refactor: 토큰을 Stateless하게 관리하기 위한 Redis 적용 및 토큰 관리 과정 수정 / #61

build.gradle

@@ -28,6 +28,7 @@ repositories {
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-actuator'
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+	implementation 'org.springframework.boot:spring-boot-starter-data-redis'
 	implementation 'org.springframework.boot:spring-boot-starter-oauth2-authorization-server'
     implementation 'me.paulschwarz:spring-dotenv:4.0.0'
     implementation 'org.springframework.security:spring-security-crypto'

src/main/java/org/creditto/authserver/auth/authentication/CertificateGrantAuthenticationProvider.java

@@ -4,6 +4,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.creditto.authserver.auth.constants.ClaimConstants;
 import org.creditto.authserver.auth.jwt.CertificateOAuth2TokenGenerator;
+import org.creditto.authserver.auth.token.service.RefreshTokenService;
 import org.creditto.authserver.certificate.entity.Certificate;
 import org.creditto.authserver.certificate.service.CertificateService;
 import org.creditto.authserver.user.entity.User;
@@ -40,6 +41,7 @@ public class CertificateGrantAuthenticationProvider implements AuthenticationPro
     private final RegisteredClientRepository registeredClientRepository;
     private final OAuth2AuthorizationService authorizationService;
     private final CertificateOAuth2TokenGenerator tokenGenerator;
+    private final RefreshTokenService refreshTokenService;
 
     @Override
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
@@ -53,7 +55,8 @@ public Authentication authenticate(Authentication authentication) throws Authent
         // 2. 인증서 기반 인증 수행
         String certificateSerial = certificateToken.getCertificateSerial();
         String simplePassword = certificateToken.getCredentials();
-        Certificate certificate = authenticateWithCertificate(certificateToken, certificateSerial, simplePassword);
+        RequestClientInfo clientInfo = extractClientInfo(certificateToken);
+        Certificate certificate = authenticateWithCertificate(certificateSerial, simplePassword, clientInfo);
         User user = certificate.getUser();
 
         // 3. Principal 생성 (OAuth2ClientAuthenticationToken 생성) / 인증된 주체 정보
@@ -80,6 +83,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 
         if (refreshToken != null) {
             authorizationBuilder.refreshToken(refreshToken);
+            refreshTokenService.store(user, certificate, registeredClient, refreshToken, clientInfo);
         }
 
         // 8. OAuth2Authorization 저장
@@ -115,21 +119,22 @@ private static void clientNullCheck(RegisteredClient registeredClient, String cl
 
     /**
      * 인증서 기반 인증
-     * @param certificateToken 인증 객체 (Authorization)
      * @param certificateSerial 인증서 SerialNumber
      * @param simplePassword 인증서 간편 비밀번호
      * @return Certificate
      */
-    private Certificate authenticateWithCertificate(CertificateAuthenticationToken certificateToken, String certificateSerial, String simplePassword) {
-        String ipAddress = null;
-        String userAgent = null;
+    private Certificate authenticateWithCertificate(String certificateSerial, String simplePassword, RequestClientInfo clientInfo) {
+        String ipAddress = clientInfo != null ? clientInfo.ipAddress() : null;
+        String userAgent = clientInfo != null ? clientInfo.userAgent() : null;
+        return certificateService.authenticateWithCertificate(certificateSerial, simplePassword, ipAddress, userAgent);
+    }
+
+    private RequestClientInfo extractClientInfo(CertificateAuthenticationToken certificateToken) {
         Object details = certificateToken.getDetails();
         if (details instanceof RequestClientInfo info) {
-            ipAddress = info.ipAddress();
-            userAgent = info.userAgent();
+            return info;
         }
-
-        return certificateService.authenticateWithCertificate(certificateSerial, simplePassword, ipAddress, userAgent);
+        return null;
     }
 
