networknt · stevehu · Jan 5, 2024 · Jan 5, 2024
diff --git a/openapi-security/src/test/java/com/networknt/openapi/JwkHandler.java b/openapi-security/src/test/java/com/networknt/openapi/JwkHandler.java
@@ -0,0 +1,19 @@
+package com.networknt.openapi;
+
+import com.networknt.handler.LightHttpHandler;
+import io.undertow.server.HttpServerExchange;
+import io.undertow.util.HttpString;
+
+public class JwkHandler implements LightHttpHandler {
+
+    public JwkHandler() {
+        if(logger.isInfoEnabled()) logger.info("JwkHandler constructed");
+    }
+
+    @Override
+    public void handleRequest(HttpServerExchange exchange) throws Exception {
+        exchange.setStatusCode(200);
+        exchange.getResponseHeaders().add(new HttpString("Content-Type"), "application/json");
+        exchange.getResponseSender().send("{\"keys\":[{\"kty\":\"RSA\",\"kid\":\"Tj_l_tIBTginOtQbL0Pv5w\",\"n\":\"0YRbWAb1FGDpPUUcrIpJC6BwlswlKMS-z2wMAobdo0BNxNa7hG_gIHVPkXu14Jfo1JhUhS4wES3DdY3a6olqPcRN1TCCUVHd-1TLd1BBS-yq9tdJ6HCewhe5fXonaRRKwutvoH7i_eR4m3fQ1GoVzVAA3IngpTr4ptnM3Ef3fj-5wZYmitzrRUyQtfARTl3qGaXP_g8pHFAP0zrNVvOnV-jcNMKm8YZNcgcs1SuLSFtUDXpf7Nr2_xOhiNM-biES6Dza1sMLrlxULFuctudO9lykB7yFh3LHMxtIZyIUHuy0RbjuOGC5PmDowLttZpPI_j4ynJHAaAWr8Ddz764WdQ\",\"e\":\"AQAB\"}]}");
+    }
+}
diff --git a/...api-security/src/test/java/com/networknt/openapi/JwtVerifierHandlerMultipleSpecsTest.java b/...api-security/src/test/java/com/networknt/openapi/JwtVerifierHandlerMultipleSpecsTest.java
diff --git a/openapi-security/src/test/java/com/networknt/openapi/JwtVerifyHandlerTest.java b/openapi-security/src/test/java/com/networknt/openapi/JwtVerifyHandlerTest.java
diff --git a/openapi-security/src/test/java/com/networknt/openapi/UnifiedSecurityConfigTest.java b/openapi-security/src/test/java/com/networknt/openapi/UnifiedSecurityConfigTest.java
@@ -14,7 +14,7 @@ public void testLoadConfig() {
         List<String> anonymousPrefixes = config.getAnonymousPrefixes();
         Assert.assertTrue(anonymousPrefixes.contains("/v1/dogs"));
         Assert.assertTrue(anonymousPrefixes.contains("/v1/cats"));
-        Assert.assertEquals(2, config.getAnonymousPrefixes().size());
+        Assert.assertEquals(3, config.getAnonymousPrefixes().size());
         // check the pathPrefixAuths
         Assert.assertEquals(4, config.getPathPrefixAuths().size());
         UnifiedPathPrefixAuth auth1 = config.getPathPrefixAuths().get(0);

diff --git a/openapi-security/src/test/java/com/networknt/openapi/UnifiedSecurityHandlerTest.java b/openapi-security/src/test/java/com/networknt/openapi/UnifiedSecurityHandlerTest.java
diff --git a/openapi-security/src/test/resources/config/openapi-handler-multiple.yml b/openapi-security/src/test/resources/config/openapi-handler-multiple.yml
@@ -7,3 +7,4 @@ multipleSpec: ${openapi-handler.multipleSpec:true}
 pathSpecMapping:
   /petstore: openapi-petstore
   /market: openapi-market
+  /oauth2: openapi-oauth2
diff --git a/openapi-security/src/test/resources/config/openapi-oauth2.yaml b/openapi-security/src/test/resources/config/openapi-oauth2.yaml
@@ -0,0 +1,318 @@
+---
+openapi: "3.0.0"
+info:
+  version: "1.0.0"
+  title: "OAuth2 Service"
+  description: "OAuth2 Service that include code, token and keys."
