OIDC Provider for the grails-spring-security-oauth2 plugin

Author: sbglasius

.sdkmanrc

@@ -0,0 +1,3 @@
+# Enable auto-env through the sdkman_auto_env config
+# Add key=value pairs of SDKs to use below
+java=17.0.15-librca

README.md

@@ -0,0 +1,48 @@
+Spring Security OAuth2 OIDC Plugin
+====================================
+[ ![Download](https://api.bintray.com/packages/grails/plugins/spring-security-oauth2-google/images/download.svg) ](https://bintray.com/grails/plugins/spring-security-oauth2-google/_latestVersion)
+
+Add aa OIDC OAuth2 provider to the [Spring Security OAuth2 Plugin](https://github.com/apache/grails-/grails-spring-security-oauth2).
+
+Installation
+------------
+Add the following dependencies in `build.gradle`
+```
+dependencies {
+...
+    compile 'org.apache.grails:grails-spring-security-oauth2:7.0.0-M5'
+    compile 'org.grails.plugins:spring-security-oauth2-oidc:1.0.+'
+...
+}
+```
+
+Usage
+-----
+Add this to your application.yml
+```
+grails:
+    plugin:
+        springsecurity:
+            oauth2:
+                providers:
+                    oidc:
+                        api_key: 'oidc-api-key'               #needed
+                        api_secret: 'oidc-api-secret'         #needed
+                        successUri: "/oauth2/google/success"    #optional
+                        failureUri: "/oauth2/google/failure"    #optional
+                        callback: "/oauth2/google/callback"     #optional
+                        scopes: "some_scope"                    #optional, see https://developers.google.com/identity/protocols/googlescopes#monitoringv3
+```
+You can replace the URIs with your own controller implementation.
+
+In your view you can use the taglib exposed from this plugin and from OAuth plugin to create links and to know if the user is authenticated with a given provider:
+```xml
+<oauth2:connect provider="google" id="google-connect-link">Google</oauth2:connect>
+
+Logged with google?
+<oauth2:ifLoggedInWith provider="google">yes</oauth2:ifLoggedInWith>
+<oauth2:ifNotLoggedInWith provider="google">no</oauth2:ifNotLoggedInWith>
+```
+License
+-------
+Apache 2

build.gradle

@@ -1,3 +1,7 @@
+import java.time.Instant
+import java.time.ZoneOffset
+import java.time.format.DateTimeFormatter
+
 buildscript {
     repositories {
         mavenCentral()
@@ -14,13 +18,31 @@ buildscript {
         classpath "org.apache.grails:grails-gradle-plugins"
     }
 }
+apply plugin: 'groovy'
+apply plugin: 'java-library'
+apply plugin: 'org.apache.grails.gradle.grails-plugin'
+apply plugin: 'org.apache.grails.gradle.grails-publish'
+
+group "org.grails.plugins"
 
-version "0.1"
-group "grails.spring.security.oauth.oidc"
+ext {
+    buildInstant = java.util.Optional.ofNullable(System.getenv("SOURCE_DATE_EPOCH"))
+            .filter(s -> !s.isEmpty())
+            .map(Long::parseLong)
+            .map(Instant::ofEpochSecond)
+            .orElseGet(Instant::now)
+    formattedBuildDate = DateTimeFormatter.ISO_INSTANT.format(buildInstant)
+    buildDate = (buildInstant as Instant).atZone(ZoneOffset.UTC) // for reproducible builds
+
+    publishArtifactId = 'grails-spring-security-oauth2-oidc'
+    pomTitle = 'Grails Spring Security OAuth2 OIDC Provider Plugin'
+    pomDescription = 'This plugin provides the oauth2 OIDC provider for grails-spring-security-oauth2 plugin.'
+    pomDevelopers = [
+            sbglasius: 'Søren Berg Glasius',
+    ]
+    
+}
 
-apply plugin:"eclipse"
-apply plugin:"idea"
-apply plugin:"org.apache.grails.gradle.grails-plugin"
 
