add jdbc authorization service

.run/VAuthenticatorApplication.run.xml

@@ -11,6 +11,11 @@
         <option name="name" value="key.master-key" />
         <option name="value" value="xxx" />
       </param>
+      <param>
+        <option name="enabled" value="true" />
+        <option name="name" value="spring.profiles.active" />
+        <option name="value" value="default" />
+      </param>
     </additionalParameters>
     <envs>
       <env name="AWS_ACCESS_KEY_ID" value="xxx" />

README.md

@@ -25,6 +25,7 @@ Right now it is based, as said before to the latest version on spring oauth2/ope
 - access_token/id_token customization via lambda, see [here](docs/lambda.md) for more details
 - MFA
   - mail
+  - sms
   - see [here](docs/mfa.md) for more details
 - Post login flow 
   - force to reset password

local-environment/docker-compose.yml

@@ -3,6 +3,8 @@ version: "3.8"
 services:
   postgres:
     image: postgres:14-alpine
+    volumes:
+      - ./postgresql:/var/lib/postgresql
     ports:
       - "5432:5432"
     environment:
@@ -15,7 +17,10 @@ services:
       - "4566-4599:4566-4599"
       - "${PORT_WEB_UI-8050}:${PORT_WEB_UI-8080}"
     environment:
+      - PERSISTENCE=1
       - SERVICES=s3,kms,dynamodb,iam,sts,sns
+    volumes:
+      - ./localstack:/var/lib/localstack
   redis:
     image: redis
     ports:

local-environment/local-initializer/init.sh

@@ -14,4 +14,8 @@ echo "DYNAMO_DB_ENDPOINT: $DYNAMO_DB_ENDPOINT"
 
 python3 key_setup.py $MASTER_KEY $TABLES_SUFFIX
 python3 setup.py [email protected] $TABLES_SUFFIX
-python3 database_setup.py [email protected] host.docker.internal
+python3 database_setup.py [email protected] host.docker.internal
+
+aws iam create-access-key --user-name vauthenticator-local-dev --endpoint http://host.docker.internal:4566 > user-access-key.json
+echo "Local User IAM VAuthenticator AccessKeyId: "$(cat user-access-key.json | jq -r .AccessKey.AccessKeyId)
+echo "Local User IAM VAuthenticator SecretAccessKey: "$(cat user-access-key.json | jq -r .AccessKey.SecretAccessKey)

