Add device client sample

Author: Steve Riesenberg

samples/device-client/samples-device-client.gradle

@@ -0,0 +1,35 @@
+plugins {
+	id "org.springframework.boot" version "3.0.0"
+	id "io.spring.dependency-management" version "1.0.11.RELEASE"
+	id "java"
+}
+
+group = project.rootProject.group
+version = project.rootProject.version
+sourceCompatibility = "17"
+
+repositories {
+	maven {
+		url = "https://repo.spring.io/snapshot"
+	}
+	mavenCentral()
+}
+
+// Temporarily use SNAPSHOT version
+// TODO: Use 6.1.0-M2 version after release
+ext["spring-security.version"] = "6.1.0-SNAPSHOT"
+
+dependencies {
+	implementation "org.springframework.boot:spring-boot-starter-web"
+	implementation "org.springframework.boot:spring-boot-starter-thymeleaf"
+	implementation "org.springframework.boot:spring-boot-starter-security"
+	implementation "org.springframework.boot:spring-boot-starter-oauth2-client"
+	implementation "org.springframework:spring-webflux"
+	//implementation "io.projectreactor.netty:reactor-netty"
+	implementation "org.webjars:webjars-locator-core"
+	implementation "org.webjars:bootstrap:3.4.1"
+	implementation "org.webjars:jquery:3.4.1"
+
+	testImplementation "org.springframework.boot:spring-boot-starter-test"
+	testImplementation "org.springframework.security:spring-security-test"
+}

samples/device-client/src/main/java/sample/DeviceClientApplication.java

@@ -0,0 +1,32 @@
+/*
+ * Copyright 2020-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+/**
+ * @author Steve Riesenberg
+ * @since 1.1
+ */
+@SpringBootApplication
+public class DeviceClientApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(DeviceClientApplication.class, args);
+	}
+
+}

samples/device-client/src/main/java/sample/config/SecurityConfig.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2020-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+
+/**
+ * @author Steve Riesenberg
+ * @since 1.1
+ */
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+	@Bean
+	public WebSecurityCustomizer webSecurityCustomizer() {
+		return (web) -> web.ignoring().requestMatchers("/webjars/**", "/assets/**");
+	}
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		// @formatter:off
+		http
+			.authorizeHttpRequests((authorize) -> authorize
+				.requestMatchers("/", "/authorize").permitAll()
+				.anyRequest().authenticated()
+			)
+			.exceptionHandling((exceptions) -> exceptions
+				.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/"))
+			)
+			.oauth2Client(Customizer.withDefaults());
+		// @formatter:on
+		return http.build();
+	}
+
+}

samples/device-client/src/main/java/sample/config/WebClientConfig.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2020-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample.config;
+
+import sample.web.authentication.DeviceCodeOAuth2AuthorizedClientProvider;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
+import org.springframework.web.reactive.function.client.WebClient;
+
+/**
+ * @author Steve Riesenberg
+ * @since 1.1
+ */
+@Configuration
+public class WebClientConfig {
+
+	@Bean
+	public WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
+		ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
+				new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
+		// @formatter:off
+		return WebClient.builder()
+				.apply(oauth2Client.oauth2Configuration())
+				.build();
+		// @formatter:on
+	}
+
+	@Bean
+	public OAuth2AuthorizedClientManager authorizedClientManager(
+			ClientRegistrationRepository clientRegistrationRepository,
+			OAuth2AuthorizedClientRepository authorizedClientRepository) {
+
+		OAuth2AuthorizedClientProvider authorizedClientProvider =
+				OAuth2AuthorizedClientProviderBuilder.builder()
+						.provider(new DeviceCodeOAuth2AuthorizedClientProvider())
+						.authorizationCode()
+						.refreshToken()
+						.build();
+		DefaultOAuth2AuthorizedClientManager authorizedClientManager =
+				new DefaultOAuth2AuthorizedClientManager(
+						clientRegistrationRepository, authorizedClientRepository);
+		authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+		// Set a contextAttributesMapper to obtain device_code from the request
+		authorizedClientManager.setContextAttributesMapper(DeviceCodeOAuth2AuthorizedClientProvider
+				.deviceCodeContextAttributesMapper());
+
+		return authorizedClientManager;
+	}
+
+}

