fix implemented (#59)

* fix implemented

* fix tests

* new test

* new validations

* fix in auth response

* fix in handleAuthorizationCodeGrant

* delete from cache

* adapt auth serve config

* fixes and tests

* fix

* changes

* changes

* change for public client

* fix in redirectUri

* xivatos

* change

* new fixes

* test fixes

* new test

* new testing

* new pkce tests

* more tests

* sonar issues

* sonar issues fix

Author: AlbaLopez552

build.gradle

@@ -10,7 +10,7 @@ plugins {
 }
 
 group = 'es.in2'
-version = '2.0.0'
+version = '2.0.1'
 
 java {
 	toolchain {

src/main/java/es/in2/vcverifier/model/AuthorizationContext.java

@@ -9,6 +9,8 @@ public record AuthorizationContext(
         String redirectUri,
         String clientNonce,
         String originalRequestURL,
-        String requestUri
+        String requestUri,
+        String codeChallenge,
+        String codeChallengeMethod
 ) {
 }

src/main/java/es/in2/vcverifier/security/AuthorizationServerConfig.java

@@ -83,7 +83,7 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
                 )
                 .tokenEndpoint(tokenEndpoint ->
                         tokenEndpoint
-                                .accessTokenRequestConverter(new CustomTokenRequestConverter(jwtService, clientAssertionValidationService, vpService, cacheStoreForAuthorizationCodeData,oAuth2AuthorizationService(),objectMapper, refreshTokenDataCacheCacheStore))
+                                .accessTokenRequestConverter(new CustomTokenRequestConverter(jwtService, clientAssertionValidationService, vpService, cacheStoreForAuthorizationCodeData,objectMapper, refreshTokenDataCacheCacheStore))
                                 .authenticationProvider(new CustomAuthenticationProvider(jwtService,registeredClientRepository,backendConfig,objectMapper, refreshTokenDataCacheCacheStore, oAuth2AuthorizationService()))
                 )
                 .oidc(Customizer.withDefaults());    // Enable OpenID Connect 1.0

src/main/java/es/in2/vcverifier/security/filters/CustomAuthenticationProvider.java

@@ -30,12 +30,16 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.oauth2.core.*;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.authentication.*;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.security.Principal;
 import java.security.SecureRandom;
 import java.time.Instant;
@@ -75,6 +79,14 @@ private Authentication handleGrant(
         RegisteredClient registeredClient = getRegisteredClient(clientId);
         log.debug("CustomAuthenticationProvider -- handleGrant -- Registered client found: {}", registeredClient);
 
+        if (authentication instanceof OAuth2AuthorizationCodeAuthenticationToken authCodeToken) {
+            if (isPublicPkceClient(registeredClient)) {
+                validateAuthorizationCodePkce(authCodeToken, clientId);
+            } else {
+                log.debug("Omitting redirect+PKCE validation for confidential client '{}'", clientId);
+            }
+        }
+
         Instant issueTime = Instant.now();
         Instant expirationTime = issueTime.plus(
                 Long.parseLong(ACCESS_TOKEN_EXPIRATION_TIME),
@@ -123,9 +135,81 @@ private Authentication handleGrant(
         }
 
         log.info("Authorization grant successfully processed");
+
+        if (authentication instanceof OAuth2AuthorizationCodeAuthenticationToken authCodeToken) {
+            OAuth2Authorization authToRemove =
+                    oAuth2AuthorizationService.findByToken(authCodeToken.getCode(),
+                            new OAuth2TokenType(OAuth2ParameterNames.CODE));
+            if (authToRemove != null) {
+                oAuth2AuthorizationService.remove(authToRemove);
+            }
+        }
         return new OAuth2AccessTokenAuthenticationToken(registeredClient, authentication, oAuth2AccessToken, oAuth2RefreshToken, additionalParameters);
     }
 
