changed configuration from a single user to multiple users

Author: martin-kuba

README.md

@@ -3,12 +3,13 @@
 (c) 2020 Martin Kuba, CESNET
 
 This application implements an OpenID Connect (OIDC) Authorization Server (AS) that
-provides just one user. Its purpose is to provide a temporary OIDC AS that can be
+provides a constant set of users. Its original purpose was to provide a temporary OIDC AS that can be
 used after deployment of an OIDC client and an OIDC resource server to set them up before
-a real OIDC server is deployed.
+a real OIDC server is deployed. But it can be used for other purposes like testing.
 
 This fake server has the following features:
 * it is implemented in Java as Spring Boot application
+* is deployed as JAR file executable on Linux
 * implements the following grant types:
   * **Implicit Grant flow** (for JavaScript clients - deprecated)
   * **Authorization Code flow with Proof Key for Code Exchange** (for JavaScript clients - recommended)

pom.xml

@@ -5,16 +5,16 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.4.5</version>
+		<version>2.6.3</version>
 	</parent>
 	<groupId>cz.metacentrum</groupId>
 	<artifactId>fake_oidc</artifactId>
-	<version>1.2.0</version>
+	<version>1.3.0</version>
 	<name>fake_oidc</name>
 	<description>Fake OpenId Connect Authorization Server</description>
 
 	<properties>
-		<java.version>11</java.version>
+		<java.version>17</java.version>
 	</properties>
 
 	<dependencies>
@@ -44,7 +44,7 @@
 		<dependency>
 			<groupId>com.nimbusds</groupId>
 			<artifactId>nimbus-jose-jwt</artifactId>
-			<version>8.19</version>
+			<version>9.16.1</version>
 		</dependency>
 	</dependencies>
 
@@ -54,15 +54,12 @@
 			<plugin>
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-maven-plugin</artifactId>
+				<configuration>
+					<!-- https://docs.spring.io/spring-boot/docs/current/reference/html/deployment.html#deployment.installing -->
+					<executable>true</executable>
+				</configuration>
 			</plugin>
 		</plugins>
 	</build>
-	<distributionManagement>
-		<repository>
-			<id>github</id>
-			<name>GitHub Packages</name>
-			<url>https://maven.pkg.github.com/CESNET/fake-oidc-server</url>
-		</repository>
-	</distributionManagement>
 
 </project>

src/main/java/cz/metacentrum/fake_oidc/FakeOidcServerProperties.java

@@ -3,19 +3,21 @@
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.stereotype.Component;
 
+import java.util.List;
+
 @Component
 @ConfigurationProperties(prefix="oidc")
 public class FakeOidcServerProperties {
 
-    private User user;
+    private List<User> users;
     private long tokenExpirationSeconds;
 
-    public User getUser() {
-        return user;
+    public List<User> getUsers() {
+        return users;
     }
 
-    public void setUser(User user) {
-        this.user = user;
+    public void setUsers(List<User> users) {
+        this.users = users;
     }
 
     public long getTokenExpirationSeconds() {
@@ -29,7 +31,7 @@ public void setTokenExpirationSeconds(long tokenExpirationSeconds) {
     @Override
     public String toString() {
         return "FakeOidcServerProperties{" +
-                "user=" + user +
+                "users=" + users +
                 ", tokenExpirationSeconds=" + tokenExpirationSeconds +
                 '}';
     }

