new validations

AlbaLopez552 · AlbaLopez552 · commit 1c9dd064513a · 2025-10-09T11:54:10.000+02:00
diff --git a/src/main/java/es/in2/vcverifier/security/filters/CustomAuthenticationProvider.java b/src/main/java/es/in2/vcverifier/security/filters/CustomAuthenticationProvider.java
@@ -30,8 +30,15 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.core.*;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+
+import java.security.MessageDigest;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import java.util.Objects;
 import org.springframework.security.oauth2.server.authorization.authentication.*;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
@@ -75,6 +82,10 @@ private Authentication handleGrant(
         RegisteredClient registeredClient = getRegisteredClient(clientId);
         log.debug("CustomAuthenticationProvider -- handleGrant -- Registered client found: {}", registeredClient);
 
+        if (authentication instanceof OAuth2AuthorizationCodeAuthenticationToken authCodeToken) {
+            validateAuthorizationCodePkceAndBinding(authCodeToken, clientId);
+        }
+
         Instant issueTime = Instant.now();
         Instant expirationTime = issueTime.plus(
                 Long.parseLong(ACCESS_TOKEN_EXPIRATION_TIME),
@@ -123,9 +134,81 @@ private Authentication handleGrant(
         }
 
         log.info("Authorization grant successfully processed");
+
+        if (authentication instanceof OAuth2AuthorizationCodeAuthenticationToken authCodeToken) {
+            OAuth2Authorization authToRemove =
+                    oAuth2AuthorizationService.findByToken(authCodeToken.getCode(),  new OAuth2TokenType(OAuth2ParameterNames.CODE));
+            if (authToRemove != null) {
+                oAuth2AuthorizationService.remove(authToRemove);
+            }
+        }
+
         return new OAuth2AccessTokenAuthenticationToken(registeredClient, authentication, oAuth2AccessToken, oAuth2RefreshToken, additionalParameters);
     }
 
+    private void validateAuthorizationCodePkceAndBinding(OAuth2AuthorizationCodeAuthenticationToken authCodeToken,
+                                                         String requestedClientId) {
+        final String code = authCodeToken.getCode();
+
+        OAuth2Authorization authorization =
+                oAuth2AuthorizationService.findByToken(code,  new OAuth2TokenType(OAuth2ParameterNames.CODE));
+        if (authorization == null) {
+            log.error("Authorization not found for code {}", code);
+            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+        }
+
+        String storedClientId = authorization.getAttribute(OAuth2ParameterNames.CLIENT_ID);
+        String storedRedirect = authorization.getAttribute(OAuth2ParameterNames.REDIRECT_URI);
+        String storedChallenge = authorization.getAttribute(PkceParameterNames.CODE_CHALLENGE);
+        String storedMethod    = authorization.getAttribute(PkceParameterNames.CODE_CHALLENGE_METHOD);
+
+        Map<String, Object> addl = authCodeToken.getAdditionalParameters();
+        String reqRedirect = authCodeToken.getRedirectUri();
+        if (reqRedirect == null && addl != null) {
+            reqRedirect = (String) addl.get(OAuth2ParameterNames.REDIRECT_URI);
+        }
+        String codeVerifier = addl == null ? null : (String) addl.get(PkceParameterNames.CODE_VERIFIER);
+
+        if (!Objects.equals(storedClientId, requestedClientId)) {
+            log.error("client_id binding mismatch. stored={}, requested={}", storedClientId, requestedClientId);
+            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+        }
+
+        if (!Objects.equals(storedRedirect, reqRedirect)) {
+            log.error("redirect_uri binding mismatch. stored={}, requested={}", storedRedirect, reqRedirect);
+            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+        }
+
+        if (storedChallenge == null || storedMethod == null) {
+            log.error("Missing PKCE attributes in stored authorization");
+            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+        }
+
+        if ("S256".equalsIgnoreCase(storedMethod)) {
+            try {
+                byte[] digest = MessageDigest.getInstance("SHA-256")
+                        .digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
+                String computed = Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
+                if (!computed.equals(storedChallenge)) {
+                    log.error("PKCE verification failed (S256)");
+                    throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+                }
+            } catch (Exception e) {
+                log.error("Error computing PKCE hash", e);
+                throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+            }
+        } else if ("plain".equalsIgnoreCase(storedMethod)) {
+            if (!Objects.equals(codeVerifier, storedChallenge)) {
+                log.error("PKCE verification failed (plain)");
+                throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+            }
+        } else {
+            log.error("Unsupported PKCE method: {}", storedMethod);
+            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+        }
+    }
+
+
     private OAuth2RefreshToken getOAuth2RefreshToken(OAuth2AuthorizationGrantAuthenticationToken authentication, Instant issueTime, String clientId, JsonNode credentialJson, RegisteredClient registeredClient) {
         OAuth2RefreshToken oAuth2RefreshToken;
         oAuth2RefreshToken = generateRefreshToken(issueTime);
diff --git a/src/main/java/es/in2/vcverifier/security/filters/CustomTokenRequestConverter.java b/src/main/java/es/in2/vcverifier/security/filters/CustomTokenRequestConverter.java
@@ -16,6 +16,7 @@
 import es.in2.vcverifier.service.ClientAssertionValidationService;
 import es.in2.vcverifier.service.JWTService;
 import es.in2.vcverifier.service.VpService;
+import io.micrometer.common.util.StringUtils;
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -24,6 +25,7 @@
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
@@ -106,6 +108,15 @@ private Authentication handleAuthorizationCodeGrant(MultiValueMap<String, String
             additionalParameters.put(NONCE, nonce);
         }
 
