When a developer tried to impersonate a user (principal) that had an active OIDC session, it triggered an edge case. The edge case found the existing session from the non-developer which lead to the JWT generation trying to populate the OIDC claim "auth_time". The authentication time is looked up from the `FactorGrantedAuthority`'s in the custom principals authorities. Since there was no such authority it failed.
When a developer impersonates a user such an authority is now added so that the claim can be populated if necessary.
The new ["modular design"](https://spring.io/blog/2025/10/28/modularizing-spring-boot/) required a few changes in the starter Maven dependencies. It also caused some minor Java import changes. The main problem that arose was that the spring-boot-web-server dependency got scoped to "runtime" in Maven. This broke the embedded Docker build since it was excluded from dependency lists. Therefore, it had to be manually added back in the correct "provided" scope.
spring-boot-starter-web, JTE, and Testcontainers had new artifact names. Jackson had to be added as an explicit dependency (for testing only) since it's no longer included by default in Spring Boot.
## Spring Boot OAuth 2.0 Authorization Server
There were some internal changes that broke the "custom" developer authorization. The OAuth2AuthorizationEndpointFilter got split into two separate ones (for MFA purposes), and the split off one is executed much much earlier in the chain. Therefore, the old method of changing the HTTP method of the request to trick the regular filter from the custom one no longer works. Luckily an unrelated change had added POST support to the OAuth2AuthorizationEndpointFilter which meant we could stop changing the HTTP method and change the form to submit everything as form fields instead of query parameters. A lot of mechanical changes in the tests were required for this.
MFA support also meant that OIDC ID tokens require the authenticated principal to have a FactorGrantedAuthority which was added to the Shibboleth authentication.
Lastly the default for clients changed to require PKCE, this was turned off in the tests to match production (not required for clients with credentials).
Reviewed-by: Stefan Nenzén <nenzen@dsv.su.se>
Reviewed-on: #18
Instead of being forced to use a table scan it now uses the available indexes for direct access to the correct rows.
Fixes#15
Old `ANALYZE` output
```
*************************** 1. row ***************************
id: 1
select_type: SIMPLE
table: v2_oauth2_authorization
type: ALL
possible_keys: I_authorization_code_token,I_authorization_access_token
key: NULL
key_len: NULL
ref: NULL
rows: 7473
r_rows: 11669.00
filtered: 100.00
r_filtered: 0.00
Extra: Using where
```
and after indexes were added
```
*************************** 1. row ***************************
id: 1
select_type: SIMPLE
table: v2_oauth2_authorization
type: index_merge
possible_keys: I_authorization_code_token,I_authorization_access_token,I_authorization_device_code_token,I_authorization_state,I_authorization_user_code_token,I_authorization_refresh_token,I_authorization_id_token
key: I_authorization_state,I_authorization_code_token,I_authorization_device_code_token,I_authorization_user_code_token,I_authorization_access_token,I_authorization_refresh_token,I_authorization_id_token
key_len: 3075,3075,3075,3075,3075,3075,3075
ref: NULL
rows: 7
r_rows: 0.00
filtered: 100.00
r_filtered: 100.00
Extra: Using sort_union(I_authorization_state,I_authorization_code_token,I_authorization_device_code_token,I_authorization_user_code_token,I_authorization_access_token,I_authorization_refresh_token,I_authorization_id_token); Using where
```
When tags matching the pattern 'v*' are pushed a new image is built and published. It is tagged with the number, and the "latest" rolling tag is updated.
Reviewed-by: Stefan Nenzén <nenzen@dsv.su.se>
Reviewed-on: #17
Public clients are intended to be supported with PKCE as a requirement. However, since exchanging the authorization code for a token is a cross-origin POST request it will be blocked due to lack of a CORS policy.
This change introduces a CORS policy for just the token exchange endpoint where POST is allowed.
Reviewed-on: #14
Reviewed-by: Stefan Nenzén <nenzen@dsv.su.se>
During a normal OIDC login workflow (authentication/consent, code exchange, and user info lookup), that results in SQL queries filtering on columns that are now indexed. Before it used to table scan which was extremely slow.
Reviewed-by: Stefan Nenzén <nenzen@dsv.su.se>
Reviewed-on: #12
Primary reason for this inclusion is for Nextcloud social login.
The login function uses the OIDC UserInfo endpoint to gather profile
data (name/email) as well as a way to assign group memberships in
Nextcloud which are based on some attribute in the UserInfo response.
We want to use entitlements as a way to assign groups in Nextcloud and
therefore the entitlements must be included in the UserInfo endpoint.
If they are included in the UserInfo endpoint then it makes sense to
also include them in the ID token.
There is some encoding error with the injection of Shibboleth attributes somewhere between the Apache SAML plugin -> AJP -> Tomcat. Tomcat treats the data as ISO-8859-1 while it actually is UTF-8.
A decision was made to not deploy as a drop-in replacement but rather migrate applications to the new authorzitanion server.
This means it is no longer necessary to maintain backwards-compatible URLs and can instead use more "standard" URLs.
Not super-critical since they should be discovered via metadata but still nice that the URLs map closer to what the endpoint is called in the various specifications.
Utilize Java serialization to turn the entire OAuth2Authorization to a binary blob and store that in the database. Could not find a better way to do it given the types involved (like Map<String, Object> properties). Sure, Java serialization can fail on arbitrary objects but hopefully since OAuth2Authorization implements java.io.Serializable any properties put in are serializable as well.
Allow developers to add this as a service to their Docker Compose file to enable local OAuth 2.0 flows.
See the following example:
```
services:
oauth2:
build: https://gitea.dsv.su.se/DMC/oauth2-authorization-server.git
restart: unless-stopped
ports:
- "<host_port>:8080"
environment:
CLIENT_ID=awesome-app
CLIENT_SECRET=p4ssw0rd
CLIENT_REDIRECT_URI=http://localhost/oauth2/callback
```
Reviewed-on: #1
Error controller must handle all HTTP methods, not just GET. For example if getting an error on submitting a form.
All the test that previously excluded DataSourceConfiguration can no longer do so because of the ClientAdminController that requires a ClientManagementService whose implementation relies on a DataSource.
ansv7779
