added pkce authorization to the flow

Author: annahileta

src/main/java/com/docusign/DSConfiguration.java

@@ -70,6 +70,15 @@ public class DSConfiguration {
     @Value("${spring.security.oauth2.client.registration.jwt.client-id}")
     private String userId;
 
+    @Value("${spring.security.oauth2.client.registration.acg.client-secret}")
+    private String secretUserId;
+
+    @Value("${spring.security.oauth2.client.provider.acg.token-uri}")
+    private String tokenEndpoint;
+
+    @Value("${spring.security.oauth2.client.provider.acg.authorization-uri}")
+    private String authorizationEndpoint;
+
     @Value("${jwt.grant.sso.redirect-url}")
     private String jwtRedirectURL;
 
@@ -158,7 +167,8 @@ public ManifestStructure getCodeExamplesText() {
         }
 
         try {
-            codeExamplesText = new ObjectMapper().readValue(loadFileData(codeExamplesManifest), ManifestStructure.class);
+            codeExamplesText = new ObjectMapper().readValue(loadFileData(codeExamplesManifest),
+                    ManifestStructure.class);
         } catch (Exception e) {
             e.printStackTrace();
         }

src/main/java/com/docusign/WebSecurityConfig.java

@@ -28,14 +28,13 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                     try {
                         authorize
                                 .antMatchers("/", "/error**", "/assets/**", "/ds/mustAuthenticate**",
-                                        "/ds/authenticate**", "/ds/selectApi**", "/con001")
+                                        "/ds/authenticate**", "/ds/selectApi**", "/con001", "/pkce")
                                 .permitAll()
                                 .anyRequest().authenticated()
                                 .and()
                                 .exceptionHandling()
                                 .authenticationEntryPoint(
-                                        new LoginUrlAuthenticationEntryPoint("/ds/mustAuthenticate")
-                                );
+                                        new LoginUrlAuthenticationEntryPoint("/ds/mustAuthenticate"));
                     } catch (Exception e) {
                         throw new RuntimeException(e);
                     }
@@ -44,8 +43,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                 .oauth2Login(Customizer.withDefaults())
                 .oauth2Client(Customizer.withDefaults())
                 .logout(logout -> logout
-                        .logoutSuccessUrl("/")
-                )
+                        .logoutSuccessUrl("/"))
                 .csrf().disable();
 
         return http.build();

src/main/java/com/docusign/core/controller/IndexController.java

@@ -7,6 +7,7 @@
 import com.docusign.core.model.AuthType;
 import com.docusign.core.model.Session;
 import com.docusign.core.model.User;
+import com.docusign.core.security.acg.ACGAuthenticationMethod;
 import com.docusign.core.security.jwt.JWTAuthenticationMethod;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -112,7 +113,8 @@ public String index(ModelMap model, HttpServletResponse response) throws Excepti
     }
 
     @GetMapping(path = "/ds/mustAuthenticate")
-    public ModelAndView mustAuthenticateController(ModelMap model, HttpServletRequest req, HttpServletResponse resp) throws IOException {
+    public ModelAndView mustAuthenticateController(ModelMap model, HttpServletRequest req, HttpServletResponse resp)
+            throws IOException {
         model.addAttribute(LAUNCHER_TEXTS, config.getCodeExamplesText().SupportingTexts);
         model.addAttribute(ATTR_TITLE, config.getCodeExamplesText().SupportingTexts.LoginPage.LoginButton);
 
@@ -125,7 +127,8 @@ public ModelAndView mustAuthenticateController(ModelMap model, HttpServletReques
             return new ModelAndView(new JWTAuthenticationMethod().loginUsingJWT(config, session, redirectURL));
         }
 
-        boolean isRedirectToMonitor = redirectURL.toLowerCase().contains("/m") && !redirectURL.toLowerCase().contains("/mae");
+        boolean isRedirectToMonitor = redirectURL.toLowerCase().contains("/m")
+                && !redirectURL.toLowerCase().contains("/mae");
         if (session.isRefreshToken() || config.getQuickstart().equals("true")) {
             config.setQuickstart("false");
 