     /**

src/main/java/org/creditto/authserver/auth/config/AuthorizationServerConfig.java

@@ -8,12 +8,16 @@
 import lombok.RequiredArgsConstructor;
 import org.creditto.authserver.auth.authentication.CertificateGrantAuthenticationConverter;
 import org.creditto.authserver.auth.authentication.CertificateGrantAuthenticationProvider;
+import org.creditto.authserver.auth.jwk.CachedJwkSetEndpointFilter;
+import org.creditto.authserver.auth.jwk.JwkCacheService;
 import org.creditto.authserver.auth.jwt.CertificateOAuth2TokenGenerator;
 import org.creditto.authserver.auth.jwt.RsaKeyProperties;
 import org.creditto.authserver.auth.jwt.RsaKeyUtil;
+import org.creditto.authserver.auth.token.service.RefreshTokenService;
 import org.creditto.authserver.certificate.service.CertificateService;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
@@ -112,10 +116,13 @@ public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
                         .requestMatchers("/api/user/**").permitAll()
                         .requestMatchers("/api/certificate/**").permitAll()
                         .requestMatchers("/api/client/**").permitAll()
+                        .requestMatchers("/api/auth/**").permitAll()
+                        .requestMatchers("/actuator/health").permitAll()
+                        .requestMatchers("/actuator/info").permitAll()
                         .anyRequest().authenticated()
                 )
                 .csrf(csrf -> csrf
-                        .ignoringRequestMatchers("/api/user/**", "/api/certificate/**", "/api/client/**")
+                        .ignoringRequestMatchers("/api/user/**", "/api/certificate/**", "/api/client/**", "/api/auth/token/refresh", "/actuator/**")
                 )
                 .cors(Customizer.withDefaults())
                 .exceptionHandling(exceptions -> exceptions
@@ -177,18 +184,37 @@ public CertificateGrantAuthenticationProvider certificateGrantAuthenticationProv
             CertificateService certificateService,
             RegisteredClientRepository registeredClientRepository,
             OAuth2AuthorizationService authorizationService,
-            CertificateOAuth2TokenGenerator certificateTokenGenerator
+            CertificateOAuth2TokenGenerator certificateTokenGenerator,
+            RefreshTokenService refreshTokenService
     ) {
         return new CertificateGrantAuthenticationProvider(
                 certificateService,
                 registeredClientRepository,
                 authorizationService,
-                certificateTokenGenerator
+                certificateTokenGenerator,
+                refreshTokenService
         );
     }
 
     // MVC 예외 위임
     private void handleTokenError(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) {
         handlerExceptionResolver.resolveException(request, response, null, exception);
     }
+
+    @Bean
+    public FilterRegistrationBean<CachedJwkSetEndpointFilter> cachedJwkSetEndpointFilter(
+            JWKSource<SecurityContext> jwkSource,
+            JwkCacheService jwkCacheService,
+            AuthorizationServerSettings authorizationServerSettings
+    ) {
+        CachedJwkSetEndpointFilter filter = new CachedJwkSetEndpointFilter(
+                jwkSource,
+                jwkCacheService,
+                authorizationServerSettings.getJwkSetEndpoint()
+        );
+        FilterRegistrationBean<CachedJwkSetEndpointFilter> registration = new FilterRegistrationBean<>(filter);
+        registration.setOrder(0);
+        registration.addUrlPatterns(authorizationServerSettings.getJwkSetEndpoint());
+        return registration;
+    }
 }

src/main/java/org/creditto/authserver/auth/context/ManualAuthorizationServerContext.java

@@ -0,0 +1,27 @@
+package org.creditto.authserver.auth.context;
+
+import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContext;
+import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
+
+/**
+ * Simple AuthorizationServerContext implementation for manual token issuance.
+ */
+public record ManualAuthorizationServerContext(
+        String issuer,
+        AuthorizationServerSettings authorizationServerSettings
+) implements AuthorizationServerContext {
+
+    public ManualAuthorizationServerContext(AuthorizationServerSettings authorizationServerSettings) {
+        this(authorizationServerSettings.getIssuer(), authorizationServerSettings);
+    }
+
+    @Override
+    public String getIssuer() {
+        return authorizationServerSettings.getIssuer();
+    }
+
+    @Override
+    public AuthorizationServerSettings getAuthorizationServerSettings() {
+        return authorizationServerSettings;
+    }
+}

src/main/java/org/creditto/authserver/auth/controller/AuthController.java

@@ -0,0 +1,40 @@
+package org.creditto.authserver.auth.controller;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.validation.Valid;
+import lombok.RequiredArgsConstructor;
+import org.creditto.authserver.auth.dto.LogoutRequest;
+import org.creditto.authserver.auth.dto.RefreshTokenRequest;
+import org.creditto.authserver.auth.dto.TokenResponse;
+import org.creditto.authserver.auth.service.AuthService;
+import org.creditto.authserver.global.response.ApiResponseUtil;
+import org.creditto.authserver.global.response.BaseResponse;
+import org.creditto.authserver.global.response.SuccessCode;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequiredArgsConstructor
+@RequestMapping("/api/auth")
+public class AuthController {
+
+    private final AuthService authService;
+
+    @PostMapping("/token/refresh")
+    public ResponseEntity<BaseResponse<TokenResponse>> refreshToken(
+            @Valid @RequestBody RefreshTokenRequest request,
+            HttpServletRequest httpServletRequest
+    ) {
+        TokenResponse response = authService.refreshToken(request, httpServletRequest);
+        return ApiResponseUtil.success(SuccessCode.OK, response);
+    }
+
+    @PostMapping("/logout")
+    public ResponseEntity<BaseResponse<Void>> logout(@Valid @RequestBody LogoutRequest request) {
+        authService.logout(request);
+        return ApiResponseUtil.success(SuccessCode.OK);
+    }
+}

