feat: support for Azure B2C Provider

Updated to handle Azure B2C separately when building ClientRegistration. This is necessary because the issuer returned by Azure B2C openid-configuration does not match the requested issuer, causing a mismatch error to be thrown.

A new factory method was introduced (spring-projects/spring-security#15716) for similar issue and will be available in Spring Security 6.4.0. For now we have borrowed the implementation and necessary helpers into our own code and will upgrade the dependency once the stable version is released and we've been able to properly test it.

JIRA: LX-614
risk: high

Author: chrisbonilla95

gooddata-server-oauth2-autoconfigure/src/main/kotlin/AuthenticationUtils.kt

@@ -13,9 +13,11 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+@file:Suppress("TooManyFunctions")
 package com.gooddata.oauth2.server
 
 import com.gooddata.oauth2.server.OAuthConstants.GD_USER_GROUPS_SCOPE
+import com.gooddata.oauth2.server.oauth2.client.fromOidcConfiguration
 import com.nimbusds.jose.JWSAlgorithm
 import com.nimbusds.jose.jwk.JWKSet
 import com.nimbusds.jose.jwk.source.JWKSecurityContextJWKSet
@@ -28,16 +30,20 @@ import com.nimbusds.jwt.proc.BadJWTException
 import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier
 import com.nimbusds.jwt.proc.DefaultJWTProcessor
 import com.nimbusds.jwt.proc.JWTClaimsSetVerifier
+import com.nimbusds.oauth2.sdk.ParseException
 import com.nimbusds.oauth2.sdk.Scope
 import com.nimbusds.openid.connect.sdk.OIDCScopeValue
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata
 import java.security.MessageDigest
 import java.time.Instant
 import net.minidev.json.JSONObject
+import org.springframework.core.ParameterizedTypeReference
 import org.springframework.core.convert.ConversionService
 import org.springframework.core.convert.TypeDescriptor
 import org.springframework.core.convert.converter.Converter
 import org.springframework.http.HttpStatus
+import org.springframework.http.RequestEntity
+import org.springframework.http.client.SimpleClientHttpRequestFactory
 import org.springframework.security.core.Authentication
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken
 import org.springframework.security.oauth2.client.registration.ClientRegistration
@@ -50,8 +56,12 @@ import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter
 import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder
 import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken
+import org.springframework.web.client.RestTemplate
 import org.springframework.web.server.ResponseStatusException
+import org.springframework.web.util.UriComponentsBuilder
 import reactor.core.publisher.Mono
+import java.net.URI
+import java.util.Collections
 
 /**
  * Constants for OAuth type authentication which are not directly available in the Spring Security.
@@ -65,8 +75,24 @@ object OAuthConstants {
      */
     const val REDIRECT_URL_BASE = "{baseUrl}/{action}/oauth2/code/"
     const val GD_USER_GROUPS_SCOPE = "urn.gooddata.scope/user_groups"
+    const val OIDC_METADATA_PATH = "/.well-known/openid-configuration"
+    const val CONNECTION_TIMEOUT = 30_000
+    const val READ_TIMEOUT = 30_000
 }
 
