Add Google DEV OAuth2 app

Author: blacelle

contest-core/src/main/java/eu/solven/kumite/player/ContestPlayersRegistry.java

@@ -73,7 +73,7 @@ private void registerContender(Contest contest, UUID playerId) {
 			if (game.canAcceptPlayer(contest, player)) {
 				boolean registeredInBoard = contestPlayersRepository.registerContender(contestId, playerId);
 				if (registeredInBoard) {
-					log.info(
+					log.debug(
 							"Skip `board.registerContender` as already managed by `contestPlayersRepository.registerContender`");
 				} else {
 					IKumiteBoard board = contest.getBoard().get();

server/src/main/java/eu/solven/kumite/app/webflux/api/KumiteLoginController.java

@@ -35,12 +35,12 @@
 import eu.solven.kumite.account.KumiteUser;
 import eu.solven.kumite.account.KumiteUserRawRaw;
 import eu.solven.kumite.account.KumiteUsersRegistry;
-import eu.solven.kumite.account.login.IKumiteTestConstants;
 import eu.solven.kumite.app.IKumiteSpringProfiles;
 import eu.solven.kumite.oauth2.authorizationserver.KumiteTokenService;
 import eu.solven.kumite.player.IAccountPlayersRegistry;
 import eu.solven.kumite.player.KumitePlayer;
 import eu.solven.kumite.security.LoginRouteButNotAuthenticatedException;
+import eu.solven.kumite.security.oauth2.KumiteOAuth2UserService;
 import lombok.AllArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import reactor.core.publisher.Mono;
@@ -56,9 +56,6 @@
 @AllArgsConstructor
 @Slf4j
 public class KumiteLoginController {
-	public static final String PROVIDERID_GITHUB = "github";
-	@Deprecated
-	public static final String PROVIDERID_TEST = IKumiteTestConstants.PROVIDERID_TEST;
 
 	final InMemoryReactiveClientRegistrationRepository clientRegistrationRepository;
 
@@ -127,6 +124,12 @@ public Mono<Map> basic() {
 				"/html/login?success"));
 	}
 
+	private KumiteUser userFromOAuth2(OAuth2User o) {
+		KumiteUserRawRaw rawRaw = KumiteOAuth2UserService.oauth2ToRawRaw(o);
+		KumiteUser user = usersRegistry.getUser(rawRaw);
+		return user;
+	}
+
 	@GetMapping("/user")
 	public Mono<KumiteUser> user() {
 		return ReactiveSecurityContextHolder.getContext().map(sc -> {
@@ -150,39 +153,6 @@ private KumiteUser userFromUsername(UsernamePasswordAuthenticationToken username
 		return user;
 	}
 
-	private KumiteUser userFromOAuth2(OAuth2User o) {
-		String providerId = guessProviderId(o);
-		String sub = getSub(providerId, o);
-		KumiteUserRawRaw rawRaw = KumiteUserRawRaw.builder().providerId(providerId).sub(sub).build();
-		KumiteUser user = usersRegistry.getUser(rawRaw);
-		return user;
-	}
-
-	private String getSub(String providerId, OAuth2User o) {
-		if (PROVIDERID_GITHUB.equals(providerId)) {
-			Object sub = o.getAttribute("id");
-			if (sub == null) {
-				throw new IllegalStateException("Invalid sub: " + sub);
-			}
-			return sub.toString();
-		} else if (PROVIDERID_TEST.equals(providerId)) {
-			Object sub = o.getAttribute("id");
-			if (sub == null) {
-				throw new IllegalStateException("Invalid sub: " + sub);
-			}
-			return sub.toString();
-		} else {
-			throw new IllegalStateException("Not managed providerId: " + providerId);
-		}
-	}
-
-	private String guessProviderId(OAuth2User o) {
-		if (PROVIDERID_TEST.equals(o.getAttribute("providerId"))) {
-			return PROVIDERID_TEST;
-		}
-		return PROVIDERID_GITHUB;
-	}
-
 	@GetMapping("/oauth2/token")
 	public Mono<?> token(@RequestParam(name = "player_id", required = false) String rawPlayerId,
 			@RequestParam(name = "refresh_token", defaultValue = "false") boolean requestRefreshToken) {