+  contact:
+    email: "[email protected]"
+  license:
+    name: "Apache 2.0"
+    url: "http://www.apache.org/licenses/LICENSE-2.0.html"
+servers:
+  - url: "https://oauth2.networknt.com/oauth2"
+paths:
+  /{hostId}/code:
+    get:
+      description: "Return 302 redirect with authorization code"
+      operationId: "getAuthCode"
+      parameters:
+        - name: "hostId"
+          description: "The host id this service belongs to"
+          in: "path"
+          required: true
+          schema:
+            type: "string"
+        - name: "response_type"
+          in: "query"
+          description: "The response type for authorization code"
+          required: true
+          schema:
+            type: "string"
+            enum:
+              - "code"
+        - name: "client_id"
+          in: "query"
+          description: "The client id for authorization code"
+          required: true
+          schema:
+            type: "string"
+        - name: "redirect_uri"
+          in: "query"
+          description: "The redirect uri for authorization code"
+          required: false
+          schema:
+            type: "string"
+        - name: "username"
+          in: "query"
+          description: "The user name for authorization code"
+          required: false
+          schema:
+            type: "string"
+        - name: "password"
+          in: "query"
+          description: "The password for authorization code in clear text"
+          required: false
+          schema:
+            type: "string"
+        - name: "user_type"
+          in: "query"
+          description: "The type of user that drives authentication and authorization"
+          required: false
+          schema:
+            type: "string"
+        - name: "roles"
+          in: "query"
+          description: "User roles concat with a space for fine-grained authorization"
+          required: false
+          schema:
+            type: "string"
+        - name: "state"
+          in: "query"
+          description: "to prevent cross-site request forgery"
+          required: false
+          schema:
+            type: "string"
+        - name: "scope"
+          in: "query"
+          description: "scope of the request"
+          required: false
+          schema:
+            type: "string"
+        - name: "code_challenge"
+          in: "query"
+          description: "PKCE code challenge"
+          required: false
+          schema:
+            type: "string"
+        - name: "code_challenge_method"
+          in: "query"
+          description: "PKCE code challenge method"
+          required: false
+          schema:
+            type: "string"
+      responses:
+        "302":
+          description: "Successful Operation"
+    post:
+      description: "Return 302 redirect with authorization code"
+      operationId: "postAuthCode"
+      parameters:
+        - name: "hostId"
+          description: "The host id this service belongs to"
+          in: "path"
+          required: true
+          schema:
+            type: "string"
+      responses:
+        "302":
+          description: "Successful Operation"
+      requestBody:
+        content:
+          application/x-www-form-urlencoded:
+            schema:
+              type: "object"
+              properties:
+                j_username:
+                  description: "User name"
+                  type: "string"
+                j_password:
+                  description: "Password"
+                  type: "string"
+                response_type:
+                  description: "Response type"
+                  type: "string"
+                  enum:
+                    - "code"
+                client_id:
+                  description: "Client Id"
+                  type: "string"
+                redirect_uri:
+                  description: "Redirect Uri"
+                  type: "string"
+                state:
+                  description: "to prevent cross-site request forgery"
+                  type: "string"
+                scope:
+                  description: "scope of the request"
+                  type: "string"
+                code_challenge:
+                  description: "PKCE code challenge"
+                  type: "string"
+                code_challenge_method:
+                  description: "PKCE code challenge method"
+                  type: "string"
+              required:
+                - "j_username"
+                - "j_password"
+                - "response_type"
+                - "client_id"
+  /{hostId}/keys:
+    get:
+      description: "Get the statndard jwks"
+      operationId: "getJwks"
+      parameters:
+        - name: "hostId"
+          description: "The host id this service belongs to"
+          in: "path"
+          required: true
+          schema:
