✨ Support custom verification of client_secret

d44b851d · 智布道 · bf9b8769 · d44b851d · d44b851d · d44b851d
4 changed file
--- a/jap-ids/src/main/java/com/fujieid/jap/ids/context/IdsContext.java
+++ b/jap-ids/src/main/java/com/fujieid/jap/ids/context/IdsContext.java
@@ -45,6 +45,8 @@ public class IdsContext implements Serializable {

    private IdsTokenService tokenService = new IdsTokenServiceImpl();

+    private IdsSecretService secretService = new IdsSimpleSecretServiceImpl();
+
    private IdsConfig idsConfig;

    private IdsPipeline<Object> filterPipeline;
@@ -116,6 +118,15 @@ public class IdsContext implements Serializable {
        return this;
    }

+    public IdsSecretService getSecretService() {
+        return secretService;
+    }
+
+    public IdsContext setSecretService(IdsSecretService secretService) {
+        this.secretService = secretService;
+        return this;
+    }
+
    public IdsPipeline<Object> getFilterPipeline() {
        return filterPipeline;
    }

--- a/jap-ids/src/main/java/com/fujieid/jap/ids/service/IdsSecretService.java
+++ b/jap-ids/src/main/java/com/fujieid/jap/ids/service/IdsSecretService.java
+/*
+ * Copyright (c) 2020-2040, 北京符节科技有限公司 (support@fujieid.com & https://www.fujieid.com).
+ * <p>
+ * Licensed under the GNU LESSER GENERAL PUBLIC LICENSE 3.0;
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.gnu.org/licenses/lgpl.html
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.fujieid.jap.ids.service;
+
+/**
+ * Service interface for verifying client_secret.
+ * <p>
+ * The preferred implementation is {@link IdsSimpleSecretServiceImpl}.
+ *
+ * @author yadong.zhang (yadong.zhang0415(a)gmail.com)
+ * @version 1.0.0
+ * @since 1.0.4
+ */
+public interface IdsSecretService {
+
+    /**
+     * Verify the encoded secret obtained from storage matches the submitted raw
+     * secret after it too is encoded. Returns true if the secret match, false if
+     * they do not. The stored secret itself is never decoded.
+     *
+     * @param rawSecret     the raw secret to encode and match
+     * @param encodedSecret the encoded secret from storage to compare with
+     * @return true if the raw secret, after encoding, matches the encoded secret from
+     * storage
+     */
+    boolean matches(CharSequence rawSecret, String encodedSecret);
+}
--- a/jap-ids/src/main/java/com/fujieid/jap/ids/service/IdsSimpleSecretServiceImpl.java
+++ b/jap-ids/src/main/java/com/fujieid/jap/ids/service/IdsSimpleSecretServiceImpl.java
+/*
+ * Copyright (c) 2020-2040, 北京符节科技有限公司 (support@fujieid.com & https://www.fujieid.com).
+ * <p>
+ * Licensed under the GNU LESSER GENERAL PUBLIC LICENSE 3.0;
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.gnu.org/licenses/lgpl.html
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.fujieid.jap.ids.service;
+
+import com.xkcoding.json.util.StringUtil;
+
+/**
+ * Implementation of IdsSecretService that uses the {@code String.equals} function
+ *
+ * @author yadong.zhang (yadong.zhang0415(a)gmail.com)
+ * @version 1.0.0
+ * @since 1.0.0
+ */
+public class IdsSimpleSecretServiceImpl implements IdsSecretService {
+
+    /**
+     * Verify the encoded secret obtained from storage matches the submitted raw
+     * secret after it too is encoded. Returns true if the secret match, false if
+     * they do not. The stored secret itself is never decoded.
+     *
+     * @param rawSecret     the raw secret to encode and match
+     * @param encodedSecret the encoded secret from storage to compare with
+     * @return true if the raw secret, after encoding, matches the encoded secret from
+     * storage
+     */
+    @Override
+    public boolean matches(CharSequence rawSecret, String encodedSecret) {
+        return !StringUtil.isEmpty(encodedSecret) && rawSecret.equals(encodedSecret);
+    }
+}
--- a/jap-ids/src/main/java/com/fujieid/jap/ids/util/OauthUtil.java
+++ b/jap-ids/src/main/java/com/fujieid/jap/ids/util/OauthUtil.java
@@ -20,12 +20,14 @@ import cn.hutool.core.util.ArrayUtil;
 import cn.hutool.core.util.RandomUtil;
 import cn.hutool.core.util.URLUtil;
 import cn.hutool.crypto.SecureUtil;
+import com.fujieid.jap.ids.JapIds;
 import com.fujieid.jap.ids.exception.*;
 import com.fujieid.jap.ids.model.ClientDetail;
 import com.fujieid.jap.ids.model.IdsConsts;
 import com.fujieid.jap.ids.model.IdsRequestParam;
 import com.fujieid.jap.ids.model.enums.ErrorResponse;
 import com.fujieid.jap.ids.model.enums.GrantType;
+import com.fujieid.jap.ids.service.IdsSecretService;
 import com.fujieid.jap.ids.service.Oauth2Service;
 import com.xkcoding.json.util.StringUtil;
 import org.jose4j.base64url.Base64Url;
@@ -146,14 +148,21 @@ public class OauthUtil {
            if (param.isEnablePkce()) {
                oauth2Service.validateAuthrizationCodeChallenge(param.getCodeVerifier(), param.getCode());
            } else {
-                if (StringUtil.isEmpty(param.getClientSecret()) || !clientDetail.getClientSecret().equals(param.getClientSecret())) {
-                    throw new InvalidClientException(ErrorResponse.INVALID_CLIENT);
-                }
+                matchesSecret(param, clientDetail);
            }
        } else {
-            if (StringUtil.isEmpty(param.getClientSecret()) || !clientDetail.getClientSecret().equals(param.getClientSecret())) {
-                throw new InvalidClientException(ErrorResponse.INVALID_CLIENT);
-            }
+            matchesSecret(param, clientDetail);
+        }
+    }
+
+    private static void matchesSecret(IdsRequestParam param, ClientDetail clientDetail) {
+        IdsSecretService secretService = JapIds.getContext().getSecretService();
+        if (null == secretService) {
+            throw new IdsTokenException("com.fujieid.jap.ids.service.IdsSecretService has not been injected");
+        }
+
+        if (!secretService.matches(clientDetail.getClientSecret(), param.getClientSecret())) {
+            throw new InvalidClientException(ErrorResponse.INVALID_CLIENT);
        }
    }