Introduce RSA keys configuration properties for OAuth2 Authorization Server

Signed-off-by: Yanming Zhou <zhouyanming@gmail.com>

Author: quaff

module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerJwtAutoConfiguration.java

@@ -35,10 +35,12 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;
+import org.springframework.security.config.crypto.RsaKeyConversionServicePostProcessor;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
@@ -48,29 +50,44 @@
  * OAuth2 authorization server that require it (e.g. User Info, Client Registration).
  *
  * @author Steve Riesenberg
+ * @author Yanming Zhou
  * @since 4.0.0
  */
 @AutoConfiguration(after = UserDetailsServiceAutoConfiguration.class)
 @ConditionalOnClass({ OAuth2Authorization.class, JWKSource.class })
 @ConditionalOnWebApplication(type = Type.SERVLET)
+@EnableConfigurationProperties(OAuth2AuthorizationServerProperties.class)
 public final class OAuth2AuthorizationServerJwtAutoConfiguration {
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	@ConditionalOnMissingBean
-	JWKSource<SecurityContext> jwkSource() {
-		RSAKey rsaKey = getRsaKey();
+	JWKSource<SecurityContext> jwkSource(OAuth2AuthorizationServerProperties properties) {
+		RSAKey rsaKey = getRsaKey(properties.getRsa());
 		JWKSet jwkSet = new JWKSet(rsaKey);
 		return new ImmutableJWKSet<>(jwkSet);
 	}
 
-	private static RSAKey getRsaKey() {
-		KeyPair keyPair = generateRsaKey();
-		RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
-		RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
-		RSAKey rsaKey = new RSAKey.Builder(publicKey).privateKey(privateKey)
-			.keyID(UUID.randomUUID().toString())
-			.build();
+	@Bean
+	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+	@ConditionalOnMissingBean
+	static RsaKeyConversionServicePostProcessor rsaKeyConversionServicePostProcessor() {
+		return new RsaKeyConversionServicePostProcessor();
+	}
+
+	private static RSAKey getRsaKey(OAuth2AuthorizationServerProperties.Rsa rsa) {
+		RSAKey rsaKey;
+		if (rsa.getPublicKey() != null && rsa.getPrivateKey() != null) {
+			rsaKey = new RSAKey.Builder(rsa.getPublicKey()).privateKey(rsa.getPrivateKey())
+				.keyID(rsa.getKeyId() != null ? rsa.getKeyId() : UUID.randomUUID().toString())
+				.build();
+		}
+		else {
+			KeyPair keyPair = generateRsaKey();
+			RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
+			RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
+			rsaKey = new RSAKey.Builder(publicKey).privateKey(privateKey).keyID(UUID.randomUUID().toString()).build();
+		}
 		return rsaKey;
 	}
 

module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerProperties.java

@@ -16,6 +16,8 @@
 
 package org.springframework.boot.security.oauth2.server.authorization.autoconfigure.servlet;
 
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
 import java.time.Duration;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -35,6 +37,7 @@
  *
  * @author Steve Riesenberg
  * @author Florian Lemaire
+ * @author Yanming Zhou
  * @since 4.0.0
  */
 @ConfigurationProperties("spring.security.oauth2.authorizationserver")
@@ -62,6 +65,11 @@ public class OAuth2AuthorizationServerProperties implements InitializingBean {
 	 */
 	private final Endpoint endpoint = new Endpoint();
 
+	/**
+	 * Authorization Server endpoints.
+	 */
+	private final Rsa rsa = new Rsa();
+
 	public boolean isMultipleIssuersAllowed() {
 		return this.multipleIssuersAllowed;
 	}
@@ -86,6 +94,10 @@ public Endpoint getEndpoint() {
 		return this.endpoint;
 	}
 
+	public Rsa getRsa() {
+		return this.rsa;
+	}
+
 	@Override
 	public void afterPropertiesSet() {
 		validate();
@@ -567,4 +579,50 @@ public void setIdTokenSignatureAlgorithm(String idTokenSignatureAlgorithm) {
 