@@ -148,8 +151,24 @@ private ModelAndView checkForMonitorRedirects(String redirectURL) {
         return new ModelAndView(new JWTAuthenticationMethod().loginUsingJWT(config, session, redirectURL));
     }
 
+    @GetMapping("/pkce")
+    public RedirectView pkce(String code, String state, HttpServletRequest req, HttpServletResponse resp)
+            throws Exception {
+        String redirectURL = getRedirectURLForJWTAuthentication(req, resp);
+        RedirectView redirect;
+        try {
+            redirect = new ACGAuthenticationMethod().exchangeCodeForToken(code, config, session, redirectURL);
+        } catch (Exception e) {
+            redirect = getRedirectView(AuthType.AGC);
+            this.session.setIsPKCEWorking(false);
+        }
+
+        return redirect;
+    }
+
     @PostMapping("/ds/authenticate")
-    public RedirectView authenticate(ModelMap model, @RequestBody MultiValueMap<String, String> formParams, HttpServletRequest req, HttpServletResponse resp) throws IOException {
+    public RedirectView authenticate(ModelMap model, @RequestBody MultiValueMap<String, String> formParams,
+            HttpServletRequest req, HttpServletResponse resp) throws Exception {
         if (!formParams.containsKey("selectAuthType")) {
             model.addAttribute("message", "Select option with selectAuthType name must be provided.");
             return new RedirectView("pages/error");
@@ -165,14 +184,18 @@ public RedirectView authenticate(ModelMap model, @RequestBody MultiValueMap<Stri
             return new JWTAuthenticationMethod().loginUsingJWT(config, session, redirectURL);
         } else {
             this.session.setAuthTypeSelected(AuthType.AGC);
-            return getRedirectView(authTypeSelected);
+            if (this.session.getIsPKCEWorking()) {
+                return new ACGAuthenticationMethod().initiateAuthorization(config);
+            } else {
+                return getRedirectView(authTypeSelected);
+            }
         }
     }
 
     private String getRedirectURLForJWTAuthentication(HttpServletRequest req, HttpServletResponse resp) {
         SavedRequest savedRequest = requestCache.getRequest(req, resp);
 
-        String[] examplesCodes = new String[]{
+        String[] examplesCodes = new String[] {
                 ApiIndex.CLICK.getExamplesPathCode(),
                 ApiIndex.ESIGNATURE.getExamplesPathCode(),
                 ApiIndex.MONITOR.getExamplesPathCode(),
@@ -185,10 +208,10 @@ private String getRedirectURLForJWTAuthentication(HttpServletRequest req, HttpSe
             Integer indexOfExampleCodeInRedirect = StringUtils.indexOfAny(savedRequest.getRedirectUrl(), examplesCodes);
 
             if (indexOfExampleCodeInRedirect != -1) {
-                Boolean hasNumbers = savedRequest.getRedirectUrl().substring(indexOfExampleCodeInRedirect).matches(".*\\d.*");
+                Boolean hasNumbers = savedRequest.getRedirectUrl().substring(indexOfExampleCodeInRedirect)
+                        .matches(".*\\d.*");
 
-                return "GET".equals(savedRequest.getMethod()) && hasNumbers ?
-                        savedRequest.getRedirectUrl() : "/";
+                return "GET".equals(savedRequest.getMethod()) && hasNumbers ? savedRequest.getRedirectUrl() : "/";
             }
         }
 
@@ -197,8 +220,8 @@ private String getRedirectURLForJWTAuthentication(HttpServletRequest req, HttpSe
 
     @GetMapping(path = "/ds-return")
     public String returnController(@RequestParam(value = ATTR_STATE, required = false) String state,
-                                   @RequestParam(value = ATTR_EVENT, required = false) String event,
-                                   @RequestParam(required = false) String envelopeId, ModelMap model) {
+            @RequestParam(value = ATTR_EVENT, required = false) String event,
+            @RequestParam(required = false) String envelopeId, ModelMap model) {
         model.addAttribute(LAUNCHER_TEXTS, config.getCodeExamplesText().SupportingTexts);
         model.addAttribute(ATTR_TITLE, "Return from DocuSign");
         model.addAttribute(ATTR_EVENT, event);

src/main/java/com/docusign/core/model/Session.java

@@ -12,8 +12,7 @@
 import java.util.UUID;
 