+private val rest: RestTemplate by lazy {
+    val requestFactory = SimpleClientHttpRequestFactory().apply {
+        setConnectTimeout(OAuthConstants.CONNECTION_TIMEOUT)
+        setReadTimeout(OAuthConstants.READ_TIMEOUT)
+    }
+    RestTemplate().apply {
+        this.requestFactory = requestFactory
+    }
+}
+
+private val typeReference: ParameterizedTypeReference<Map<String, Any>> = object :
+    ParameterizedTypeReference<Map<String, Any>>() {}
+
 /**
  * Builds [ClientRegistration] from [Organization] retrieved from [AuthenticationStoreClient].
  *
@@ -82,31 +108,136 @@ fun buildClientRegistration(
     organization: Organization,
     properties: HostBasedClientRegistrationRepositoryProperties,
     clientRegistrationBuilderCache: ClientRegistrationBuilderCache,
-): ClientRegistration =
-    if (organization.oauthIssuerLocation != null) {
-        clientRegistrationBuilderCache.get(organization.oauthIssuerLocation) {
-            try {
-                ClientRegistrations.fromIssuerLocation(organization.oauthIssuerLocation)
-            } catch (ex: RuntimeException) {
-                when (ex) {
-                    is IllegalArgumentException,
-                    is IllegalStateException,
-                    -> throw ResponseStatusException(
-                        HttpStatus.UNAUTHORIZED,
-                        "Authorization failed for given issuer \"${organization.oauthIssuerLocation}\". ${ex.message}"
-                    )
-
-                    else -> throw ex
-                }
+): ClientRegistration {
+    val issuerLocation = organization.oauthIssuerLocation
+        ?: return dexClientRegistration(registrationId, properties, organization)
+
+    return clientRegistrationBuilderCache.get(issuerLocation) {
+        try {
+            if (issuerLocation.toUri().isAzureB2C()) {
+                handleAzureB2CClientRegistration(issuerLocation)
+            } else {
+                ClientRegistrations.fromIssuerLocation(issuerLocation)
             }
-        }
-            .registrationId(registrationId)
-            .withRedirectUri(organization.oauthIssuerId)
+        } catch (ex: RuntimeException) {
+            handleRuntimeException(ex, issuerLocation)
+        } as ClientRegistration.Builder
+    }
+        .registrationId(registrationId)
+        .withRedirectUri(organization.oauthIssuerId)
+        .buildWithIssuerConfig(organization)
+}
+
+/**
+ * Provides a DEX [ClientRegistration.Builder] for the given [registrationId] and [organization].
+ *
+ * @param registrationId Identifier for the client registration.
+ * @param properties Properties for host-based client registration repository.
+ * @param organization The organization for which to build the client registration.
+ * @return A [ClientRegistration.Builder] configured with a default Dex configuration.
+ */
+private fun dexClientRegistration(
+    registrationId: String,
+    properties: HostBasedClientRegistrationRepositoryProperties,
+    organization: Organization
+): ClientRegistration = ClientRegistration
+    .withRegistrationId(registrationId)
+    .withDexConfig(properties)
+    .buildWithIssuerConfig(organization)
+
+/**
+ * Handles client registration for Azure B2C by validating issuer metadata and building the registration.
+ *
+ * @param issuerLocation The issuer location URL as a string.
+ * @return A configured [ClientRegistration] instance for Azure B2C.
+ * @throws ResponseStatusException if the metadata endpoints do not match the issuer location.
+ */
+private fun handleAzureB2CClientRegistration(
+    issuerLocation: String
+): ClientRegistration.Builder {
+    val uri = buildMetadataUri(issuerLocation)
+    val configuration = retrieveOidcConfiguration(uri)
+
+    return if (isValidAzureB2CMetadata(configuration, uri)) {
+        fromOidcConfiguration(configuration)
     } else {
-        ClientRegistration
-            .withRegistrationId(registrationId)
-            .withDexConfig(properties)
-    }.buildWithIssuerConfig(organization)
+        throw ResponseStatusException(
+            HttpStatus.UNAUTHORIZED,
+            "Authorization failed for given issuer \"$issuerLocation\". Metadata endpoints do not match."
+        )
+    }
+}
+
+/**
+ * Builds metadata retrieval URI based on the provided [issuerLocation].
+ *
+ * @param issuerLocation The issuer location URL as a string.
+ * @return The constructed [URI] for metadata retrieval.
+ */
+internal fun buildMetadataUri(issuerLocation: String): URI {
+    val issuer = URI.create(issuerLocation)
+    return UriComponentsBuilder.fromUri(issuer)
+        .replacePath(issuer.path + OAuthConstants.OIDC_METADATA_PATH)
+        .build(Collections.emptyMap<String, String>())
+}
+
+/**
+ * Retrieves the OpenID Connect configuration from the specified metadata [uri].
+ *
+ * @param uri The URI from which to retrieve the configuration metadata
+ * @return The OIDC configuration as a [Map] of [String] to [Any].
+ * @throws ResponseStatusException if the configuration metadata cannot be retrieved.
+ */
+internal fun retrieveOidcConfiguration(uri: URI): Map<String, Any> {
+    val request: RequestEntity<Void> = RequestEntity.get(uri).build()
+    return rest.exchange(request, typeReference).body
+        ?: throw ResponseStatusException(
+            HttpStatus.UNAUTHORIZED,
+            "Authorization failed: unable to retrieve configuration metadata from \"$uri\"."
+        )
+}
+
+/**
+ * As the issuer in metadata returned from Azure B2C provider is not the same as the configured issuer location,
+ * we must instead validate that the endpoint URLs in the metadata start with the configured issuer location.
+ *
+ * @param configuration The OIDC configuration metadata.
+ * @param uri The issuer location URI to validate against.
+ * @return `true` if all endpoint URLs in the metadata match the configured issuer location; `false` otherwise.
+ */
+internal fun isValidAzureB2CMetadata(
+    configuration: Map<String, Any>,
+    uri: URI
+): Boolean {
+    val metadata = parse(configuration, OIDCProviderMetadata::parse)
+    val issuerASCIIString = uri.toASCIIString()
+    return listOf(
+        metadata.authorizationEndpointURI,
+        metadata.tokenEndpointURI,
+        metadata.endSessionEndpointURI,
+        metadata.jwkSetURI,
+        metadata.userInfoEndpointURI
+    ).all { it.toASCIIString().startsWith(issuerASCIIString) }
+}
+
+/**
+ * Handles [RuntimeException]s that may occur during client registration building
+ *
+ * @param ex The exception that was thrown.
+ * @param issuerLocation The issuer location URL as a string, used for error messaging.
+ * @throws ResponseStatusException with `UNAUTHORIZED` status for known exception types.
+ * @throws RuntimeException for any other exceptions.
+ */
+private fun handleRuntimeException(ex: RuntimeException, issuerLocation: String) {
+    when (ex) {
+        is IllegalArgumentException,
+        is IllegalStateException -> throw ResponseStatusException(
+            HttpStatus.UNAUTHORIZED,
+            "Authorization failed for given issuer \"$issuerLocation\". ${ex.message}"
+        )
+        else -> throw ex
+    }
+}
 