 	}
 
+	/**
+	 * RSA keys for JWK.
+	 */
+	public static class Rsa {
+
+		/**
+		 * RSA key ID.
+		 */
+		private @Nullable String keyId;
+
+		/**
+		 * RSA public key.
+		 */
+		private @Nullable RSAPublicKey publicKey;
+
+		/**
+		 * RSA private key.
+		 */
+		private @Nullable RSAPrivateKey privateKey;
+
+		public @Nullable String getKeyId() {
+			return this.keyId;
+		}
+
+		public void setKeyId(String keyId) {
+			this.keyId = keyId;
+		}
+
+		public @Nullable RSAPublicKey getPublicKey() {
+			return this.publicKey;
+		}
+
+		public void setPublicKey(RSAPublicKey publicKey) {
+			this.publicKey = publicKey;
+		}
+
+		public @Nullable RSAPrivateKey getPrivateKey() {
+			return this.privateKey;
+		}
+
+		public void setPrivateKey(RSAPrivateKey privateKey) {
+			this.privateKey = privateKey;
+		}
+
+	}
+
 }

module/spring-boot-security-oauth2-authorization-server/src/test/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerJwtAutoConfigurationTests.java

@@ -16,6 +16,8 @@
 
 package org.springframework.boot.security.oauth2.server.authorization.autoconfigure.servlet;
 
+import com.nimbusds.jose.jwk.JWKSet;
+import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
@@ -36,6 +38,7 @@
  * Tests for {@link OAuth2AuthorizationServerJwtAutoConfiguration}.
  *
  * @author Steve Riesenberg
+ * @author Yanming Zhou
  */
 class OAuth2AuthorizationServerJwtAutoConfigurationTests {
 
@@ -91,6 +94,22 @@ void jwkSourceBacksOffWhenBeanPresent() {
 		});
 	}
 
+	@Test
+	void jwkSetShouldUseConfiguredRsaKeys() {
+		this.contextRunner
+			.withPropertyValues("spring.security.oauth2.authorizationserver.rsa.key-id=test",
+					"spring.security.oauth2.authorizationserver.rsa.public-key=classpath:rsa/public.pem",
+					"spring.security.oauth2.authorizationserver.rsa.private-key=classpath:rsa/private.pem")
+			.run((context) -> {
+				OAuth2AuthorizationServerProperties.Rsa rsa = context.getBean(OAuth2AuthorizationServerProperties.class)
+					.getRsa();
+				JWKSet jwkSet = context.getBean(ImmutableJWKSet.class).getJWKSet();
+				RSAKey rsaKey = jwkSet.getKeyByKeyId("test").toRSAKey();
+				assertThat(rsaKey.toRSAPublicKey()).isEqualTo(rsa.getPublicKey());
+				assertThat(rsaKey.toRSAPrivateKey()).isEqualTo(rsa.getPrivateKey());
+			});
+	}
+
 	@Configuration
 	static class TestJwtDecoderConfiguration {
 