local-environment/readme.md

@@ -59,16 +59,11 @@ client_id=admin&client_secret=secret
 client id: vauthenticator-management-ui
 client secret: secret
 client_id=vauthenticator-management-ui&client_secret=secret
+Local User IAM VAuthenticator AccessKeyId: LKIAQAAAAAAABPAIE4RX
+Local User IAM VAuthenticator SecretAccessKey: U2lSO7CfwtxQJdAyoP15ccz9y4PEFtTm/bK+8SKw
 
 ```
 
-in order to get IAM access key you can use the following command:
-
-```shell
-
-aws iam create-access-key --user-name vauthenticator-local-dev --endpoint http://localhost:4566
-
-```
 ### ui and mail template local environment
 In order to make simple the ui assets build for local development take in consideration to enable the following spring configuration properties:
 

src/main/kotlin/com/vauthenticator/server/config/AuthorizationServerConfig.kt

@@ -23,15 +23,20 @@ import com.vauthenticator.server.oidc.token.IdTokenEnhancer
 import com.vauthenticator.server.oidc.userinfo.UserInfoEnhancer
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.beans.factory.annotation.Value
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.Profile
 import org.springframework.core.Ordered
 import org.springframework.core.annotation.Order
 import org.springframework.data.redis.core.RedisTemplate
+import org.springframework.jdbc.core.JdbcTemplate
+import org.springframework.jdbc.support.lob.DefaultLobHandler
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.oauth2.jwt.JwtDecoder
 import org.springframework.security.oauth2.jwt.JwtEncoder
 import org.springframework.security.oauth2.jwt.NimbusJwtEncoder
+import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration
@@ -93,11 +98,22 @@ class AuthorizationServerConfig {
         return ClientAppRegisteredClientRepository(storeClientApplication, clientRepository)
     }
 
-    @Bean
-    fun oAuth2AuthorizationService(redisTemplate: RedisTemplate<Any, Any>): OAuth2AuthorizationService {
+    @Bean("oAuth2AuthorizationService")
+    @Profile("!experimental_database_persistence")
+    fun redisOAuth2AuthorizationService(redisTemplate: RedisTemplate<Any, Any>): OAuth2AuthorizationService {
         return RedisOAuth2AuthorizationService(redisTemplate)
     }
 
+
+    @Bean("oAuth2AuthorizationService")
+    @Profile("experimental_database_persistence")
+    fun jdbcOAuth2AuthorizationService(
+        jdbcTemplate : JdbcTemplate,
+        registeredClientRepository : RegisteredClientRepository
+    ): OAuth2AuthorizationService {
+        return JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository, DefaultLobHandler())
+    }
+
     @Bean
     fun providerSettings(): AuthorizationServerSettings =
         AuthorizationServerSettings.builder().issuer(oidcIss).build()

src/main/resources/data/schema.sql

@@ -36,3 +36,40 @@ CREATE TABLE ACCOUNT_ROLE
     FOREIGN KEY (account_username) REFERENCES ACCOUNT(username) on delete cascade,
     FOREIGN KEY (role_name) REFERENCES ROLE (name) on delete cascade
 );
+
+CREATE TABLE oauth2_authorization (
+                                      id varchar(100) NOT NULL,
+                                      registered_client_id varchar(100) NOT NULL,
+                                      principal_name varchar(200) NOT NULL,
+                                      authorization_grant_type varchar(100) NOT NULL,
+                                      authorized_scopes varchar(1000) DEFAULT NULL,
+                                      attributes text DEFAULT NULL,
+                                      state varchar(500) DEFAULT NULL,
+                                      authorization_code_value text DEFAULT NULL,
+                                      authorization_code_issued_at timestamp DEFAULT NULL,
+                                      authorization_code_expires_at timestamp DEFAULT NULL,
+                                      authorization_code_metadata text DEFAULT NULL,
+                                      access_token_value text DEFAULT NULL,
+                                      access_token_issued_at timestamp DEFAULT NULL,
+                                      access_token_expires_at timestamp DEFAULT NULL,
+                                      access_token_metadata text DEFAULT NULL,
+                                      access_token_type varchar(100) DEFAULT NULL,
+                                      access_token_scopes varchar(1000) DEFAULT NULL,
+                                      oidc_id_token_value text DEFAULT NULL,
+                                      oidc_id_token_issued_at timestamp DEFAULT NULL,
+                                      oidc_id_token_expires_at timestamp DEFAULT NULL,
+                                      oidc_id_token_metadata text DEFAULT NULL,
+                                      refresh_token_value text DEFAULT NULL,
+                                      refresh_token_issued_at timestamp DEFAULT NULL,
+                                      refresh_token_expires_at timestamp DEFAULT NULL,
+                                      refresh_token_metadata text DEFAULT NULL,
+                                      user_code_value text DEFAULT NULL,
+                                      user_code_issued_at timestamp DEFAULT NULL,
+                                      user_code_expires_at timestamp DEFAULT NULL,
+                                      user_code_metadata text DEFAULT NULL,
+                                      device_code_value text DEFAULT NULL,
+                                      device_code_issued_at timestamp DEFAULT NULL,
+                                      device_code_expires_at timestamp DEFAULT NULL,
+                                      device_code_metadata text DEFAULT NULL,
+                                      PRIMARY KEY (id)
+);

src/test/kotlin/com/vauthenticator/server/support/JdbcUtils.kt

@@ -1,11 +1,14 @@
 package com.vauthenticator.server.support
 
 import org.postgresql.Driver
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
 import org.springframework.jdbc.core.JdbcTemplate
 import org.springframework.jdbc.datasource.SimpleDriverDataSource
 import java.nio.file.Files
 import java.nio.file.Paths
 
+val logger: Logger = LoggerFactory.getLogger(JdbcUtils::class.java)
 
 object JdbcUtils {
 
@@ -24,9 +27,10 @@ object JdbcUtils {
             jdbcTemplate.execute("DROP TABLE IF EXISTS ROLE CASCADE;")
             jdbcTemplate.execute("DROP TABLE IF EXISTS ACCOUNT CASCADE;")
             jdbcTemplate.execute("DROP TABLE IF EXISTS ACCOUNT_ROLE;")
+            jdbcTemplate.execute("DROP TABLE IF EXISTS oauth2_authorization;")
             jdbcTemplate.execute(Files.readString(Paths.get("src/main/resources/data/schema.sql")))
         } catch (e: java.lang.Exception) {
-            println(e)
+            logger.error(e.message)
         }
     }
 

tenant-installer.Dockerfile

@@ -4,7 +4,8 @@ RUN yum install -y yum-utils && \
     yum-config-manager --add-repo https://rpm.releases.hashicorp.com/AmazonLinux/hashicorp.repo && \
     yum -y install terraform && \
     yum update && yum install -y python3-pip && \
-    yum install -y unzip
+    yum install -y unzip && \
+    yum install -y jq
 
 RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
      unzip awscliv2.zip && \