com.okta.spring:okta-spring-boot-starter:3.0.5'
 implementation 'org.springframework.boot:spring-boot-starter-web'
- implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
 testImplementation 'org.springframework.security:spring-security-test'
 testImplementation 'org.springframework.boot:spring-boot-starter-test'
diff --git a/01-Authorization-MVC/gradle/wrapper/gradle-wrapper.jar b/01-Authorization-MVC/gradle/wrapper/gradle-wrapper.jar
index 5c2d1cf..943f0cb 100644
Binary files a/01-Authorization-MVC/gradle/wrapper/gradle-wrapper.jar and b/01-Authorization-MVC/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/01-Authorization-MVC/gradle/wrapper/gradle-wrapper.properties b/01-Authorization-MVC/gradle/wrapper/gradle-wrapper.properties index ffed3a2..744c64d 100644 --- a/01-Authorization-MVC/gradle/wrapper/gradle-wrapper.properties +++ b/01-Authorization-MVC/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-7.2-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip +networkTimeout=10000 zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/01-Authorization-MVC/gradlew b/01-Authorization-MVC/gradlew index b0d6d0a..65dcd68 100755 --- a/01-Authorization-MVC/gradlew +++ b/01-Authorization-MVC/gradlew @@ -1,13 +1,13 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, 
@@ -17,78 +17,113 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + # Determine the Java command to use to start the JVM. 
if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME @@ -97,7 +132,7 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" + JAVACMD=java which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the 
@@ -105,84 +140,105 @@ location of your Java installation." fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) -# For Cygwin, switch paths to Windows format before running java -if $cygwin ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=$((i+1)) + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. 
+ shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - (0) set -- ;; - (1) set -- "$args0" ;; - (2) set -- "$args0" "$args1" ;; - (3) set -- "$args0" "$args1" "$args2" ;; - (4) set -- "$args0" "$args1" "$args2" "$args3" ;; - (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=$(save "$@") +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# -# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong -if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then - cd "$(dirname "$0")" -fi +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/01-Authorization-MVC/gradlew.bat b/01-Authorization-MVC/gradlew.bat index 15e1ee3..6689b85 100644 --- a/01-Authorization-MVC/gradlew.bat +++ b/01-Authorization-MVC/gradlew.bat @@ -5,7 +5,7 @@ @rem you may not use this file except in compliance with the License. @rem You may obtain a copy of the License at @rem -@rem http://www.apache.org/licenses/LICENSE-2.0 +@rem https://www.apache.org/licenses/LICENSE-2.0 @rem @rem Unless required by applicable law or agreed to in writing, software @rem distributed under the License is distributed on an "AS IS" BASIS, @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows 
@@ -25,10 +25,14 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" @@ -37,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto init +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -51,7 +55,7 @@ goto fail set JAVA_HOME=%JAVA_HOME:"=% set JAVA_EXE=%JAVA_HOME%/bin/java.exe -if exist "%JAVA_EXE%" goto init +if exist "%JAVA_EXE%" goto execute echo. echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 
@@ -61,38 +65,26 @@ echo location of your Java installation. goto fail -:init -@rem Get command-line arguments, handling Windows variants - -if not "%OS%" == "Windows_NT" goto win9xME_args - -:win9xME_args -@rem Slurp the command line arguments. -set CMD_LINE_ARGS= -set _SKIP=2 - -:win9xME_args_slurp -if "x%~1" == "x" goto execute - -set CMD_LINE_ARGS=%* - :execute @rem Setup the command line set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + @rem Execute Gradle -"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/01-Authorization-MVC/src/main/java/com/auth0/example/model/Message.java b/01-Authorization-MVC/src/main/java/com/auth0/example/model/Message.java index 9923910..bf78d34 100644 --- a/01-Authorization-MVC/src/main/java/com/auth0/example/model/Message.java +++ b/01-Authorization-MVC/src/main/java/com/auth0/example/model/Message.java 
@@ -3,15 +3,4 @@
 /**
 * Simple domain object for our API to return a message.
 */
-public class Message {
- private final String message;
-
- public Message(String message) {
- this.message = message;
- }
-
- @SuppressWarnings("unused")
- public String getMessage() {
- return this.message;
- }
-}
+public record Message(String message) {}
diff --git a/01-Authorization-MVC/src/main/java/com/auth0/example/security/AudienceValidator.java b/01-Authorization-MVC/src/main/java/com/auth0/example/security/AudienceValidator.java
deleted file mode 100644
index 97cb7cb..0000000
--- a/01-Authorization-MVC/src/main/java/com/auth0/example/security/AudienceValidator.java
+++ /dev/null
@@ -1,27 +0,0 @@
-package com.auth0.example.security;
-
-import org.springframework.security.oauth2.core.OAuth2Error;
-import org.springframework.security.oauth2.core.OAuth2TokenValidator;
-import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
-import org.springframework.security.oauth2.jwt.Jwt;
-
-/**
- * Validates that the JWT token contains the intended audience in its claims.
- */
-class AudienceValidator implements OAuth2TokenValidator {
- private final String audience;
-
- AudienceValidator(String audience) {
- this.audience = audience;
- }
-
- public OAuth2TokenValidatorResult validate(Jwt jwt) {
- OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
-
- if (jwt.getAudience().contains(audience)) {
- return OAuth2TokenValidatorResult.success();
- }
-
- return OAuth2TokenValidatorResult.failure(error);
- }
-}
diff --git a/01-Authorization-MVC/src/main/java/com/auth0/example/security/SecurityConfig.java b/01-Authorization-MVC/src/main/java/com/auth0/example/security/SecurityConfig.java
index ff020de..a1c263e 100644
--- a/01-Authorization-MVC/src/main/java/com/auth0/example/security/SecurityConfig.java
+++ b/01-Authorization-MVC/src/main/java/com/auth0/example/security/SecurityConfig.java
@@ -1,58 +1,36 @@
 package com.auth0.example.security;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
-import org.springframework.security.oauth2.core.OAuth2TokenValidator;
-import org.springframework.security.oauth2.jwt.*;
 import org.springframework.security.web.SecurityFilterChain;
+import static org.springframework.security.config.Customizer.withDefaults;
+
 /**
 * Configures our application with Spring Security to restrict access to our API endpoints.
 */
-@EnableWebSecurity
+@Configuration
 public class SecurityConfig {
- @Value("${auth0.audience}")
- private String audience;
-
- @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
- private String issuer;
-
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 /* This is where we configure the security required for our endpoints and setup our app to serve as an OAuth2 Resource Server, using JWT validation. */
- http.authorizeRequests()
- .mvcMatchers("/api/public").permitAll()
- .mvcMatchers("/api/private").authenticated()
- .mvcMatchers("/api/private-scoped").hasAuthority("SCOPE_read:messages")
- .and().cors()
- .and().oauth2ResourceServer().jwt();
- return http.build();
- }
-
- @Bean
- JwtDecoder jwtDecoder() {
- /*
- By default, Spring Security does not validate the "aud" claim of the token, to ensure that this token is
- indeed intended for our app.
Adding our own validator is easy to do:
- */
-
- NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder)
- JwtDecoders.fromOidcIssuerLocation(issuer);
-
- OAuth2TokenValidator audienceValidator = new AudienceValidator(audience);
- OAuth2TokenValidator withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
- OAuth2TokenValidator withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
-
- jwtDecoder.setJwtValidator(withAudience);
-
- return jwtDecoder;
+ return http
+ .authorizeHttpRequests((authorize) -> authorize
+ .requestMatchers("/api/public").permitAll()
+ .requestMatchers("/api/private").authenticated()
+ .requestMatchers("/api/private-scoped").hasAuthority("SCOPE_read:messages")
+ )
+ .cors(withDefaults())
+ .oauth2ResourceServer(oauth2 -> oauth2
+ .jwt(withDefaults())
+ )
+ .build();
 }
 }
diff --git a/01-Authorization-MVC/src/main/resources/application.yml.example b/01-Authorization-MVC/src/main/resources/application.yml.example
index 8240a92..3306585 100644
--- a/01-Authorization-MVC/src/main/resources/application.yml.example
+++ b/01-Authorization-MVC/src/main/resources/application.yml.example
@@ -2,17 +2,9 @@ debug: true
 server:
 port: 3010
-auth0:
- # Replace with the API Identifier for your Auth0 API.
- audience: {API_IDENTIFIER}
-
-# The following is standard Spring Security OAuth2 configuration.
-spring:
- security:
- oauth2:
- resourceserver:
- jwt:
- # Replace with the domain of your Auth0 tenant.
- # Note the trailing slash is important!
- issuer-uri: https://{DOMAIN}/
-
\ No newline at end of file
+okta:
+ oauth2:
+ # Replace with the domain of your Auth0 tenant.
+ issuer: https://{DOMAIN}/
+ # Replace with the API Identifier for your Auth0 API.
+ audience: {API_IDENTIFIER}
diff --git a/01-Authorization-WebFlux/Dockerfile b/01-Authorization-WebFlux/Dockerfile
index e01604f..d0fa659 100644
--- a/01-Authorization-WebFlux/Dockerfile
+++ b/01-Authorization-WebFlux/Dockerfile
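Review bot: With the custom `JwtDecoder` bean and `AudienceValidator` removed, `filterChain` no longer shows where the token's `aud` claim is checked; the new `.oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))` presumably leaves issuer and audience validation to the Okta starter, driven by `okta.oauth2.issuer` / `okta.oauth2.audience` from the example config in this same diff — confirm against the starter's auto-configuration and record it, otherwise a reader will assume audience validation was dropped. Suggested comment above the `return http` line: `// Issuer and audience ("aud") validation of the JWT are configured by the Okta Spring Boot starter from okta.oauth2.issuer / okta.oauth2.audience; no custom JwtDecoder is needed.` The `authorizeHttpRequests` block also lists three matchers with no `.anyRequest()` rule, so the policy for every other path is whatever the framework's fallback is; stating it explicitly (e.g. `.anyRequest().authenticated()`) documents the intent. The same two points apply to the WebFlux `SecurityConfig`, whose hunk begins at the end of this chunk and runs past it.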
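Review bot: The audience placeholder in this example file (`audience: {API_IDENTIFIER}`) does not match the YAML snippet the same commit puts in the MVC README (`audience: {AUDIENCE}`), so a reader copying from one and checking against the other sees two different tokens for one value. Use a single placeholder in both; since the README prose and the comment on the line above both say "API Identifier", `{API_IDENTIFIER}` is the natural choice.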
@@ -1,4 +1,4 @@
-FROM gradle:5.4.1-jdk8
+FROM gradle:8.4-jdk17
 WORKDIR /tmp
 ADD . /tmp
diff --git a/01-Authorization-WebFlux/README.md b/01-Authorization-WebFlux/README.md
index f6a11d7..11304d6 100644
--- a/01-Authorization-WebFlux/README.md
+++ b/01-Authorization-WebFlux/README.md
@@ -2,18 +2,17 @@
 This sample demonstrates:
-- Configuring a Spring Boot WebFlux application as a Resource Server
-- Using and extending Spring Security to validate JWTs
+- Using the [Okta Spring Boot Starter](https://github.com/okta/okta-spring-boot) to configure a WebFlux Resource Server
 - Protecting APIs to only allow authorized access
 ## Prerequisites
-- Java 8 or greater
+- Java 17 or greater
 - An Auth0 account
 ## Setup
-> For complete instructions and additional information, please refer to the [Spring 5 API Security Quickstart](https://auth0.com/docs/quickstart/backend/java-spring-security5) that this sample accompanies.
+> For complete instructions and additional information, please refer to the [Spring API Security Quickstart](https://auth0.com/docs/quickstart/backend/java-spring-security5) that this sample accompanies.
 ### Create an Auth0 API
@@ -26,16 +25,12 @@
 The project needs to be configured with your Auth0 domain and API Identifier. To do this, first copy `src/main/resources/application.yml.example` into a new file in the same folder called `src/main/resources/application.yml`, and replace the values with your own Auth0 domain and API Identifier:
 ```yaml
-auth0:
- audience: {API_IDENTIFIER}
-
-spring:
- security:
- oauth2:
- resourceserver:
- jwt:
- # Note the trailing slash is important!
- issuer-uri: https://{DOMAIN}/
+okta:
+ oauth2:
+ # Replace with the domain of your Auth0 tenant.
+ issuer: https://{DOMAIN}/
+ # Replace with the API Identifier for your Auth0 API.
+ audience: {AUDIENCE}
 ```
 ## Running
diff --git a/01-Authorization-WebFlux/build.gradle b/01-Authorization-WebFlux/build.gradle
index a238f9e..d421481 100644
--- a/01-Authorization-WebFlux/build.gradle
+++ b/01-Authorization-WebFlux/build.gradle
@@ -6,13 +6,16 @@ buildscript {
 plugins {
 id 'java'
- id 'org.springframework.boot' version '2.5.12'
- id 'io.spring.dependency-management' version '1.0.9.RELEASE'
+ id 'org.springframework.boot' version '3.1.5'
+ id 'io.spring.dependency-management' version '1.1.3'
 }
 group = 'com.auth0'
 version = '0.0.1-SNAPSHOT'
-sourceCompatibility = '1.8'
+
+java {
+ sourceCompatibility = '17'
+}
 repositories {
 mavenCentral()
@@ -20,5 +23,5 @@ repositories {
 dependencies {
 implementation 'org.springframework.boot:spring-boot-starter-webflux'
- implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
+ implementation 'com.okta.spring:okta-spring-boot-starter:3.0.5'
 }
diff --git a/01-Authorization-WebFlux/gradle/wrapper/gradle-wrapper.jar b/01-Authorization-WebFlux/gradle/wrapper/gradle-wrapper.jar
index 7454180..943f0cb 100644
Binary files a/01-Authorization-WebFlux/gradle/wrapper/gradle-wrapper.jar and b/01-Authorization-WebFlux/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/01-Authorization-WebFlux/gradle/wrapper/gradle-wrapper.properties b/01-Authorization-WebFlux/gradle/wrapper/gradle-wrapper.properties
index ffed3a2..744c64d 100644
--- a/01-Authorization-WebFlux/gradle/wrapper/gradle-wrapper.properties
+++ b/01-Authorization-WebFlux/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
+networkTimeout=10000
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/01-Authorization-WebFlux/gradlew b/01-Authorization-WebFlux/gradlew
index 1b6c787..65dcd68 100755
--- a/01-Authorization-WebFlux/gradlew
+++ b/01-Authorization-WebFlux/gradlew
@@ -55,7 +55,7 @@ # Darwin, MinGW, and NonStop. # # (3) This script is generated from the Groovy template -# https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt # within the Gradle project. # # You can find Gradle at https://github.com/gradle/gradle/. @@ -80,10 +80,10 @@ do esac done -APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit - -APP_NAME="Gradle" +# This is normally unused +# shellcheck disable=SC2034 APP_BASE_NAME=${0##*/} +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' @@ -143,12 +143,16 @@ fi if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then case $MAX_FD in #( max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 MAX_FD=$( ulimit -H -n ) || warn "Could not query maximum file descriptor limit" esac case $MAX_FD in #( '' | soft) :;; #( *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 ulimit -n "$MAX_FD" || warn "Could not set maximum file descriptor limit to $MAX_FD" esac @@ -205,6 +209,12 @@ set -- \ org.gradle.wrapper.GradleWrapperMain \ "$@" +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + # Use "xargs" to parse quoted args. # # With -n1 it outputs one arg per line, with the quotes and backslashes removed. diff --git a/01-Authorization-WebFlux/gradlew.bat b/01-Authorization-WebFlux/gradlew.bat index ac1b06f..6689b85 100644 --- a/01-Authorization-WebFlux/gradlew.bat +++ b/01-Authorization-WebFlux/gradlew.bat 
@@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto execute +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -75,13 +76,15 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal diff --git a/01-Authorization-WebFlux/src/main/java/com/auth0/example/model/Message.java b/01-Authorization-WebFlux/src/main/java/com/auth0/example/model/Message.java index 9923910..bf78d34 100644 --- a/01-Authorization-WebFlux/src/main/java/com/auth0/example/model/Message.java +++ b/01-Authorization-WebFlux/src/main/java/com/auth0/example/model/Message.java 
@@ -3,15 +3,4 @@
 /**
 * Simple domain object for our API to return a message.
 */
-public class Message {
- private final String message;
-
- public Message(String message) {
- this.message = message;
- }
-
- @SuppressWarnings("unused")
- public String getMessage() {
- return this.message;
- }
-}
+public record Message(String message) {}
diff --git a/01-Authorization-WebFlux/src/main/java/com/auth0/example/security/AudienceValidator.java b/01-Authorization-WebFlux/src/main/java/com/auth0/example/security/AudienceValidator.java
deleted file mode 100644
index 19e7445..0000000
--- a/01-Authorization-WebFlux/src/main/java/com/auth0/example/security/AudienceValidator.java
+++ /dev/null
@@ -1,31 +0,0 @@
-package com.auth0.example.security;
-
-import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.oauth2.core.OAuth2Error;
-import org.springframework.security.oauth2.core.OAuth2TokenValidator;
-import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
-import org.springframework.security.oauth2.jwt.Jwt;
-import org.springframework.stereotype.Component;
-
-/**
- * Validates that the JWT token contains the intended audience in its claims.
- */
-class AudienceValidator implements OAuth2TokenValidator {
-
- private final String audience;
-
- OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
-
- AudienceValidator(String audience) {
- this.audience = audience;
- }
-
- public OAuth2TokenValidatorResult validate(Jwt jwt) {
- if (jwt.getAudience().contains(audience)) {
- return OAuth2TokenValidatorResult.success();
- }
-
- return OAuth2TokenValidatorResult.failure(error);
- }
-}
diff --git a/01-Authorization-WebFlux/src/main/java/com/auth0/example/security/SecurityConfig.java b/01-Authorization-WebFlux/src/main/java/com/auth0/example/security/SecurityConfig.java
index 6683d43..64c1732 100644
--- a/01-Authorization-WebFlux/src/main/java/com/auth0/example/security/SecurityConfig.java
+++ b/01-Authorization-WebFlux/src/main/java/com/auth0/example/security/SecurityConfig.java
@@ -1,26 +1,18 @@
 package com.auth0.example.security;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
-import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
-import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
-import org.springframework.security.oauth2.core.OAuth2TokenValidator;
-import org.springframework.security.oauth2.jwt.*;
 import org.springframework.security.web.server.SecurityWebFilterChain;
+import static org.springframework.security.config.Customizer.withDefaults;
+
 /**
 * Configures our application with Spring Security to restrict access to our API endpoints.
 */
-@EnableWebFluxSecurity
+@Configuration
 public class SecurityConfig {
- @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
- private String issuer;
-
- @Value( "${auth0.audience}" )
- private String audience;
-
 @Bean
 public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
 /*
@@ -28,32 +20,15 @@ public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
 an OAuth2 Resource Server, using JWT validation.
 */
 return http
- .authorizeExchange()
- .pathMatchers("/api/public").permitAll()
- .pathMatchers("/api/private").authenticated()
- .pathMatchers("/api/private-scoped").hasAuthority("SCOPE_read:messages")
- .and().cors()
- .and().oauth2ResourceServer()
- .jwt().and().and().build();
- }
-
- @Bean
- ReactiveJwtDecoder jwtDecoder() {
- /*
- By default, Spring Security does not validate the "aud" claim of the token, to ensure that this token is
- indeed intended for our app. Adding our own validator is easy to do:
- */
-
- NimbusReactiveJwtDecoder jwtDecoder = (NimbusReactiveJwtDecoder)
- ReactiveJwtDecoders.fromOidcIssuerLocation(issuer);
-
- OAuth2TokenValidator audienceValidator = new AudienceValidator(audience);
- OAuth2TokenValidator withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
- OAuth2TokenValidator withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator,
- new JwtTimestampValidator());
-
- jwtDecoder.setJwtValidator(withAudience);
-
- return jwtDecoder;
+ .authorizeExchange((auth) -> { auth
+ .pathMatchers("/api/public").permitAll()
+ .pathMatchers("/api/private").authenticated()
+ .pathMatchers("/api/private-scoped").hasAuthority("SCOPE_read:messages");
+ })
+ .cors(withDefaults())
+ .oauth2ResourceServer(oauth2 -> oauth2
+ .jwt(withDefaults())
+ )
+ .build();
 }
 }
diff --git a/01-Authorization-WebFlux/src/main/resources/application.yml.example b/01-Authorization-WebFlux/src/main/resources/application.yml.example
index 8240a92..3306585 100644
--- a/01-Authorization-WebFlux/src/main/resources/application.yml.example
+++ b/01-Authorization-WebFlux/src/main/resources/application.yml.example
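Review bot: With `AudienceValidator` and the custom `jwtDecoder()` removed, nothing in this class checks the token's `aud` claim any more; `.oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))` relies entirely on the Okta starter wiring issuer and audience validation from the `okta.oauth2.*` properties, and the old comment explaining that Spring does not validate `aud` by default was deleted with the code. I would record that dependency in the comment above `return http`, e.g. `// Issuer and audience ("aud") validation come from the Okta Spring Boot Starter via okta.oauth2.issuer / okta.oauth2.audience; both must be set — what happens when audience is missing is decided by the starter, not by this class.` The matcher list also has no `.anyExchange()` rule, so paths other than the three listed are handled by the framework's fallback; appending `.anyExchange().denyAll()` (or `.authenticated()`) after the `private-scoped` matcher makes the intended posture for any future endpoint explicit.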
@@ -2,17 +2,9 @@ debug: true
 server:
 port: 3010
-auth0:
- # Replace with the API Identifier for your Auth0 API.
- audience: {API_IDENTIFIER}
-
-# The following is standard Spring Security OAuth2 configuration.
-spring:
- security:
- oauth2:
- resourceserver:
- jwt:
- # Replace with the domain of your Auth0 tenant.
- # Note the trailing slash is important!
- issuer-uri: https://{DOMAIN}/
-
\ No newline at end of file
+okta:
+ oauth2:
+ # Replace with the domain of your Auth0 tenant.
+ issuer: https://{DOMAIN}/
+ # Replace with the API Identifier for your Auth0 API.
+ audience: {API_IDENTIFIER}
diff --git a/README.md b/README.md
index d376cfa..1ac35ca 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,8 @@
-# Auth0 Spring Security 5 API Samples
-
-> **Note**
-> If you are using Spring Boot 3 / Spring Security 6, check out the [use-spring-6 branch](https://github.com/auth0-samples/auth0-spring-security5-api-sample/tree/use-spring-6), which contains an updated version of this sample for Spring Boot 3. Also see [this issue](https://github.com/auth0-samples/auth0-spring-security5-api-sample/issues/25) for more information.
+# Auth0 Spring Security API Samples
 [![CircleCI](https://circleci.com/gh/auth0-samples/auth0-spring-security5-api-sample.svg?style=svg)](https://circleci.com/gh/auth0-samples/auth0-spring-security5-api-sample)
-These samples demonstrate how to create an API with Spring Boot 2 and Spring Security 5, which only permits access to resources if a valid **access token** is included.
+These samples demonstrate how to create an API with Spring Boot and the [Okta Spring Boot Starter](https://github.com/okta/okta-spring-boot).
 These samples do not demonstrate how to sign a JWT but rather assume that a user has already been authenticated by Auth0 and holds an access token for API access. For information on how to use Auth0 to authenticate users, see [the docs](https://auth0.com/docs).
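Review bot: The new `issuer: https://{DOMAIN}/` keeps the trailing slash but drops the `# Note the trailing slash is important!` caveat that sat next to the old `issuer-uri`, so nothing on the new side tells a reader why the slash is there. That comment existed because the issuer must match the token's `iss` value exactly, which presumably still holds under the Okta starter, so I would restore it: `# Note the trailing slash is important - it must match the token's iss claim exactly.` Separately, an unquoted `{API_IDENTIFIER}` is a YAML flow mapping rather than a string, so a copy of this file made before replacing the placeholder fails at property binding with an unrelated-looking error; quoting it as `audience: "{API_IDENTIFIER}"` keeps the placeholder a plain string until it is replaced.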