ADD: bearer configuration so a user can login via the api

Author: wiemanboy

src/main/java/com/wiemanboy/wiemanapi/SecurityConfig.java

@@ -0,0 +1,28 @@
+package com.wiemanboy.wiemanapi.config;
+
+import com.okta.commons.lang.Assert;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+
+import java.util.List;
+
+class AudienceValidator implements OAuth2TokenValidator<Jwt> {
+    private final String audience;
+
+    AudienceValidator(String audience) {
+        Assert.hasText(audience, "audience is null or empty");
+        this.audience = audience;
+    }
+
+    public OAuth2TokenValidatorResult validate(Jwt jwt) {
+        List<String> audiences = jwt.getAudience();
+        if (audiences.contains(this.audience)) {
+            return OAuth2TokenValidatorResult.success();
+        }
+        OAuth2Error err = new OAuth2Error(OAuth2ErrorCodes.INVALID_TOKEN);
+        return OAuth2TokenValidatorResult.failure(err);
+    }
+}

src/main/java/com/wiemanboy/wiemanapi/config/AudienceValidator.java

@@ -0,0 +1,55 @@
+package com.wiemanboy.wiemanapi.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.*;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+
+    @Value("${okta.oauth2.audience}")
+    private String audience;
+
+    @Value("${okta.oauth2.issuer}")
+    private String issuer;
+
+    @Bean
+    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
+        return http
+                .authorizeHttpRequests(authorize -> authorize
+                        .requestMatchers(HttpMethod.GET, "/services/profiles/actuator/**").permitAll()
+                        .requestMatchers(HttpMethod.GET, "/api/profiles/{id}").permitAll()
+                        .requestMatchers(HttpMethod.GET, "/api/profiles/{name}/{locale}").permitAll()
+                        .anyRequest().authenticated()
+                )
+                .oauth2Login(oauth2Login -> oauth2Login
+                        .defaultSuccessUrl("/services/profiles/docs/")
+                        .failureUrl("/")
+                )
+                .oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer
+                        .jwt(jwt -> jwt.decoder(jwtDecoder()))
+                )
+                .build();
+    }
+
+    @Bean
+    JwtDecoder jwtDecoder() {
+        NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuer);
+
+        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
+        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
+        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
+
+        jwtDecoder.setJwtValidator(withAudience);
+
+        return jwtDecoder;
+    }
+}

src/main/java/com/wiemanboy/wiemanapi/config/SecurityConfig.java

@@ -13,4 +13,5 @@ spring.data.mongodb.authentication-database=${MONGO_AUTH_DB:admin}
 spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration
 okta.oauth2.issuer=https://${AUTH0_BASE_URL}/
 okta.oauth2.client-id=${AUTH0_CLIENT_ID}
-okta.oauth2.client-secret=${AUTH0_CLIENT_SECRET}
+okta.oauth2.client-secret=${AUTH0_CLIENT_SECRET}
+okta.oauth2.audience=${AUTH0_AUDIENCE}