Stub out authorization_code grant implementation

Fixes gh-65

build.gradle

@@ -12,7 +12,8 @@ buildscript {
 
 apply plugin: 'io.spring.convention.root'
 
-group = 'org.springframework.experimental'
+group = 'org.springframework.security.experimental'
+description = 'Spring Authorization Server'
 version = '0.0.1-SNAPSHOT'
 
 repositories {

core/spring-authorization-server-core.gradle

@@ -1 +1,20 @@
 apply plugin: 'io.spring.convention.spring-module'
+
+dependencies {
+	compile 'org.springframework.security:spring-security-core'
+	compile 'org.springframework.security:spring-security-web'
+	compile 'org.springframework.security:spring-security-oauth2-core'
+	compile springCoreDependency
+	compile 'com.nimbusds:oauth2-oidc-sdk'
+	compile 'com.fasterxml.jackson.core:jackson-databind'
+
+	optional 'com.nimbusds:nimbus-jose-jwt'
+	optional 'org.springframework.security:spring-security-oauth2-jose'
+
+	testCompile 'junit:junit'
+	testCompile 'org.assertj:assertj-core'
+	testCompile 'org.mockito:mockito-core'
+	testCompile 'com.squareup.okhttp3:mockwebserver'
+
+	provided 'javax.servlet:javax.servlet-api'
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java

@@ -0,0 +1,31 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization;
+
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+
+import java.util.Map;
+
+/**
+ * @author Joe Grandja
+ */
+public class OAuth2Authorization {
+	private String registeredClientId;
+	private String principalName;
+	private OAuth2AccessToken accessToken;
+	private Map<String, Object> attributes;
+
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationService.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization;
+
+/**
+ * @author Joe Grandja
+ */
+public interface OAuth2AuthorizationService {
+
+	void save(OAuth2Authorization authorization);
+
+	OAuth2Authorization findByTokenAndTokenType(String token, TokenType tokenType);
+
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/TokenType.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization;
+
+import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.util.Assert;
+
+import java.io.Serializable;
+
+/**
+ * @author Joe Grandja
+ */
+public final class TokenType implements Serializable {
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+	public static final TokenType ACCESS_TOKEN = new TokenType("access_token");
+	public static final TokenType AUTHORIZATION_CODE = new TokenType("authorization_code");
+	private final String value;
+
+	public TokenType(String value) {
+		Assert.hasText(value, "value cannot be empty");
+		this.value = value;
+	}
+
+	public String getValue() {
+		return this.value;
+	}
+
+	@Override
+	public boolean equals(Object obj) {
+		if (this == obj) {
+			return true;
+		}
+		if (obj == null || this.getClass() != obj.getClass()) {
+			return false;
+		}
+		TokenType that = (TokenType) obj;
+		return this.getValue().equals(that.getValue());
+	}
+
+	@Override
+	public int hashCode() {
+		return this.getValue().hashCode();
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AccessTokenAuthenticationToken.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.security.oauth2.core.OAuth2AccessToken;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+
+import java.util.Collections;
+
+/**
+ * @author Joe Grandja
+ */
+public class OAuth2AccessTokenAuthenticationToken extends AbstractAuthenticationToken {
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+	private RegisteredClient registeredClient;
+	private Authentication clientPrincipal;
+	private OAuth2AccessToken accessToken;
+
+	public OAuth2AccessTokenAuthenticationToken(RegisteredClient registeredClient,
+			Authentication clientPrincipal, OAuth2AccessToken accessToken) {
+		super(Collections.emptyList());
+		this.registeredClient = registeredClient;
+		this.clientPrincipal = clientPrincipal;
+		this.accessToken = accessToken;
+	}
+
+	@Override
+	public Object getCredentials() {
+		return null;
+	}
+
+	@Override
+	public Object getPrincipal() {
+		return null;
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.crypto.keygen.StringKeyGenerator;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+
+/**
+ * @author Joe Grandja
+ */
+public class OAuth2AuthorizationCodeAuthenticationProvider implements AuthenticationProvider {
+	private RegisteredClientRepository registeredClientRepository;
+	private OAuth2AuthorizationService authorizationService;
+	private StringKeyGenerator accessTokenGenerator;
+
+	@Override
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		return authentication;
+	}
+
+	@Override
+	public boolean supports(Class<?> authentication) {
+		return OAuth2AuthorizationCodeAuthenticationToken.class.isAssignableFrom(authentication);
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationToken.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import org.springframework.lang.Nullable;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.SpringSecurityCoreVersion;
+
+import java.util.Collections;
+
+/**
+ * @author Joe Grandja
+ */
+public class OAuth2AuthorizationCodeAuthenticationToken extends AbstractAuthenticationToken {
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+	private String code;
+	private Authentication clientPrincipal;
+	private String clientId;
+	private String redirectUri;
+
+	public OAuth2AuthorizationCodeAuthenticationToken(String code,
+			Authentication clientPrincipal, @Nullable String redirectUri) {
+		super(Collections.emptyList());
+		this.code = code;
+		this.redirectUri = redirectUri;
+		this.clientPrincipal = clientPrincipal;
+	}
+
+	public OAuth2AuthorizationCodeAuthenticationToken(String code,
+			String clientId, @Nullable String redirectUri) {
+		super(Collections.emptyList());
+		this.code = code;
+		this.redirectUri = redirectUri;
+		this.clientId = clientId;
+	}
+
+	@Override
+	public Object getCredentials() {
+		return null;
+	}
+
+	@Override
+	public Object getPrincipal() {
+		return null;
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationProvider.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+
+/**
+ * @author Joe Grandja
+ */
+public class OAuth2ClientAuthenticationProvider implements AuthenticationProvider {
+	private RegisteredClientRepository registeredClientRepository;
+
+	@Override
+	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+		return authentication;
+	}
+
+	@Override
+	public boolean supports(Class<?> authentication) {
+		return OAuth2ClientAuthenticationToken.class.isAssignableFrom(authentication);
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationToken.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+
+import java.util.Collections;
+
+/**
+ * @author Joe Grandja
+ */
+public class OAuth2ClientAuthenticationToken extends AbstractAuthenticationToken {
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+	private String clientId;
+	private String clientSecret;
+	private RegisteredClient registeredClient;
+
+	public OAuth2ClientAuthenticationToken(String clientId, String clientSecret) {
+		super(Collections.emptyList());
+		this.clientId = clientId;
+		this.clientSecret = clientSecret;
+	}
+
+	public OAuth2ClientAuthenticationToken(RegisteredClient registeredClient) {
+		super(Collections.emptyList());
+		this.registeredClient = registeredClient;
+		setAuthenticated(true);
+	}
+
+	@Override
+	public Object getCredentials() {
+		return null;
+	}
+
+	@Override
+	public Object getPrincipal() {
+		return null;
+	}
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/client/RegisteredClient.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.client;
+
+import org.springframework.security.core.SpringSecurityCoreVersion;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * @author Joe Grandja
+ */
+public class RegisteredClient implements Serializable {
+	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
+	private String id;
+	private String clientId;
+	private String clientSecret;
+	private Set<ClientAuthenticationMethod> clientAuthenticationMethods = Collections.emptySet();
+	private Set<AuthorizationGrantType> authorizationGrantTypes = Collections.emptySet();
+	private Set<String> redirectUris = Collections.emptySet();
+	private Set<String> scopes = Collections.emptySet();
+
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/client/RegisteredClientRepository.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.client;
+
+/**
+ * @author Joe Grandja
+ */
+public interface RegisteredClientRepository {
+
+	RegisteredClient findById(String id);
+
+	RegisteredClient findByClientId(String clientId);
+
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.web;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.crypto.keygen.StringKeyGenerator;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author Joe Grandja
+ */
+public class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilter {
+	private Converter<HttpServletRequest, OAuth2AuthorizationRequest> authorizationRequestConverter;
+	private RegisteredClientRepository registeredClientRepository;
+	private OAuth2AuthorizationService authorizationService;
+	private StringKeyGenerator codeGenerator;
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request,
+			HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+
+	}
+
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2ClientAuthenticationFilter.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.web;
+
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author Joe Grandja
+ */
+public class OAuth2ClientAuthenticationFilter extends OncePerRequestFilter {
+	private AuthenticationManager authenticationManager;
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request,
+			HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+
+	}
+
+}