 /**
  * Prepares [NimbusReactiveJwtDecoder] that decodes incoming JWTs and validates these against JWKs from [jwkSet] and
@@ -263,6 +394,15 @@ private fun ClientRegistration.Builder.withDexConfig(
     .userInfoAuthenticationMethod(AuthenticationMethod.HEADER)
     .jwkSetUri("${properties.localAddress}/dex/keys")
 
+@Suppress("TooGenericExceptionThrown")
+fun <T> parse(body: Map<String, Any>, parser: (JSONObject) -> T): T {
+    return try {
+        parser(JSONObject(body))
+    } catch (ex: ParseException) {
+        throw RuntimeException(ex)
+    }
+}
+
 /**
  * Remove illegal characters from string according to OAuth2 specification
  */

gooddata-server-oauth2-autoconfigure/src/main/kotlin/UriExtensions.kt

@@ -40,3 +40,18 @@ fun URI.isCognito(): Boolean {
     val lowerCasedHost = host?.lowercase() ?: return false
     return lowerCasedHost.endsWith("amazonaws.com") && lowerCasedHost.startsWith("cognito-idp")
 }
+
+/**
+ * Check if URI is Azure B2C issuer
+ */
+@Suppress("ReturnCount")
+fun URI.isAzureB2C(): Boolean {
+    val lowerCasedHost = host?.lowercase() ?: return false
+    val path = path?.lowercase() ?: return false
+
+    val azureB2CPattern = Regex(
+        pattern = "^https://([a-zA-Z0-9-]+)\\.b2clogin\\.com/\\1\\.onmicrosoft\\.com/[a-zA-Z0-9-_]+(/v2\\.0)?/?$"
+    )
+
+    return azureB2CPattern.matches("$scheme://$lowerCasedHost$path")
+}

gooddata-server-oauth2-autoconfigure/src/main/kotlin/oauth2/client/CustomClientRegistrations.kt