server/src/main/java/eu/solven/kumite/security/SocialWebFluxSecurity.java

@@ -4,7 +4,6 @@
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
-import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
 import org.springframework.core.Ordered;
@@ -19,10 +18,15 @@
 import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
+import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
+import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
 import org.springframework.security.oauth2.server.resource.web.server.BearerTokenServerAuthenticationEntryPoint;
 import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.authentication.RedirectServerAuthenticationFailureHandler;
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
 import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
 import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
@@ -48,14 +52,23 @@
 @Slf4j
 public class SocialWebFluxSecurity {
 
+	// https://github.com/spring-projects/spring-security/issues/15846
+	@Bean
+	public OidcReactiveOAuth2UserService oidcReactiveOAuth2UserService(
+			ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService) {
+		OidcReactiveOAuth2UserService oidcReactiveOAuth2UserService = new OidcReactiveOAuth2UserService();
+
+		oidcReactiveOAuth2UserService.setOauth2UserService(oauth2UserService);
+
+		return oidcReactiveOAuth2UserService;
+	}
+
 	// https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials/resource-server_with_ui
 	// https://stackoverflow.com/questions/74744901/default-401-instead-of-redirecting-for-oauth2-login-spring-security
 	// `-1` as this has to be used in priority aver the API securityFilterChain
 	@Order(Ordered.LOWEST_PRECEDENCE - 1)
 	@Bean
-	public SecurityWebFilterChain configureUi(ServerProperties serverProperties,
-			ServerHttpSecurity http,
-			Environment env) {
+	public SecurityWebFilterChain configureUi(ServerHttpSecurity http, Environment env) {
 
 		boolean isFakeUser = env.acceptsProfiles(Profiles.of(IKumiteSpringProfiles.P_FAKEUSER));
 		if (isFakeUser) {
@@ -152,7 +165,11 @@ public SecurityWebFilterChain configureUi(ServerProperties serverProperties,
 				.oauth2Login(oauth2 -> {
 					String loginSuccess = "/html/login?success";
 					oauth2.authenticationSuccessHandler(new RedirectServerAuthenticationSuccessHandler(loginSuccess));
+
+					String loginError = "/html/login?error";
+					oauth2.authenticationFailureHandler(new RedirectServerAuthenticationFailureHandler(loginError));
 				})
+				// .oauth2Client(oauth2 -> oauth2.)
 
 				.httpBasic(basic -> {
 					if (isFakeUser) {
@@ -200,9 +217,9 @@ private void configureBasicForFakeUser(HttpBasicSpec basic) {
 	 */
 	@Order(Ordered.LOWEST_PRECEDENCE)
 	@Bean
-	public SecurityWebFilterChain configureApi(ServerHttpSecurity http,
-			Environment env,
-			ReactiveJwtDecoder jwtDecoder) {
+	public SecurityWebFilterChain configureApi(Environment env,
+			ReactiveJwtDecoder jwtDecoder,
+			ServerHttpSecurity http) {
 
 		boolean isFakeUser = env.acceptsProfiles(Profiles.of(IKumiteSpringProfiles.P_FAKEUSER));
 		if (isFakeUser) {

server/src/main/java/eu/solven/kumite/security/oauth2/KumiteOAuth2UserService.java

@@ -1,7 +1,10 @@
 package eu.solven.kumite.security.oauth2;
 
 import java.net.URI;
+import java.net.URISyntaxException;
+import java.net.URL;
 