+            type: "string"
+      responses:
+        "200":
+          description: "Successful response"
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/Jwk"
+        "400":
+          description: "Bad request"
+        "404":
+          description: "Key not found"
+      security:
+        - key_auth:
+            - "oauth.key.r"
+            - "oauth.key.w"
+  /{hostId}/token:
+    post:
+      description: "JSON object that contains access token"
+      operationId: "postToken"
+      parameters:
+        - name: "hostId"
+          description: "The host id this service belongs to"
+          in: "path"
+          required: true
+          schema:
+            type: "string"
+      responses:
+        "200":
+          description: "Successful Operation"
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: "object"
+              properties:
+                grant_type:
+                  type: "string"
+                  enum:
+                    - "authorization_code"
+                    - "client_credentials"
+                    - "password"
+                    - "refresh_token"
+                    - "client_authenticated_user"
+                client_id:
+                  description: "used as alternative to authentication header for client\
+                    \ authentication"
+                  type: "string"
+                client_secret:
+                  description: "used as alternative to authentication header for client\
+                    \ authentication"
+                  type: "string"
+                code:
+                  description: "used in authorization_code to specify the code"
+                  type: "string"
+                username:
+                  description: "mandatory in password grant type"
+                  type: "string"
+                password:
+                  description: "mandatory in password grant type"
+                  type: "string"
+                user_type:
+                  description: "mandatory user type in password grant type"
+                  type: "string"
+                roles:
+                  description: "optional user roles in password grant type"
+                  type: "string"
+                scope:
+                  description: "used by all flows to specify scope in the access token"
+                  type: "string"
+                redirect_uri:
+                  description: "used in authorization code if code endpoint with rediret_uri"
+                  type: "string"
+                refresh_token:
+                  description: "refresh token used to get another access token"
+                  type: "string"
+                code_verifier:
+                  description: "PKCE code verifier"
+                  type: "string"
+              required:
+                - "grant_type"
+  /{hostId}/deref/{token}:
+    get:
+      description: "exchange by-reference token to a JWT"
+      operationId: "derefToken"
+      parameters:
+        - name: "hostId"
+          description: "The host id this service belongs to"
+          in: "path"
+          required: true
+          schema:
+            type: "string"
+        - name: "token"
+          in: "path"
+          description: "by-reference token"
+          required: true
+          schema:
+            type: "string"
+      responses:
+        "200":
+          description: "successful operation"
+  /{hostId}/signing:
+    post:
+      description: "Sign a JSON object and return a JWT"
+      operationId: "postSigning"
+      parameters:
+        - name: "hostId"
+          description: "The host id this service belongs to"
+          in: "path"
+          required: true
+          schema:
+            type: "string"
+      responses:
+        "200":
+          description: "Successful Operation"
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: "#/components/schemas/SignRequest"
+        description: "Signing request object"
+        required: true
+components:
+  securitySchemes:
+    key_auth:
+      type: "oauth2"
+      flows:
+        implicit:
+          authorizationUrl: "http://localhost:8888/oauth2/code"
+          scopes:
+            oauth.key.w: "write key"
+            oauth.key.r: "read key"
+  schemas:
+    Jwk:
+      type: "object"
+      required:
+        - "keyId"
+        - "certificate"
+      properties:
+        keyId:
+          type: "string"
+          description: "a unique id"
+        certificate:
+          type: "string"
+          description: "certificate"
+    SignRequest:
+      type: "object"
+      required:
+        - "expires"
+        - "payload"
+      properties:
+        expires:
+          type: "integer"
+          format: "int32"
+          description: "expires in seconds"
+        payload:
+          type: "object"
+          description: "payload that needs to be signed"
+