wip

backend/build.gradle.kts

@@ -47,8 +47,8 @@ dependencies {
     testImplementation("org.springframework.boot:spring-boot-starter-test")
     testRuntimeOnly("org.junit.platform:junit-platform-launcher")
     implementation("org.springframework.boot:spring-boot-starter-security")
-    implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.4.3")
-    implementation("org.springframework.boot:spring-boot-starter-oauth2-client:3.4.3")
+    implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.3.3")
+    implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
     runtimeOnly("org.postgresql:postgresql")
     implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.5")
 }

backend/src/main/java/de/szut/casino/security/KeycloakSecurityConfig.java

@@ -1,82 +0,0 @@
-package de.szut.casino.security;
-
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpMethod;
-import org.springframework.security.config.Customizer;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.session.SessionRegistry;
-import org.springframework.security.core.session.SessionRegistryImpl;
-import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
-import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
-import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
-import org.springframework.security.web.session.HttpSessionEventPublisher;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-
-@Configuration
-@EnableWebSecurity
-class KeycloakSecurityConfig {
-
-    private final KeycloakLogoutHandler keycloakLogoutHandler;
-
-    KeycloakSecurityConfig(KeycloakLogoutHandler keycloakLogoutHandler) {
-        this.keycloakLogoutHandler = keycloakLogoutHandler;
-    }
-
-    @Bean
-    public SessionRegistry sessionRegistry() {
-        return new SessionRegistryImpl();
-    }
-
-    @Bean
-    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
-        return new RegisterSessionAuthenticationStrategy(sessionRegistry());
-    }
-
-    @Bean
-    public HttpSessionEventPublisher httpSessionEventPublisher() {
-        return new HttpSessionEventPublisher();
-    }
-
-
-    @Bean
-    public SecurityFilterChain resourceServerFilterChain(HttpSecurity http) throws Exception {
-        http.csrf(csrf -> csrf
-                        .ignoringRequestMatchers("/webhook")
-                )
-                .authorizeHttpRequests(auth -> auth
-                        .requestMatchers(HttpMethod.POST, "/webhook").permitAll()
-                        .requestMatchers("/swagger", "/swagger-ui/**", "/v3/api-docs/**", "/health").permitAll()
-                        .anyRequest().authenticated()
-                )
-                .oauth2ResourceServer(spec -> spec.jwt(Customizer.withDefaults()));
-
-        return http.build();
-    }
-
-    @Bean
-    public JwtAuthenticationConverter jwtAuthenticationConverter() {
-        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
-        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwt -> {
-            List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
-
-            Map<String, Object> realmAccess = jwt.getClaim("realm_access");
-            if (realmAccess != null && realmAccess.containsKey("roles")) {
-                List<String> roles = (List<String>) realmAccess.get("roles");
-                for (String role : roles) {
-                    grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + role));
-                }
-            }
-
-            return grantedAuthorities;
-        });
-        return jwtAuthenticationConverter;
-    }
-}

backend/src/main/resources/application.properties

@@ -9,16 +9,23 @@ app.frontend-host=http://localhost:4200
 
 spring.application.name=lf12_starter
 #client registration configuration
-spring.security.oauth2.client.registration.keycloak.client-id=lf12
-spring.security.oauth2.client.registration.keycloak.authorization-grant-type=authorization_code
-spring.security.oauth2.client.registration.keycloak.scope=openid
+
+spring.security.oauth2.client.registration.authentik.provider=authentik
+spring.security.oauth2.client.registration.authentik.client-id=MDqjm1kcWKuZfqHJXjxwAV20i44aT7m4VhhTL3Nm
+spring.security.oauth2.client.registration.authentik.client-secret=GY2F8te6iAVYt1TNAUVLzWZEXb6JoMNp6chbjqaXNq4gS5xTDL54HqBiAlV1jFKarN28LQ7FUsYX4SbwjfEhZhgeoKuBnZKjR9eiu7RawnGgxIK9ffvUfMkjRxnmiGI5
+spring.security.oauth2.client.registration.authentik.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}
+spring.security.oauth2.client.registration.authentik.scope=openid, profile, email
+spring.security.oauth2.client.registration.authentik.client-name=Authentik
+spring.security.oauth2.client.registration.authentik.authorization-grant-type=authorization_code
+spring.security.oauth2.client.provider.authentik.authorization-uri=https://oauth.simonis.lol/application/o/authorize/
+spring.security.oauth2.client.provider.authentik.issuer-uri=https://oauth.simonis.lol/
+spring.security.oauth2.client.provider.authentik.token-uri=https://oauth.simonis.lol/application/o/token/
+spring.security.oauth2.client.provider.authentik.user-info-uri=https://oauth.simonis.lol/application/o/userinfo/
+spring.security.oauth2.client.provider.authentik.jwk-set-uri=https://oauth.simonis.lol/application/o/jwks/
 