 @Component
-@Scope(value = WebApplicationContext.SCOPE_SESSION,
-        proxyMode = ScopedProxyMode.TARGET_CLASS)
+@Scope(value = WebApplicationContext.SCOPE_SESSION, proxyMode = ScopedProxyMode.TARGET_CLASS)
 @Data
 public class Session implements Serializable {
     private static final long serialVersionUID = 2695379118371574037L;
@@ -75,4 +74,6 @@ public class Session implements Serializable {
     private String instanceId;
 
     private Boolean isWorkflowPublished = false;
+
+    private Boolean isPKCEWorking = true;
 }

…ign/core/security/jwt/JWTOAuth2User.java …ocusign/core/security/JWTOAuth2User.javasrc/main/java/com/docusign/core/security/jwt/JWTOAuth2User.java renamed to src/main/java/com/docusign/core/security/JWTOAuth2User.java src/main/java/com/docusign/core/security/jwt/JWTOAuth2User.java renamed to src/main/java/com/docusign/core/security/JWTOAuth2User.java

@@ -1,4 +1,4 @@
-package com.docusign.core.security.jwt;
+package com.docusign.core.security;
 
 import com.docusign.esign.client.auth.OAuth;
 import com.fasterxml.jackson.databind.ObjectMapper;

src/main/java/com/docusign/core/security/SecurityHelpers.java

@@ -0,0 +1,67 @@
+package com.docusign.core.security;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.List;
+import java.util.Random;
+
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import com.docusign.core.model.ApiType;
+import com.docusign.core.model.Session;
+import com.docusign.esign.client.auth.OAuth;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+
+public class SecurityHelpers {
+    public static List<String> getScopeList() {
+        List<String> scopes = new ArrayList<>();
+        for (ApiType scope : ApiType.values()) {
+            scopes.addAll(Arrays.asList(scope.getScopes()));
+        }
+        return scopes;
+    }
+
+    public static String generateCodeVerifier() {
+        byte[] randomBytes = new byte[32];
+        new Random().nextBytes(randomBytes);
+        return Base64.getUrlEncoder().withoutPadding().encodeToString(randomBytes);
+    }
+
+    public static String generateCodeChallenge(String codeVerifier) throws NoSuchAlgorithmException {
+        MessageDigest digest = MessageDigest.getInstance("SHA-256");
+        byte[] hash = digest.digest(codeVerifier.getBytes(StandardCharsets.UTF_8));
+        return Base64.getUrlEncoder().withoutPadding().encodeToString(hash);
+    }
+
+    public static String parseJsonField(String jsonResponse, String field) throws IOException {
+        ObjectMapper mapper = new ObjectMapper();
+        JsonNode jsonNode = mapper.readTree(jsonResponse);
+        return jsonNode.get(field).asText();
+    }
+
+    public static void setSpringSecurityAuthentication(List<String> scopes, String oAuthToken, OAuth.UserInfo userInfo,
+            String accountId, Session session, String expiresIn) {
+        JWTOAuth2User principal = new JWTOAuth2User();
+        principal.setAuthorities(scopes);
+        principal.setCreated(userInfo.getCreated());
+        principal.setName(userInfo.getName());
+        principal.setGivenName(userInfo.getGivenName());
+        principal.setFamilyName(userInfo.getFamilyName());
+        principal.setSub(userInfo.getSub());
+        principal.setEmail(userInfo.getEmail());
+        principal.setAccounts(userInfo.getAccounts());
+        principal.setAccessToken(new OAuth.OAuthToken().accessToken(oAuthToken));
+
+        session.setTokenExpirationTime(System.currentTimeMillis() + Integer.parseInt(expiresIn) * 1000L);
+
+        OAuth2AuthenticationToken token = new OAuth2AuthenticationToken(principal, principal.getAuthorities(),
+                accountId);
+        SecurityContextHolder.getContext().setAuthentication(token);
+    }
+}