 repositories {
     mavenCentral()
@@ -35,23 +57,34 @@ repositories {
 
 dependencies {
     implementation platform("org.apache.grails:grails-bom:$grailsVersion")
-    developmentOnly "org.springframework.boot:spring-boot-devtools" // Spring Boot DevTools may cause performance slowdowns or compatibility issues on larger applications
-    integrationTestImplementation testFixtures("org.apache.grails:grails-geb")
-    console "org.apache.grails:grails-console"
-    implementation "org.springframework.boot:spring-boot-starter-logging"
-    implementation "org.springframework.boot:spring-boot-starter-validation"
-    implementation "org.springframework.boot:spring-boot-autoconfigure"
-    implementation "org.springframework.boot:spring-boot-starter"
-    implementation "org.apache.grails:grails-core"
-    implementation "org.apache.grails:grails-i18n"
+    compileOnly "org.springframework.boot:spring-boot-starter-logging"
+    compileOnly "org.springframework.boot:spring-boot-starter-validation"
+    compileOnly "org.springframework.boot:spring-boot-autoconfigure"
+    compileOnly "org.springframework.boot:spring-boot-starter"
+    compileOnly "org.apache.grails:grails-core"
     profile "org.apache.grails.profiles:plugin"
     runtimeOnly "org.fusesource.jansi:jansi"
-    testImplementation "org.apache.grails:grails-testing-support-datamapping"
-    testImplementation "org.spockframework:spock-core"
+
+    implementation 'org.apache.grails:grails-spring-security:7.0.0-M5'
+    implementation 'org.apache.grails:grails-spring-security-oauth2:7.0.0-M5'
+    implementation 'com.auth0:java-jwt:4.5.0'
+    implementation 'com.auth0:jwks-rsa:0.23.0'
+}
+
+grailsPublish {
+    githubSlug = 'grails-plugins/grails-spring-security-oauth2-oidc'
+    license {
+        name = 'Apache-2.0'
+    }
+    title = pomTitle
+    desc = pomDescription
+    developers = pomDevelopers
 }
 
-compileJava.options.release = 17
+
+compileJava.options.release = javaVersion.toInteger()
 
 tasks.withType(Test) {
     useJUnitPlatform()
 }
+

buildSrc/build.gradle

@@ -0,0 +1,26 @@
+plugins {
+    id 'groovy-gradle-plugin'
+}
+
+file('../gradle.properties').withInputStream {
+    def gradleProperties = new Properties()
+    gradleProperties.load(it)
+    gradleProperties.each { k, v -> ext.set(k, v) }
+
+}
+
+repositories {
+    maven { url = 'https://repo.grails.org/grails/restricted' }
+    maven {
+        url = 'https://repository.apache.org/content/groups/snapshots'
+        content {
+            includeVersionByRegex('org[.]apache[.](grails|groovy).*', '.*', '.*-SNAPSHOT')
+        }
+    }
+}
+
+dependencies {
+    implementation platform("org.apache.grails:grails-bom:$grailsVersion")
+    implementation "org.asciidoctor.jvm.convert:org.asciidoctor.jvm.convert.gradle.plugin:$asciidoctorGradlePluginVersion"
+    implementation 'org.apache.grails:grails-gradle-plugins'
+}

gradle.properties

@@ -1,4 +1,11 @@
-grailsVersion=7.0.0-RC1
+version=1.0.0-SNAPSHOT
+grailsVersion=7.0.0-SNAPSHOT
+javaVersion=17
+
+asciidoctorGradlePluginVersion=4.0.4
+gradleCryptoChecksumVersion=1.4.0
+ratVersion=0.8.1
+
 org.gradle.daemon=true
 org.gradle.parallel=true
 org.gradle.jvmargs=-Dfile.encoding=UTF-8 -Xmx1024M

grails-app/conf/DefaultOAuth2OidcConfig.groovy

@@ -0,0 +1,29 @@
+/* Copyright 2025-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+security {
+    oauth2 {
+        providers {
+            oidc {
+                domain = 'https://some.oidc.provider.domain' // Mandatory
+                api_key = "changeme_apikey" // Mandatory 
+                api_secret = "changeme_apisecret" // Mandatory
+                successUri = "/oauth2/oidc/success" // Optional
+                failureUri = "/oauth2/oidc/failure" // Optional
+                callback = "/oauth2/oidc/callback" // Optional
+            }
+        }
+    }
+}

grails-app/conf/application.yml

@@ -1,7 +1,7 @@
 grails:
     profile: plugin
     codegen:
-        defaultPackage: grails.spring.security.oauth.oidc
+        defaultPackage: grails.springsecurity.oauth2.oidc
     gorm:
         reactor:
             # Whether to translate GORM events into Reactor events
@@ -20,15 +20,6 @@ spring:
     groovy:
         template:
             check-template-location: false
-    devtools:
-        restart:
-            additional-exclude:
-                - '*.gsp'
-                - '**/*.gsp'
-                - '*.gson'
-                - '**/*.gson'
-                - 'logback-spring.xml'
-                - '*.properties'
 environments:
     development:
         management:

grails-app/init/grails/spring/security/oauth/oidc/BootStrap.groovy

@@ -1,4 +1,4 @@
-package grails.spring.security.oauth.oidc
+package grails.springsecurity.oauth2.oidc
 
 import grails.boot.*
 import grails.boot.config.GrailsAutoConfiguration

…g/security/oauth/oidc/Application.groovy …gsecurity/oauth2/oidc/Application.groovygrails-app/init/grails/spring/security/oauth/oidc/Application.groovy renamed to grails-app/init/grails/springsecurity/oauth2/oidc/Application.groovy grails-app/init/grails/spring/security/oauth/oidc/Application.groovy renamed to grails-app/init/grails/springsecurity/oauth2/oidc/Application.groovy