 #OIDC provider configuration:
-spring.security.oauth2.client.provider.keycloak.issuer-uri=http://localhost:9090/realms/LF12
-spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username
 logging.level.org.springframework.security=DEBUG
 #validating JWT token against our Keycloak server
-spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:9090/realms/LF12
 
 springdoc.swagger-ui.path=swagger
 springdoc.swagger-ui.try-it-out-enabled=true

frontend/src/app/app.config.ts

@@ -3,15 +3,16 @@ import { provideRouter } from '@angular/router';
 import { FontAwesomeModule } from '@fortawesome/angular-fontawesome';
 
 import { routes } from './app.routes';
-import { provideHttpClient } from '@angular/common/http';
+import { provideHttpClient, withInterceptors } from '@angular/common/http';
 import { provideAnimationsAsync } from '@angular/platform-browser/animations/async';
 import { provideOAuthClient } from 'angular-oauth2-oidc';
+import { httpInterceptor } from './shared/interceptor/http.interceptor';
 
 export const appConfig: ApplicationConfig = {
   providers: [
     provideRouter(routes),
     FontAwesomeModule,
-    provideHttpClient(),
+    provideHttpClient(withInterceptors([httpInterceptor])),
     provideExperimentalZonelessChangeDetection(),
     provideAnimationsAsync(),
     provideOAuthClient(),

frontend/src/app/feature/login-success/login-success.component.ts

@@ -1,6 +1,7 @@
 import { ChangeDetectionStrategy, Component, inject, OnInit } from '@angular/core';
 import { Router } from '@angular/router';
 import { AuthService } from '../../service/auth.service';
+import { User } from '../../model/User';
 
 @Component({
   selector: 'app-login-success',
@@ -14,7 +15,6 @@ export default class LoginSuccessComponent implements OnInit {
   private router: Router = inject(Router);
   private authService: AuthService = inject(AuthService);
   async ngOnInit() {
-    console.log(this.authService.getAccessToken());
-    (this.authService.getUserInfo().then(console.log));
+    this.authService.getUserInfo()
   }
 }

frontend/src/app/service/auth.service.ts

@@ -1,29 +1,47 @@
 import { inject, Injectable } from '@angular/core';
 import { Subject } from 'rxjs';
 import { AuthConfig, OAuthService } from 'angular-oauth2-oidc';
+import { UserService } from './user.service';
+import { User } from '../model/User';
 
 
 @Injectable({
   providedIn: 'root',
 })
 export class AuthService {
+  private userService: UserService = inject(UserService);
+
   private readonly authConfig: AuthConfig = {
     issuer: 'https://oauth.simonis.lol/application/o/casino-dev/',
+    loginUrl: 'https://oauth.simonis.lol/application/o/authorize/',
+    tokenEndpoint: 'https://oauth.simonis.lol/application/o/token/',
+    userinfoEndpoint: 'https://oauth.simonis.lol/application/o/userinfo/',
     clientId: 'MDqjm1kcWKuZfqHJXjxwAV20i44aT7m4VhhTL3Nm',
-    redirectUri: window.location.origin + '/auth/callback',
-    responseType: 'code',
+    dummyClientSecret: 'GY2F8te6iAVYt1TNAUVLzWZEXb6JoMNp6chbjqaXNq4gS5xTDL54HqBiAlV1jFKarN28LQ7FUsYX4SbwjfEhZhgeoKuBnZKjR9eiu7RawnGgxIK9ffvUfMkjRxnmiGI5',
     scope: 'openid profile email',
-    showDebugInformation: true,
+    responseType: 'code',
+    redirectUri: window.location.origin + '/auth/callback',
     oidc: true,
     requestAccessToken: true,
+    strictDiscoveryDocumentValidation: false,
+    showDebugInformation: true,
   };
 
   private isAuthenticated = new Subject<boolean>();
-
+  private user: User | null = null;
   private oauthService: OAuthService = inject(OAuthService);
 
   constructor() {
     this.oauthService.configure(this.authConfig);
+    this.oauthService.events.subscribe((event) => {
+      if (event.type === 'token_received') {
+        this.oauthService.loadUserProfile().then((profile) => {
+          this.fromUserProfile(profile).subscribe((user) => {
+            this.user = user;
+          });
+        });
+      }
+    });
     this.oauthService.loadDiscoveryDocumentAndTryLogin().then(() => {
       this.isAuthenticated.next(this.oauthService.hasValidAccessToken());
     });
@@ -38,15 +56,19 @@ export class AuthService {
     this.isAuthenticated.next(false);
   }
 
-  getAccessToken() {
-    return this.oauthService.getAccessToken();
-  }
-
   getUserInfo() {
-    return this.oauthService.loadUserProfile();
+    return this.user;
   }
 
   isLoggedIn() {
     return this.oauthService.hasValidAccessToken();
   }
+
+  private fromUserProfile(profile: object) {
+    return this.userService.getOrCreateUser(profile);
+  }
+
+  getAccessToken() {
+    return this.oauthService.getAccessToken();
+  }
 }

frontend/src/app/service/user.service.ts

@@ -1,6 +1,6 @@
 import { inject, Injectable } from '@angular/core';
 import { HttpClient } from '@angular/common/http';
-import { catchError, EMPTY, Observable } from 'rxjs';
+import { catchError, EMPTY, Observable, of, switchMap } from 'rxjs';
 import { User } from '../model/User';
 
 @Injectable({
@@ -23,4 +23,21 @@ export class UserService {
       username: username,
     });
   }
+
+  public getOrCreateUser(profile: any): Observable<User> {
+    console.log(profile);
+    const id = profile.info.sub;
+    const username = profile.info.preferred_username;
+
+    return this.getUser(id).pipe(
+      switchMap((user) => {
+        if (user) {
+          return of(user);
+        } else {
+          return this.createUser(id, username);
+        }
+      }),
+      catchError(() => EMPTY)
+    );
+  }
 }

frontend/src/app/shared/interceptor/http.interceptor.ts

@@ -0,0 +1,9 @@
+import { HttpInterceptorFn } from '@angular/common/http';
+import { inject } from '@angular/core';
+import { AuthService } from '../../service/auth.service';
+
+export const httpInterceptor: HttpInterceptorFn = (req, next) => {
+  return next(req.clone({
+    setHeaders: {'Authorization': 'Bearer '+inject(AuthService).getAccessToken()},
+  }));
+};