core/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenEndpointFilter.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.web;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+/**
+ * @author Joe Grandja
+ */
+public class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
+	private Converter<HttpServletRequest, Authentication> authorizationGrantConverter;
+	private AuthenticationManager authenticationManager;
+	private OAuth2AuthorizationService authorizationService;
+
+	@Override
+	protected void doFilterInternal(HttpServletRequest request,
+			HttpServletResponse response, FilterChain filterChain)
+			throws ServletException, IOException {
+
+	}
+}

gradle/dependency-management.gradle

@@ -1,11 +1,18 @@
 dependencyManagement {
 	imports {
 		mavenBom 'org.springframework:spring-framework-bom:latest.release'
+		mavenBom 'org.springframework.security:spring-security-bom:latest.release'
 	}
 
 	dependencies {
+		dependency "com.nimbusds:oauth2-oidc-sdk:latest.release"
+		dependency "com.nimbusds:nimbus-jose-jwt:latest.release"
+		dependency "com.fasterxml.jackson.core:jackson-databind:2.+"
+		dependency "javax.servlet:javax.servlet-api:4.+"
 		dependency 'junit:junit:latest.release'
 		dependency 'org.assertj:assertj-core:latest.release'
 		dependency 'org.mockito:mockito-core:latest.release'
+		dependency "com.squareup.okhttp3:mockwebserver:3.+"
+		dependency "com.squareup.okhttp3:okhttp:3.+"
 	}
 }