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
@@ -13,6 +16,7 @@
 import eu.solven.kumite.account.KumiteUserRaw.KumiteUserRawBuilder;
 import eu.solven.kumite.account.KumiteUserRawRaw;
 import eu.solven.kumite.account.KumiteUsersRegistry;
+import eu.solven.kumite.account.login.IKumiteTestConstants;
 import graphql.VisibleForTesting;
 import lombok.RequiredArgsConstructor;
 import lombok.SneakyThrows;
@@ -33,6 +37,11 @@
 @Service
 @RequiredArgsConstructor
 public class KumiteOAuth2UserService extends DefaultReactiveOAuth2UserService {
+	public static final String PROVIDERID_GITHUB = "github";
+	public static final String PROVIDERID_GOOGLE = "google";
+
+	@Deprecated
+	public static final String PROVIDERID_TEST = IKumiteTestConstants.PROVIDERID_TEST;
 
 	// private final AccountsStore accountsStore;
 	final KumiteUsersRegistry usersRegistry;
@@ -57,23 +66,18 @@ private Mono<OAuth2User> processOAuth2User(OAuth2UserRequest oAuth2UserRequest,
 			// The following comment can be used to register new unittest on new registration
 			// new ObjectMapper().writeValueAsString(userFromProvider.getAttributes());
 
-			String registrationId = oAuth2UserRequest.getClientRegistration().getRegistrationId();
-
-			String keyForSub = switch (registrationId) {
-			case "github":
-				yield "id";
-			default:
-				throw new IllegalArgumentException("Unexpected value: " + registrationId);
-			};
+			KumiteUserRawRaw rawRaw = oauth2ToRawRaw(userFromProvider);
 
-			KumiteUserRawRaw rawRaw = KumiteUserRawRaw.builder()
-					.providerId(registrationId)
-					.sub(userFromProvider.getAttributes().get(keyForSub).toString())
-					.build();
+			String registrationId = oAuth2UserRequest.getClientRegistration().getRegistrationId();
+			if (!registrationId.equals(rawRaw.getProviderId())) {
+				throw new IllegalStateException("Inconsistent providerId inference from OAuth2User");
+			}
 
 			String keyForPicture = switch (registrationId) {
-			case "github":
+			case PROVIDERID_GITHUB:
 				yield "avatar_url";
+			case PROVIDERID_GOOGLE:
+				yield "picture";
 			default:
 				throw new IllegalArgumentException("Unexpected value: " + registrationId);
 			};
@@ -97,4 +101,65 @@ private Mono<OAuth2User> processOAuth2User(OAuth2UserRequest oAuth2UserRequest,
 
 	}
 
+	public static KumiteUserRawRaw oauth2ToRawRaw(OAuth2User o) {
+		String providerId = guessProviderId(o);
+		String sub = getSub(providerId, o);
+		KumiteUserRawRaw rawRaw = KumiteUserRawRaw.builder().providerId(providerId).sub(sub).build();
+		return rawRaw;
+	}
+
+	private static String getSub(String providerId, OAuth2User o) {
+		if (PROVIDERID_GITHUB.equals(providerId)) {
+			Object id = o.getAttribute("id");
+			if (id == null) {
+				throw new IllegalStateException("Invalid id: " + id);
+			}
+			return id.toString();
+		} else if (PROVIDERID_GOOGLE.equals(providerId)) {
+			Object sub = o.getAttribute("sub");
+			if (sub == null) {
+				throw new IllegalStateException("Invalid sub: " + sub);
+			}
+			return sub.toString();
+		} else if (PROVIDERID_TEST.equals(providerId)) {
+			Object id = o.getAttribute("id");
+			if (id == null) {
+				throw new IllegalStateException("Invalid sub: " + id);
+			}
+			return id.toString();
+		} else {
+			throw new IllegalStateException("Not managed providerId: " + providerId);
+		}
+	}
+
+	private static String guessProviderId(OAuth2User o) {
+		if (isGoogle(o)) {
+			return PROVIDERID_GOOGLE;
+		} else if (PROVIDERID_TEST.equals(o.getAttribute("providerId"))) {
+			return PROVIDERID_TEST;
+		}
+		return PROVIDERID_GITHUB;
+	}
+
+	private static boolean isGoogle(OAuth2User o) {
+		if (o.getAuthorities()
+				.contains(new SimpleGrantedAuthority("SCOPE_https://www.googleapis.com/auth/userinfo.email"))) {
+			return true;
+		}
+
+		// TODO Unclear when we receive iss or not (Changed around introducing
+		// SocialWebFluxSecurity.oidcReactiveOAuth2UserService)
+		URL issuer = (URL) o.getAttribute("iss");
+		if (issuer == null) {
+			return false;
+		}
+		URI uri;
+		try {
+			uri = issuer.toURI();
+		} catch (URISyntaxException e) {
+			throw new IllegalStateException("Invalid iss: `%s`".formatted(issuer), e);
+		}
+		return "https://accounts.google.com".equals(uri.toASCIIString());
+	}
+
 }