+        String redirectUri  = parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
+        String codeVerifier = parameters.getFirst(PkceParameterNames.CODE_VERIFIER);
+        if (StringUtils.isNotBlank(codeVerifier)) {
+            additionalParameters.put(PkceParameterNames.CODE_VERIFIER, codeVerifier);
+        }
+        if (StringUtils.isNotBlank(redirectUri)) {
+            additionalParameters.put(OAuth2ParameterNames.REDIRECT_URI, redirectUri);
+        }
+
         // Return the authentication token
         return new OAuth2AuthorizationCodeAuthenticationToken(code, clientPrincipal, null, additionalParameters);
     }
diff --git a/src/main/java/es/in2/vcverifier/service/impl/AuthorizationResponseProcessorServiceImpl.java b/src/main/java/es/in2/vcverifier/service/impl/AuthorizationResponseProcessorServiceImpl.java
@@ -15,6 +15,9 @@
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
@@ -27,9 +30,7 @@
 import java.text.ParseException;
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
-import java.util.Base64;
-import java.util.List;
-import java.util.UUID;
+import java.util.*;
 
 import static es.in2.vcverifier.util.Constants.*;
 import static org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.NONCE;
@@ -95,6 +96,14 @@ public void processAuthResponse(String state, String vpToken){
             throw new OAuth2AuthenticationException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
         }
 
+        String redirectUriUsed = oAuth2AuthorizationRequest.getRedirectUri();
+        Set<String> requestedScopes = oAuth2AuthorizationRequest.getScopes();
+
+        Map<String, Object> addl = oAuth2AuthorizationRequest.getAdditionalParameters();
+        String codeChallenge       = (String) addl.get(PkceParameterNames.CODE_CHALLENGE);
+        String codeChallengeMethod = (String) addl.get(PkceParameterNames.CODE_CHALLENGE_METHOD);
+
+
         Instant expirationTime = issueTime.plus(Long.parseLong(ACCESS_TOKEN_EXPIRATION_TIME), ChronoUnit.valueOf(ACCESS_TOKEN_EXPIRATION_CHRONO_UNIT));
         // Register the Oauth2Authorization because is needed for verifications
         OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
@@ -103,6 +112,11 @@ public void processAuthResponse(String state, String vpToken){
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                 .token(new OAuth2AuthorizationCode(code, issueTime, expirationTime))
                 .attribute(OAuth2AuthorizationRequest.class.getName(), oAuth2AuthorizationRequest)
+                .attribute(PkceParameterNames.CODE_CHALLENGE, codeChallenge)
+                .attribute(PkceParameterNames.CODE_CHALLENGE_METHOD, codeChallengeMethod)
+                .attribute(OAuth2ParameterNames.REDIRECT_URI, redirectUriUsed)
+                .attribute(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
+                .attribute(OAuth2ParameterNames.SCOPE, String.join(" ", requestedScopes))
                 .build();
 
         log.info("OAuth2Authorization generated");