module/spring-boot-security-oauth2-authorization-server/src/test/resources/rsa/private.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCo9lH30na5xR21
+XociQCQyXvMNwaIs9NnvfYnXp5WdDtSGQwO1eR+nUODO5znQihkXRQ33aP8zyLJD
+cD5PQeeWRvj2qRSpG6UsKZ/GRZdkysCiCHL5pBKZJtEtFXpoY0K4HujSuBVz39W8
+txYmLCXS1s3vmOFuBbvQIieFHkdYRlyybm2L6uSj6GpNJfNVtn27gTV9l0boB/Gf
+9ruEHc5AwfNcMoD13aOJyWbVr3QtqrV6SVNN9qdvDZCFTi4NQtleYl8xGWXJsti+
+N3yje0qDD96uyrk7nN8D4reIcL8OYOVPS6HlV5RtrIVFeDKQ1faKTitt3qq864uN
+0ZeVr4G3AgMBAAECggEAPtLXx33KB2jzkuyC8olG7DPBy+ujkXO5VQMorbbyOmO5
+QfLI/kD7NAsui8AODyxKCAz1FHlF6stE/S5O/MlUgtwA1jYoKHjPAYy4i9B0alW5
+KoZZudj30VpNjKXfzdCajjtv9mncECm6H2E0Kx1fMvYLvHrr1yzqmIkaiLSpcnic
+XO4THiVEnPgLJx6ecRYnHRX+KVMS4a3KwMIBr5vvCjOFa+i45WKBHpUE0ykCbAID
+1uu+HMAcBJrjV5YeH97tuei4Od5/BMFaounN14R82TXqQ4i7K8F5AsDBn9jozouU
+N1QH8a3DSIjkickrMI/w3mQ0VJaLVK6GPGmU30kuAQKBgQDXa684CMgV4yA2O/nm
+e7/9BmSNeYo+VKdqKDNWkvE6cS6wf3o0R8jpwcdqrltLCRvjZWSDGNEIquY6eHXU
++apSNEN4HBth2hNXqOTLBcGWqPxATeEzKeUbY8fHe38E0BBJ6aNzSHrenHwjCwn8
+uYOLXjT+pzlltqpaQT2SN65h8QKBgQDIykBNFZ8qK43KhArg0Kty498EeNwozIU1
+yqpSxX70kNnc1oUmYCLG4X4qy+kygMrUglMG6l2rfdHc//iPpIUODCIS7RWfYmyU
+XmUs+tKIrVX6OWE3hj0tTybTeBMWHCWMEgeqGTAyzzZMLi8f4yOsvp5w7Ycut/1W
+gAP0dxH2JwKBgBYniPmmTY2Ssjlhqa2+hFwtUCIMod8PLbiJMd5xdkWgZkDYm2TN
+DSidOTkLfXAWG7wjLVceMkFF8i+JO/UPSCj0Hww3N8m0d9DIGd+XU/V+o5Kpb8On
+R1ytwloNpV6FV2eCk8DDb399cHbaJ8jJ+3FV2vVllU2Un6hwlTh4aYLBAoGAekAa
+ElTdybEm7Wyjqumh2ZvAB1sGwJh1aqDwPuEcQQ+IdhruisTxp6FXTftFCoi79dM7
+dfRv/5/ljOcUkXCbyke830UWaypj7ZnjhBVa5fiTZnxVIpdK3DFa9FohVM7iVXwM
+ypX3cJgU+SENdB65c83DbgJQ0jMXvfjHb6qndvUCgYEAk87No0D8UeIfJ/QmX/+W
+KD5YEbzeKdGyx9r5XMc1ZKvJESehp+13P3l/h7t/83Fh9/BtoQ0bkiMLaoxgGb7k
+GHG9x2prkzVIKOEDan+kvQgHb1rcpKdWlKBhjnk+uf6o2J8Tb8iHqcpHhn96yAnp
+a5ubNn7ip2NUFLwJGS0Vqzk=
+-----END PRIVATE KEY-----

module/spring-boot-security-oauth2-authorization-server/src/test/resources/rsa/public.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqPZR99J2ucUdtV6HIkAk
+Ml7zDcGiLPTZ732J16eVnQ7UhkMDtXkfp1Dgzuc50IoZF0UN92j/M8iyQ3A+T0Hn
+lkb49qkUqRulLCmfxkWXZMrAoghy+aQSmSbRLRV6aGNCuB7o0rgVc9/VvLcWJiwl
+0tbN75jhbgW70CInhR5HWEZcsm5ti+rko+hqTSXzVbZ9u4E1fZdG6Afxn/a7hB3O
+QMHzXDKA9d2jiclm1a90Laq1eklTTfanbw2QhU4uDULZXmJfMRllybLYvjd8o3tK
+gw/ersq5O5zfA+K3iHC/DmDlT0uh5VeUbayFRXgykNX2ik4rbd6qvOuLjdGXla+B
+twIDAQAB
+-----END PUBLIC KEY-----