samples/device-client/src/main/java/sample/web/DeviceController.java

@@ -0,0 +1,192 @@
+/*
+ * Copyright 2020-2023 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package sample.web;
+
+import java.time.Instant;
+import java.util.Map;
+import java.util.Objects;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.ParameterizedTypeReference;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.core.OAuth2DeviceCode;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.util.LinkedMultiValueMap;
+import org.springframework.util.MultiValueMap;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.reactive.function.BodyInserters;
+import org.springframework.web.reactive.function.client.WebClient;
+
+import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient;
+
+/**
+ * @author Steve Riesenberg
+ * @since 1.1
+ */
+@Controller
+public class DeviceController {
+
+	private static final ParameterizedTypeReference<Map<String, Object>> TYPE_REFERENCE =
+			new ParameterizedTypeReference<>() {};
+
+	private final ClientRegistrationRepository clientRegistrationRepository;
+
+	private final WebClient webClient;
+
+	private final String messagesBaseUri;
+
+	private final SecurityContextRepository securityContextRepository =
+			new HttpSessionSecurityContextRepository();
+
+	private final SecurityContextHolderStrategy securityContextHolderStrategy =
+			SecurityContextHolder.getContextHolderStrategy();
+
+	public DeviceController(ClientRegistrationRepository clientRegistrationRepository, WebClient webClient,
+			@Value("${messages.base-uri}") String messagesBaseUri) {
+
+		this.clientRegistrationRepository = clientRegistrationRepository;
+		this.webClient = webClient;
+		this.messagesBaseUri = messagesBaseUri;
+	}
+
+	@GetMapping("/")
+	public String index() {
+		return "index";
+	}
+
+	@GetMapping("/authorize")
+	public String authorize(Model model, HttpServletRequest request, HttpServletResponse response) {
+		// @formatter:off
+		ClientRegistration clientRegistration =
+				this.clientRegistrationRepository.findByRegistrationId(
+						"messaging-client-device-grant");
+		// @formatter:on
+
+		MultiValueMap<String, String> requestParameters = new LinkedMultiValueMap<>();
+		requestParameters.add(OAuth2ParameterNames.CLIENT_ID, clientRegistration.getClientId());
+		requestParameters.add(OAuth2ParameterNames.SCOPE, StringUtils.collectionToDelimitedString(
+				clientRegistration.getScopes(), " "));
+
+		// @formatter:off
+		Map<String, Object> responseParameters =
+				this.webClient.post()
+						.uri(clientRegistration.getProviderDetails().getAuthorizationUri())
+						.headers(headers -> headers.setBasicAuth(clientRegistration.getClientId(),
+								clientRegistration.getClientSecret()))
+						.contentType(MediaType.APPLICATION_FORM_URLENCODED)
+						.body(BodyInserters.fromFormData(requestParameters))
+						.retrieve()
+						.bodyToMono(TYPE_REFERENCE)
+						.block();
+		// @formatter:on
+
+		Objects.requireNonNull(responseParameters, "Device Authorization Response cannot be null");
+		Instant issuedAt = Instant.now();
+		Integer expiresIn = (Integer) responseParameters.get(OAuth2ParameterNames.EXPIRES_IN);
+		Instant expiresAt = issuedAt.plusSeconds(expiresIn);
+		String deviceCodeValue = (String) responseParameters.get(OAuth2ParameterNames.DEVICE_CODE);
+
+		OAuth2DeviceCode deviceCode = new OAuth2DeviceCode(deviceCodeValue, issuedAt, expiresAt);
+		saveSecurityContext(deviceCode, request, response);
+
+		model.addAttribute("deviceCode", deviceCode.getTokenValue());
+		model.addAttribute("expiresAt", deviceCode.getExpiresAt());
+		model.addAttribute("userCode", responseParameters.get(OAuth2ParameterNames.USER_CODE));
+		model.addAttribute("verificationUri", responseParameters.get(OAuth2ParameterNames.VERIFICATION_URI));
+		// Note: You could use a QR-code to display this URL
+		model.addAttribute("verificationUriComplete", responseParameters.get(
+				OAuth2ParameterNames.VERIFICATION_URI_COMPLETE));
+
+		return "authorize";
+	}
+
+	/**
+	 * @see DeviceControllerAdvice
+	 */
+	@PostMapping("/authorize")
+	public ResponseEntity<Void> poll(@RequestParam(OAuth2ParameterNames.DEVICE_CODE) String deviceCode,
+			@RegisteredOAuth2AuthorizedClient("messaging-client-device-grant")
+					OAuth2AuthorizedClient authorizedClient) {
+
+		// The client will repeatedly poll until authorization is granted.
+		//
+		// The OAuth2AuthorizedClientManager uses the device_code parameter
+		// to make a token request, which returns authorization_pending until
+		// the user has granted authorization.
+		//
+		// If the user has denied authorization, access_denied is returned and
+		// polling should stop.
+		//
+		// If the device code expires, expired_token is returned and polling
+		// should stop.
+		//
+		// This endpoint simply returns 200 OK when client is authorized.
+		return ResponseEntity.status(HttpStatus.OK).build();
+	}
+
+	@GetMapping("/authorized")
+	public String authorized(Model model,
+			@RegisteredOAuth2AuthorizedClient("messaging-client-device-grant")
+					OAuth2AuthorizedClient authorizedClient) {
+
+		String[] messages = this.webClient.get()
+				.uri(this.messagesBaseUri)
+				.attributes(oauth2AuthorizedClient(authorizedClient))
+				.retrieve()
+				.bodyToMono(String[].class)
+				.block();
+		model.addAttribute("messages", messages);
+
+		return "authorized";
+	}
+
+	private void saveSecurityContext(OAuth2DeviceCode deviceCode, HttpServletRequest request,
+			HttpServletResponse response) {
+
+		// @formatter:off
+		UsernamePasswordAuthenticationToken deviceAuthentication =
+				UsernamePasswordAuthenticationToken.authenticated(
+						deviceCode, null, AuthorityUtils.createAuthorityList("ROLE_DEVICE"));
+		// @formatter:on
+
+		SecurityContext securityContext = this.securityContextHolderStrategy.createEmptyContext();
+		securityContext.setAuthentication(deviceAuthentication);
+		this.securityContextHolderStrategy.setContext(securityContext);
+		this.securityContextRepository.saveContext(securityContext, request, response);
+	}
+
+}