src/main/java/cz/metacentrum/fake_oidc/OidcController.java

@@ -18,7 +18,6 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
-import org.springframework.util.Base64Utils;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestHeader;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -43,6 +42,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
@@ -136,7 +136,7 @@ public ResponseEntity<?> userinfo(@RequestHeader("Authorization") String auth,
                                       HttpServletRequest req) {
         log.info("called " + USERINFO_ENDPOINT + " from {}", req.getRemoteHost());
         if (!auth.startsWith("Bearer ")) {
-            if(access_token == null) {
+            if (access_token == null) {
                 return ResponseEntity.status(HttpStatus.UNAUTHORIZED).body("No token");
             }
             auth = access_token;
@@ -217,7 +217,7 @@ public ResponseEntity<?> token(@RequestParam String grant_type,
         }
         if (codeInfo.codeChallenge != null) {
             // check PKCE
-            if(code_verifier == null) {
+            if (code_verifier == null) {
                 return jsonError("invalid_request", "code_verifier missing");
             }
             if ("S256".equals(codeInfo.codeChallengeMethod)) {
@@ -274,39 +274,40 @@ public ResponseEntity<?> authorize(@RequestParam String client_id,
             String[] creds = new String(Base64.getDecoder().decode(auth.split(" ")[1])).split(":", 2);
             String login = creds[0];
             String password = creds[1];
-            User user = serverProperties.getUser();
-            if (user.getLogname().equals(login) && user.getPassword().equals(password)) {
-                log.info("password for user {} is correct", login);
-                Set<String> responseType = setFromSpaceSeparatedString(response_type);
-                String iss = uriBuilder.replacePath("/").build().encode().toUriString();
-                if (responseType.contains("token")) {
-                    // implicit flow
-                    log.info("using implicit flow");
-                    String access_token = createAccessToken(iss, user, client_id, scope);
-                    String id_token = createIdToken(iss, user, client_id, nonce, access_token);
-                    String url = redirect_uri + "#" +
-                            "access_token=" + urlencode(access_token) +
-                            "&token_type=Bearer" +
-                            "&state=" + urlencode(state) +
-                            "&expires_in=" + serverProperties.getTokenExpirationSeconds() +
-                            "&id_token=" + urlencode(id_token);
-                    return ResponseEntity.status(HttpStatus.FOUND).header("Location", url).build();
-                } else if (responseType.contains("code")) {
-                    // authorization code flow
-                    log.info("using authorization code flow {}", code_challenge!=null ? "with PKCE" : "");
-                    String code = createAuthorizationCode(code_challenge, code_challenge_method, client_id, redirect_uri, user, iss, scope, nonce);
-                    String url = redirect_uri + "?" +
-                            "code=" + code +
-                            "&state=" + urlencode(state);
-                    return ResponseEntity.status(HttpStatus.FOUND).header("Location", url).build();
-                } else {
-                    String url = redirect_uri + "#" + "error=unsupported_response_type";
-                    return ResponseEntity.status(HttpStatus.FOUND).header("Location", url).build();
+            List<User> users = serverProperties.getUsers();
+            for (User user : users) {
+                if (user.getLogname().equals(login) && user.getPassword().equals(password)) {
+                    log.info("password for user {} is correct", login);
+                    Set<String> responseType = setFromSpaceSeparatedString(response_type);
+                    String iss = uriBuilder.replacePath("/").build().encode().toUriString();
+                    if (responseType.contains("token")) {
+                        // implicit flow
+                        log.info("using implicit flow");
+                        String access_token = createAccessToken(iss, user, client_id, scope);
+                        String id_token = createIdToken(iss, user, client_id, nonce, access_token);
+                        String url = redirect_uri + "#" +
+                                "access_token=" + urlencode(access_token) +
+                                "&token_type=Bearer" +
+                                "&state=" + urlencode(state) +
+                                "&expires_in=" + serverProperties.getTokenExpirationSeconds() +
+                                "&id_token=" + urlencode(id_token);
+                        return ResponseEntity.status(HttpStatus.FOUND).header("Location", url).build();
+                    } else if (responseType.contains("code")) {
+                        // authorization code flow
+                        log.info("using authorization code flow {}", code_challenge != null ? "with PKCE" : "");
+                        String code = createAuthorizationCode(code_challenge, code_challenge_method, client_id, redirect_uri, user, iss, scope, nonce);
+                        String url = redirect_uri + "?" +
+                                "code=" + code +
+                                "&state=" + urlencode(state);
+                        return ResponseEntity.status(HttpStatus.FOUND).header("Location", url).build();
+                    } else {
+                        String url = redirect_uri + "#" + "error=unsupported_response_type";
+                        return ResponseEntity.status(HttpStatus.FOUND).header("Location", url).build();
+                    }
                 }
-            } else {
-                log.info("wrong user and password combination");
-                return response401();
             }
+            log.info("wrong user and password combination");
+            return response401();
         }
     }
 

src/main/resources/application.yml

@@ -1,7 +1,7 @@
 # every value can be changed from command line by preceding the option with --
 # see https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-external-config-command-line-args
 # example:
-#   java -jar fake_oidc.jar --server.port=8100 -server.ssl.key-store=mykeystore.p12 --oidc.user.password=bflmpsvz
+#   target/fake_oidc_server.jar --server.port=8100 -server.ssl.key-store=mykeystore.p12 --oidc.user.password=bflmpsvz
 
 server:
   port: 8090
@@ -13,12 +13,20 @@ server:
     key-store-password: password
 oidc:
   tokenExpirationSeconds: 36000
-  user:
-    logname: "perun"
-    password: "test"
-    sub: "perun1"
-    name: "Master Perun"
-    given_name: "Master"
-    family_name: "Perun"
-    preferred_username: "perun"
-    email: "perun@cesnet.cz"
+  users:
+    - logname: "perun"
+      password: "test"
+      sub: "perun1"
+      name: "Master Perun"
+      given_name: "Master"
+      family_name: "Perun"
+      preferred_username: "perun"
+      email: "perun@cesnet.cz"
+    - logname: "makub"
+      password: "test"
+      sub: "makub1"
+      name: "Martin Kuba"
+      given_name: "Kuba"
+      family_name: "Martin"
+      preferred_username: "makub"
+      email: "makub@ics.muni.cz"