src/main/java/org/creditto/authserver/auth/dto/LogoutRequest.java

@@ -0,0 +1,9 @@
+package org.creditto.authserver.auth.dto;
+
+import jakarta.validation.constraints.NotBlank;
+
+public record LogoutRequest(
+        @NotBlank(message = "refreshToken은 필수입니다.")
+        String refreshToken
+) {
+}

src/main/java/org/creditto/authserver/auth/dto/RefreshTokenRequest.java

@@ -0,0 +1,11 @@
+package org.creditto.authserver.auth.dto;
+
+import jakarta.validation.constraints.NotBlank;
+
+public record RefreshTokenRequest(
+        @NotBlank(message = "refreshToken은 필수입니다.")
+        String refreshToken,
+        @NotBlank(message = "clientId는 필수입니다.")
+        String clientId
+) {
+}

src/main/java/org/creditto/authserver/auth/dto/TokenResponse.java

@@ -0,0 +1,12 @@
+package org.creditto.authserver.auth.dto;
+
+import java.time.Instant;
+
+public record TokenResponse(
+        String tokenType,
+        String accessToken,
+        Instant accessTokenExpiresAt,
+        String refreshToken,
+        Instant refreshTokenExpiresAt
+) {
+}

src/main/java/org/creditto/authserver/auth/jwk/CachedJwkSetEndpointFilter.java

@@ -0,0 +1,77 @@
+package org.creditto.authserver.auth.jwk;
+
+import com.nimbusds.jose.jwk.JWKSelector;
+import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.proc.SecurityContext;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.util.List;
+
+@Slf4j
+public class CachedJwkSetEndpointFilter extends OncePerRequestFilter {
+
+    private final JWKSource<SecurityContext> jwkSource;
+    private final String endpointUri;
+    private final JWKSelector jwkSelector = new JWKSelector(new com.nimbusds.jose.jwk.JWKMatcher.Builder().build());
+    private final JwkCacheService jwkCacheService;
+
+    public CachedJwkSetEndpointFilter(
+            JWKSource<SecurityContext> jwkSource,
+            JwkCacheService jwkCacheService,
+            String endpointUri
+    ) {
+        this.jwkSource = jwkSource;
+        this.jwkCacheService = jwkCacheService;
+        this.endpointUri = endpointUri;
+    }
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+        if (!matches(request)) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        try {
+            String jwkJson = jwkCacheService.getCachedJwk()
+                    .orElseGet(this::loadAndCacheJwk);
+            writeResponse(response, jwkJson);
+        } catch (Exception ex) {
+            log.error("JWK 응답 생성 실패", ex);
+            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Unable to load JWK set");
+        }
+    }
+
+    private String loadAndCacheJwk() {
+        try {
+            List<com.nimbusds.jose.jwk.JWK> jwkList = jwkSource.get(jwkSelector, null);
+            String jwkJson = new JWKSet(jwkList).toString();
+            jwkCacheService.cacheJwk(jwkJson);
+            return jwkJson;
+        } catch (Exception ex) {
+            throw new IllegalStateException("JWK 조회에 실패했습니다: " + ex.getMessage(), ex);
+        }
+    }
+
+    private void writeResponse(HttpServletResponse response, String jwkJson) throws IOException {
+        response.setContentType("application/json");
+        response.setCharacterEncoding("UTF-8");
+        PrintWriter writer = response.getWriter();
+        writer.write(jwkJson);
+        writer.flush();
+    }
+
+    private boolean matches(HttpServletRequest request) {
+        return "GET".equalsIgnoreCase(request.getMethod())
+                && request.getRequestURI().equals(endpointUri);
+    }
+}

src/main/java/org/creditto/authserver/auth/jwk/JwkCacheService.java

@@ -0,0 +1,40 @@
+package org.creditto.authserver.auth.jwk;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.stereotype.Service;
+import org.springframework.util.StringUtils;
+
+import java.time.Duration;
+import java.util.Optional;
+
+@Service
+public class JwkCacheService {
+
+    private static final String JWK_CACHE_KEY = "jwk:set:cache";
+
+    private final StringRedisTemplate redisTemplate;
+    private final Duration cacheTtl;
+
+    public JwkCacheService(
+            StringRedisTemplate redisTemplate,
+            @Value("${auth.jwk.cache-ttl:PT30M}") Duration cacheTtl
+    ) {
+        this.redisTemplate = redisTemplate;
+        this.cacheTtl = cacheTtl != null ? cacheTtl : Duration.ofMinutes(30);
+    }
+
+    public Optional<String> getCachedJwk() {
+        String value = redisTemplate.opsForValue().get(JWK_CACHE_KEY);
+        return StringUtils.hasText(value)
+                ? Optional.of(value)
+                : Optional.empty();
+    }
+
+    public void cacheJwk(String jwkJson) {
+        if (!StringUtils.hasText(jwkJson)) {
+            return;
+        }
+        redisTemplate.opsForValue().set(JWK_CACHE_KEY, jwkJson, cacheTtl);
+    }
+}