src/main/java/com/docusign/core/security/acg/ACGAuthenticationMethod.java

@@ -0,0 +1,92 @@
+package com.docusign.core.security.acg;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.net.URI;
+import java.net.URLEncoder;
+import java.net.http.HttpClient;
+import java.net.http.HttpRequest;
+import java.net.http.HttpResponse;
+import java.util.Base64;
+import java.util.List;
+import org.springframework.web.servlet.view.RedirectView;
+
+import com.docusign.DSConfiguration;
+import com.docusign.core.model.Session;
+import com.docusign.core.security.SecurityHelpers;
+import com.docusign.esign.client.ApiClient;
+import com.docusign.esign.client.auth.OAuth;
+
+public class ACGAuthenticationMethod {
+    private static final String REDIRECT_URI = "/pkce";
+    private static final String STATE = "random_state_string";
+    private static String codeVerifier;
+    private static String codeChallenge;
+
+    public RedirectView initiateAuthorization(DSConfiguration configuration) throws Exception {
+        List<String> scopes = SecurityHelpers.getScopeList();
+
+        codeVerifier = SecurityHelpers.generateCodeVerifier();
+        codeChallenge = SecurityHelpers.generateCodeChallenge(codeVerifier);
+
+        String authorizationURL = String.format(
+                "%s&redirect_uri=%s&scope=%s&client_id=%s&state=%s&response_type=code&code_challenge=%s&code_challenge_method=S256",
+                configuration.getAuthorizationEndpoint(),
+                URLEncoder.encode(configuration.getAppUrl() + REDIRECT_URI, StandardCharsets.UTF_8),
+                URLEncoder.encode(String.join(" ", scopes), StandardCharsets.UTF_8), configuration.getUserId(), STATE,
+                codeChallenge);
+
+        return new RedirectView(authorizationURL);
+    }
+
+    public RedirectView exchangeCodeForToken(String oAuthToken, DSConfiguration configuration, Session session,
+            String redirect)
+            throws Exception {
+        String requestBody = buildRequestBody(oAuthToken);
+        String authHeader = generateAuthHeader(configuration);
+
+        HttpClient client = HttpClient.newHttpClient();
+        HttpRequest request = HttpRequest.newBuilder()
+                .uri(URI.create(configuration.getTokenEndpoint()))
+                .header("Authorization", "Basic " + authHeader)
+                .header("Content-Type", "application/x-www-form-urlencoded")
+                .POST(HttpRequest.BodyPublishers.ofString(requestBody))
+                .build();
+
+        HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
+
+        if (response.statusCode() == 200) {
+            processTokenResponse(response.body(), configuration, session);
+        } else {
+            throw new IOException("Failed to exchange code for token. Status code: " + response.statusCode());
+        }
+
+        return new RedirectView(redirect);
+    }
+
+    private String buildRequestBody(String oAuthToken) throws IOException {
+        return "grant_type=authorization_code" +
+                "&code=" + URLEncoder.encode(oAuthToken, StandardCharsets.UTF_8) +
+                "&redirect_uri=" + URLEncoder.encode(REDIRECT_URI, StandardCharsets.UTF_8) +
+                "&code_verifier=" + URLEncoder.encode(codeVerifier, StandardCharsets.UTF_8);
+    }
+
+    private String generateAuthHeader(DSConfiguration configuration) {
+        return Base64.getEncoder().encodeToString(
+                (configuration.getUserId() + ":" + configuration.getSecretUserId()).getBytes(StandardCharsets.UTF_8));
+    }
+
+    private void processTokenResponse(String responseBody, DSConfiguration configuration, Session session)
+            throws Exception {
+        ApiClient apiClient = new ApiClient(configuration.getBasePath());
+        String accessToken = SecurityHelpers.parseJsonField(responseBody, "access_token");
+        String expiresIn = SecurityHelpers.parseJsonField(responseBody, "expires_in");
+
+        OAuth.UserInfo userInfo = apiClient.getUserInfo(accessToken);
+        String accountId = userInfo.getAccounts().size() > 0 ? userInfo.getAccounts().get(0).getAccountId() : "";
+
+        SecurityHelpers.setSpringSecurityAuthentication(SecurityHelpers.getScopeList(), accessToken, userInfo,
+                accountId, session,
+                expiresIn);
+    }
+}