+    private boolean isPublicPkceClient(RegisteredClient rc) {
+        if (rc == null) return false;
+        boolean isPublic = rc.getClientAuthenticationMethods().size() == 1
+                && rc.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE);
+        boolean requirePkce = rc.getClientSettings() != null && rc.getClientSettings().isRequireProofKey();
+        return isPublic && requirePkce;
+    }
+
+
+    private void validateAuthorizationCodePkce(OAuth2AuthorizationCodeAuthenticationToken authCodeToken, String requestedClientId) {
+        final String code = authCodeToken.getCode();
+
+        OAuth2Authorization authorization = oAuth2AuthorizationService.findByToken(code, new OAuth2TokenType(OAuth2ParameterNames.CODE));
+        if (authorization == null) invalidGrant();
+
+        String storedClientId = authorization.getAttribute(OAuth2ParameterNames.CLIENT_ID);
+        if (!Objects.equals(storedClientId, requestedClientId)) invalidGrant();
+
+        String storedChallenge = authorization.getAttribute(PkceParameterNames.CODE_CHALLENGE);
+        String storedMethod    = authorization.getAttribute(PkceParameterNames.CODE_CHALLENGE_METHOD);
+
+        boolean requirePkce = Optional.ofNullable(registeredClientRepository.findByClientId(storedClientId))
+                .map(RegisteredClient::getClientSettings)
+                .map(cs -> cs.isRequireProofKey())
+                .orElse(false);
+
+        if (!org.springframework.util.StringUtils.hasText(storedChallenge)) {
+            if (requirePkce) invalidGrant();
+            return;
+        }
+
+        String codeVerifier = (String) authCodeToken.getAdditionalParameters().get(PkceParameterNames.CODE_VERIFIER);
+        if (!org.springframework.util.StringUtils.hasText(codeVerifier)) invalidGrant();
+
+        String method = (storedMethod == null ? "S256" : storedMethod).toUpperCase(Locale.ROOT);
+        switch (method) {
+            case "S256" -> {
+                String computed = s256(codeVerifier);
+                if (!computed.equals(storedChallenge)) invalidGrant();
+            }
+            case "PLAIN" -> {
+                if (!codeVerifier.equals(storedChallenge)) invalidGrant();
+            }
+            default -> invalidGrant();
+        }
+    }
+
+    private static void invalidGrant() {
+        throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+    }
+
+    private static String s256(String verifier) {
+        try {
+            byte[] digest = MessageDigest.getInstance("SHA-256")
+                    .digest(verifier.getBytes(StandardCharsets.US_ASCII));
+            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
+        } catch (Exception e) {
+            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_GRANT);
+        }
+    }
+
+
+
     private OAuth2RefreshToken getOAuth2RefreshToken(OAuth2AuthorizationGrantAuthenticationToken authentication, Instant issueTime, String clientId, JsonNode credentialJson, RegisteredClient registeredClient) {
         OAuth2RefreshToken oAuth2RefreshToken;
         oAuth2RefreshToken = generateRefreshToken(issueTime);

src/main/java/es/in2/vcverifier/security/filters/CustomAuthorizationRequestConverter.java

@@ -20,6 +20,7 @@
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
@@ -72,12 +73,16 @@ public Authentication convert(HttpServletRequest request) {
         String scope = request.getParameter(OAuth2ParameterNames.SCOPE);
         String redirectUri = request.getParameter(OAuth2ParameterNames.REDIRECT_URI);
         String clientNonce = request.getParameter(NONCE);
+        String codeChallenge = request.getParameter(PkceParameterNames.CODE_CHALLENGE);
+        String codeChallengeMethod = request.getParameter(PkceParameterNames.CODE_CHALLENGE_METHOD);
         AuthorizationContext authorizationContext = AuthorizationContext.builder()
                 .requestUri(requestUri)
                 .state(state)
                 .originalRequestURL(originalRequestURL)
                 .redirectUri(redirectUri)
                 .clientNonce(clientNonce)
+                .codeChallenge(codeChallenge)
+                .codeChallengeMethod(codeChallengeMethod)
                 .scope(scope)
                 .build();
 
@@ -482,9 +487,16 @@ private void cacheAuthorizationRequest(AuthorizationContext authorizationContext
         if (nonce != null && !nonce.isBlank()) {
             additionalParameters.put(NONCE, nonce);
         }
-        builder.additionalParameters(additionalParameters);
-
+        String codeChallenge = authorizationContext.codeChallenge();
+        if (codeChallenge != null && !codeChallenge.isBlank()) {
+            additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, codeChallenge);
+        }
+        String codeChallengeMethod = authorizationContext.codeChallengeMethod();
+        if (codeChallengeMethod != null && !codeChallengeMethod.isBlank()) {
+            additionalParameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, codeChallengeMethod);
+        }
 
+        builder.additionalParameters(additionalParameters);
 
         // Build the request
         OAuth2AuthorizationRequest oAuth2AuthorizationRequest = builder.build();
@@ -505,4 +517,4 @@ private String getFullRequestUrl(HttpServletRequest request) {
         }
         return requestURL.toString();
     }
-}
+}

src/main/java/es/in2/vcverifier/security/filters/CustomTokenRequestConverter.java

@@ -24,7 +24,7 @@
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
-import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2RefreshTokenAuthenticationToken;
@@ -49,7 +49,6 @@ public class CustomTokenRequestConverter implements AuthenticationConverter {
     private final ClientAssertionValidationService clientAssertionValidationService;
     private final VpService vpService;
     private final CacheStore<AuthorizationCodeData> cacheStoreForAuthorizationCodeData;
-    private final OAuth2AuthorizationService oAuth2AuthorizationService;
     private final ObjectMapper objectMapper;
     private final CacheStore<RefreshTokenDataCache> refreshTokenDataCacheCacheStore;
 
@@ -74,15 +73,11 @@ private Authentication handleAuthorizationCodeGrant(MultiValueMap<String, String
         String code = parameters.getFirst(OAuth2ParameterNames.CODE);
         String state = parameters.getFirst(OAuth2ParameterNames.STATE);
         String clientId = parameters.getFirst(OAuth2ParameterNames.CLIENT_ID);
+        String redirectUri  = parameters.getFirst(OAuth2ParameterNames.REDIRECT_URI);
+        String codeVerifier = parameters.getFirst(PkceParameterNames.CODE_VERIFIER);
 