@@ -0,0 +1,132 @@
+/* Copyright 2025-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package grails.plugin.springsecurity.oauth2.oidc
+
+import com.auth0.jwk.JwkProviderBuilder
+import com.auth0.jwt.JWT
+import com.auth0.jwt.JWTVerifier
+import com.auth0.jwt.algorithms.Algorithm
+import com.auth0.jwt.exceptions.JWTVerificationException
+import com.auth0.jwt.interfaces.DecodedJWT
+import com.auth0.jwt.interfaces.RSAKeyProvider
+import com.github.scribejava.core.builder.ServiceBuilder
+import com.github.scribejava.core.builder.api.DefaultApi20
+import com.github.scribejava.core.model.OAuth2AccessToken
+import com.github.scribejava.core.oauth.OAuth20Service
+import grails.plugin.springsecurity.oauth2.SpringSecurityOauth2BaseService
+import grails.plugin.springsecurity.oauth2.exception.OAuth2Exception
+import grails.plugin.springsecurity.oauth2.service.OAuth2AbstractProviderService
+import grails.plugin.springsecurity.oauth2.token.OAuth2SpringToken
+import grails.plugin.springsecurity.oauth2.util.OAuth2ProviderConfiguration
+import groovy.json.JsonSlurper
+import groovy.transform.CompileStatic
+import org.springframework.beans.factory.InitializingBean
+
+import java.security.interfaces.RSAPrivateKey
+import java.security.interfaces.RSAPublicKey
+import java.util.concurrent.TimeUnit
+
+@CompileStatic
+class OidcAuth2Service extends OAuth2AbstractProviderService implements InitializingBean{
+
+    SpringSecurityOauth2BaseService springSecurityOauth2BaseService
+    
+    OidcOauth2Config OidcOauth2Config
+    
+    final String providerID = OidcOauth2Api.PROVIDER_ID
+    final Class apiClass = OidcOauth2Api
+    final String scopeSeparator = ' '
+    private JWTVerifier jwtVerifier 
+    
+    String getProfileScope() {
+        "${OidcOauth2Config.domain}/userinfo"
+    }
+    String getScopes() {
+        OidcOauth2Config.scope
+    }
+    
+
+    @Override
+    OAuth2SpringToken createSpringAuthToken(OAuth2AccessToken accessToken) {
+        DecodedJWT decoded = decodeJWT(accessToken)
+        verifyJWT(decoded)
+        return new OidcOauth2SpringToken(accessToken, decoded.claims)
+    }
+
+    DecodedJWT decodeJWT(OAuth2AccessToken accessToken) {
+        def raw = new JsonSlurper().parseText(accessToken.rawResponse as String) as Map
+        String idToken = raw?.id_token as String
+        if (!idToken) throw new IllegalStateException("Missing id_token from OIDC response")
+
+        DecodedJWT decoded = new JWT().decodeJwt(idToken)
+        return decoded
+    }
+
+    @Override
+    OAuth20Service buildScribeService(OAuth2ProviderConfiguration providerConfiguration) {
+        DefaultApi20 api = new OidcOauth2Api(OidcOauth2Config.domain)
+
+        return new ServiceBuilder(OidcOauth2Config.apiKey)
+                .apiSecret(OidcOauth2Config.apiSecret)
+                .defaultScope(OidcOauth2Config.scope)
+                .callback(providerConfiguration.callbackUrl)
+                .build(api)
+    }
+
+    
+    @Override
+    void afterPropertiesSet() throws Exception {
+        def jwkProvider = new JwkProviderBuilder(OidcOauth2Config.domain)
+                .cached(10, 24, TimeUnit.HOURS)
+                .rateLimited(10, 1, TimeUnit.MINUTES)
+                .build()
+        
+        RSAKeyProvider keyProvider = new RSAKeyProvider() {
+            @Override
+            RSAPublicKey getPublicKeyById(String kid) {
+                return (RSAPublicKey) jwkProvider.get(kid).getPublicKey()
+            }
+
+            @Override
+            RSAPrivateKey getPrivateKey() {
+                // return the private key used 
+                return null
+            }
+
+            @Override
+            String getPrivateKeyId() {
+                return null
+            }
+        }
+
+        def algorithm = Algorithm.RSA256(keyProvider)
+        String issuerDomain = OidcOauth2Config.domain.endsWith('/') ? OidcOauth2Config.domain : OidcOauth2Config.domain + '/'
+        jwtVerifier = JWT.require(algorithm)
+                .withIssuer(issuerDomain)
+                .withAnyOfAudience(OidcOauth2Config.apiKey)
+                .build()
+    }
+
+
+    private void verifyJWT(DecodedJWT decoded) {
+        try {
+            jwtVerifier.verify(decoded)
+        } catch (JWTVerificationException e) {
+            throw new OAuth2Exception("OIDC token is invalid", e)
+        }
+    }
+
+}