@@ -0,0 +1,119 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ * Copyright 2024 GoodData Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Forked from https://github.com/spring-projects/spring-security/blob/6.4.0-RC1/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistrations.java
+ *
+ * The fromOidcConfiguration factory method (and necessary helper functions) has been extracted from the original class
+ * for immediate use until the Spring Security stable version containing it is released.
+ *
+ * This class and its methods are subject to removal once the Spring Security stable version containing the
+ * fromOidcConfiguration factory method is released and the dependency in the project is updated.
+ */
+package com.gooddata.oauth2.server.oauth2.client
+
+import com.gooddata.oauth2.server.parse
+import com.nimbusds.oauth2.sdk.`as`.AuthorizationServerMetadata
+import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata
+import org.springframework.security.oauth2.client.registration.ClientRegistration
+import org.springframework.security.oauth2.core.AuthorizationGrantType
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod
+import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames
+import org.springframework.util.Assert
+import java.net.URI
+
+/**
+ * Creates a {@link ClientRegistration.Builder} using the provided map representation
+ * of an <a href=
+ * "https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse">OpenID
+ * Provider Configuration Response</a> to initialize the
+ * {@link ClientRegistration.Builder}.
+ *
+ * <p>
+ * This is useful when the OpenID Provider Configuration is not available at a
+ * well-known location, or if custom validation is needed for the issuer location
+ * (e.g. if the issuer is only accessible from a back-channel URI that is different
+ * from the issuer value in the configuration).
+ * </p>
+ *
+ * <p>
+ * Example usage:
+ * </p>
+ * <pre>
+ * RequestEntity&lt;Void&gt; request = RequestEntity.get(metadataEndpoint).build();
+ * ParameterizedTypeReference&lt;Map&lt;String, Object&gt;&gt; typeReference =
+ * new ParameterizedTypeReference&lt;&gt;() {};
+ * Map&lt;String, Object&gt; configuration = rest.exchange(request, typeReference).getBody();
+ * // Validate configuration.get("issuer") as per in the OIDC specification
+ * ClientRegistration registration = ClientRegistrations.fromOidcConfiguration(configuration)
+ *     .clientId("client-id")
+ *     .clientSecret("client-secret")
+ *     .build();
+ * </pre>
+ * @param the OpenID Provider configuration map
+ * @return the {@link ClientRegistration} built from the configuration
+ */
+fun fromOidcConfiguration(configuration: Map<String, Any>): ClientRegistration.Builder {
+    val metadata: OIDCProviderMetadata = parse(configuration, OIDCProviderMetadata::parse)
+    val builder: ClientRegistration.Builder = withProviderConfiguration(metadata, metadata.issuer.value)
+    builder.jwkSetUri(metadata.jwkSetURI.toASCIIString())
+    if (metadata.userInfoEndpointURI != null) {
+        builder.userInfoUri(metadata.userInfoEndpointURI.toASCIIString())
+    }
+    return builder
+}
+
+private fun withProviderConfiguration(
+    metadata: AuthorizationServerMetadata,
+    issuer: String
+): ClientRegistration.Builder {
+    val metadataIssuer: String = metadata.issuer.value
+    Assert.state(issuer == metadataIssuer) {
+        "The Issuer \"$metadataIssuer\" provided in the configuration metadata did " +
+            "not match the requested issuer \"$issuer\""
+    }
+    val name: String = URI.create(issuer).host
+    val method: ClientAuthenticationMethod? = getClientAuthenticationMethod(metadata.tokenEndpointAuthMethods)
+    val configurationMetadata: Map<String, Any> = LinkedHashMap(metadata.toJSONObject())
+
+    return ClientRegistration.withRegistrationId(name)
+        .userNameAttributeName(IdTokenClaimNames.SUB)
+        .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+        .clientAuthenticationMethod(method)
+        .redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}")
+        .authorizationUri(metadata.authorizationEndpointURI?.toASCIIString())
+        .providerConfigurationMetadata(configurationMetadata)
+        .tokenUri(metadata.tokenEndpointURI.toASCIIString())
+        .issuerUri(issuer)
+        .clientName(issuer)
+}
+
+private fun getClientAuthenticationMethod(
+    metadataAuthMethods: List<com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod>?
+): ClientAuthenticationMethod? {
+    if (metadataAuthMethods == null || metadataAuthMethods
+            .contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+    ) {
+        // If null, the default includes client_secret_basic
+        return ClientAuthenticationMethod.CLIENT_SECRET_BASIC
+    }
+    if (metadataAuthMethods.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.CLIENT_SECRET_POST)) {
+        ClientAuthenticationMethod.CLIENT_SECRET_POST
+    }
+    if (metadataAuthMethods.contains(com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod.NONE)) {
+        ClientAuthenticationMethod.NONE
+    }
+    return null
+}