         AuthorizationCodeData authorizationCodeData = cacheStoreForAuthorizationCodeData.get(code);
 
-        // Remove the code from cache after retrieving the object
-        cacheStoreForAuthorizationCodeData.delete(code);
-
-        // Remove the authorization from the initial request
-        oAuth2AuthorizationService.remove(authorizationCodeData.oAuth2Authorization());
-
         // Check state only if it is not null and not blank
         if (state != null && !state.isBlank() && (!authorizationCodeData.state().equals(state))) {
             log.error("CustomTokenRequestConverter -- handleAuthorizationCodeGrant -- State mismatch. Expected: {}, Actual: {}",
@@ -106,8 +101,12 @@ private Authentication handleAuthorizationCodeGrant(MultiValueMap<String, String
             additionalParameters.put(NONCE, nonce);
         }
 
+        if (codeVerifier != null && !codeVerifier.isBlank()) {
+            additionalParameters.put(PkceParameterNames.CODE_VERIFIER, codeVerifier);
+        }
+
         // Return the authentication token
-        return new OAuth2AuthorizationCodeAuthenticationToken(code, clientPrincipal, null, additionalParameters);
+        return new OAuth2AuthorizationCodeAuthenticationToken(code, clientPrincipal, redirectUri, additionalParameters);
     }
 
     private Authentication handleClientCredentialsGrant(MultiValueMap<String, String> parameters) {
@@ -194,4 +193,4 @@ private static MultiValueMap<String, String> getParameters(HttpServletRequest re
         return parameters;
     }
 
-}
+}

src/main/java/es/in2/vcverifier/service/impl/AuthorizationResponseProcessorServiceImpl.java

@@ -15,6 +15,8 @@
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationCode;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
@@ -95,15 +97,33 @@ public void processAuthResponse(String state, String vpToken){
             throw new OAuth2AuthenticationException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
         }
 
+
+        var addl = oAuth2AuthorizationRequest.getAdditionalParameters();
+        String codeChallenge       = (String) addl.get(PkceParameterNames.CODE_CHALLENGE);
+        String codeChallengeMethod = (String) addl.get(PkceParameterNames.CODE_CHALLENGE_METHOD);
+
+
         Instant expirationTime = issueTime.plus(Long.parseLong(ACCESS_TOKEN_EXPIRATION_TIME), ChronoUnit.valueOf(ACCESS_TOKEN_EXPIRATION_CHRONO_UNIT));
         // Register the Oauth2Authorization because is needed for verifications
-        OAuth2Authorization authorization = OAuth2Authorization.withRegisteredClient(registeredClient)
+        OAuth2Authorization.Builder authBuilder = OAuth2Authorization.withRegisteredClient(registeredClient)
                 .id(registeredClient.getId())
                 .principalName(registeredClient.getClientId())
                 .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                 .token(new OAuth2AuthorizationCode(code, issueTime, expirationTime))
-                .attribute(OAuth2AuthorizationRequest.class.getName(), oAuth2AuthorizationRequest)
-                .build();
+                .attribute(OAuth2ParameterNames.CLIENT_ID, registeredClient.getClientId())
+                .attribute(OAuth2ParameterNames.REDIRECT_URI, oAuth2AuthorizationRequest.getRedirectUri())
+                .attribute(OAuth2ParameterNames.SCOPE, String.join(" ", oAuth2AuthorizationRequest.getScopes()))
+                .attribute(OAuth2AuthorizationRequest.class.getName(), oAuth2AuthorizationRequest);
+
+        if (org.springframework.util.StringUtils.hasText(codeChallenge)) {
+            authBuilder.attribute(PkceParameterNames.CODE_CHALLENGE, codeChallenge);
+        }
+        if (org.springframework.util.StringUtils.hasText(codeChallengeMethod)) {
+            authBuilder.attribute(PkceParameterNames.CODE_CHALLENGE_METHOD, codeChallengeMethod);
+        }
+
+        OAuth2Authorization authorization = authBuilder.build();
+        oAuth2AuthorizationService.save(authorization);
 
         log.info("OAuth2Authorization generated");
 
@@ -123,7 +143,6 @@ public void processAuthResponse(String state, String vpToken){
         AuthorizationCodeData authorizationCodeData = authCodeDataBuilder.build();
         cacheStoreForAuthorizationCodeData.add(code, authorizationCodeData);
 
-        oAuth2AuthorizationService.save(authorization);
 
         // Build the redirect URL with the code (code) and the state
         String redirectUrl = UriComponentsBuilder.fromHttpUrl(redirectUri)
@@ -174,6 +193,4 @@ private void validateVpTokenNonceAndAudience(String decodedVpToken, String state
         }
     }
 
-}
-
-
+}