server/src/main/resources/application-default_server.yml

@@ -10,8 +10,8 @@ spring:
                         clientId: ${kumite.login.oauth2.github.clientId:NEEDS_TO_BE_DEFINED}
                         clientSecret: ${kumite.login.oauth2.github.clientSecret:NEEDS_TO_BE_DEFINED}
                     google:
-                        client-id: google-client-id
-                        client-secret: google-client-secret
+                        client-id: ${kumite.login.oauth2.google.clientId:NEEDS_TO_BE_DEFINED}
+                        client-secret: ${kumite.login.oauth2.google.clientSecret:NEEDS_TO_BE_DEFINED}
     graphql:
         graphiql:
             enabled: true

server/src/main/resources/application-unsafe_external_oauth2.yml

@@ -2,6 +2,15 @@
 
 
 kumite.login:
-    # https://github.com/settings/applications/2686735
-    oauth2.github.clientId: Ov23liakPa9YkyfEZGZE
-    oauth2.github.clientSecret: 35faf73b496bb30fa17c1dd2f9fc8111874965ca
+    # https://docs.spring.io/spring-security/site/docs/5.2.12.RELEASE/reference/html/oauth2.html
+    # redirectUri: `{baseUrl}/login/oauth2/code/{registrationId}`
+    oauth2:
+        github:
+            # https://github.com/settings/applications/2686735
+            clientId: Ov23liakPa9YkyfEZGZE
+            clientSecret: 35faf73b496bb30fa17c1dd2f9fc8111874965ca
+        google:
+            # https://developers.google.com/identity/sign-in/web/sign-in?hl=fr
+            # https://console.cloud.google.com/apis/credentials?hl=fr&project=kumite
+            clientId: 635294738113-sftufj1etk97bqdhj7m6949behc3clhn.apps.googleusercontent.com
+            clientSecret: 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

server/src/main/resources/application.yml

@@ -33,7 +33,6 @@ logging:
     level:
         org.springframework.security: INFO
         org.springframework.web.reactive: INFO
-        eu.solven.kumite.app.webflux.KumiteExceptionRoutingWebFilter: DEBUG
         eu.solven.kumite.app.webflux.KumiteWebExceptionHandler: DEBUG
 
 kumite.oauth2:

server/src/test/resources/oauth2/google-attributes.json

@@ -0,0 +1,7 @@
+{
+"at_hash":"Bh6lHMngzG6eaAWaew9XQw","sub":"106279441841850034209","email_verified":true,"iss":"https://accounts.google.com",
+"given_name":"Benoît","nonce":"c4gJrXkNzkL5vzW34qfo-NUkMU8L_Ki7KzL9myC3btw",
+"picture":"https://lh3.googleusercontent.com/a/ACg8ocI16JXR3Sv_fJeDYrbkLTNn5WRXSKBL6KL4T7U6SEYTXlOn9hPA=s96-c",
+"aud":["635294738113-sftufj1etk97bqdhj7m6949behc3clhn.apps.googleusercontent.com"],
+"azp":"635294738113-sftufj1etk97bqdhj7m6949behc3clhn.apps.googleusercontent.com","name":"Benoît Chatain Lacelle",
+"exp":"2024-09-24T17:20:00Z","family_name":"Chatain Lacelle","iat":"2024-09-24T16:20:00Z","email":"[email protected]"}