improve oauth2 implementation for nextcloud

kaleidox · kaleidox · commit afaec1b3c1cd · 2025-10-03T15:31:13.000+02:00
diff --git a/run/intellij/Prod Run.run.xml b/run/intellij/Prod Run.run.xml
@@ -0,0 +1,13 @@
+<component name="ProjectRunConfigurationManager">
+    <configuration default="false" name="Prod Run" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
+        <option name="FRAME_DEACTIVATION_UPDATE_POLICY" value="UpdateClassesAndResources"/>
+        <module name="workbench.main"/>
+        <selectedOptions>
+            <option name="environmentVariables"/>
+        </selectedOptions>
+        <option name="SPRING_BOOT_MAIN_CLASS" value="de.kaleidox.workbench.WorkbenchApplication"/>
+        <method v="2">
+            <option name="Make" enabled="true"/>
+        </method>
+    </configuration>
+</component>
diff --git a/src/main/java/de/kaleidox/workbench/web/SecurityConfig.java b/src/main/java/de/kaleidox/workbench/web/SecurityConfig.java
@@ -7,9 +7,14 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.context.event.ApplicationStartedEvent;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.event.EventListener;
+import org.springframework.context.expression.MapAccessor;
 import org.springframework.core.annotation.Order;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.expression.spel.support.SimpleEvaluationContext;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
@@ -18,6 +23,7 @@
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
+import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.web.SecurityFilterChain;
 
@@ -27,7 +33,7 @@
 
 @Log
 @Configuration
-public class SecurityConfig {
+public class SecurityConfig extends DefaultOAuth2UserService {
     @Bean
     @ConditionalOnExpression("#{!(systemEnvironment['DEBUG']?:'false').equals('true')}")
     public @Nullable ClientRegistrationRepository clientRegistrationRepository(@Autowired AppConfig config) {
@@ -54,9 +60,12 @@ public class SecurityConfig {
     public SecurityFilterChain configureSecure(HttpSecurity http) throws Exception {
         log.info("Using OAuth2-based SecurityFilterChain");
         return http.authorizeHttpRequests(auth -> auth.requestMatchers("/api/**")
-                .fullyAuthenticated()
-                .anyRequest()
-                .authenticated()).oauth2Login(Customizer.withDefaults()).csrf(AbstractHttpConfigurer::disable).build();
+                        .fullyAuthenticated()
+                        .anyRequest()
+                        .authenticated())
+                .oauth2Login(oauth -> oauth.userInfoEndpoint(info -> info.userService(this)))
+                .csrf(AbstractHttpConfigurer::disable)
+                .build();
     }
 
     @Bean
@@ -70,8 +79,6 @@ public SecurityFilterChain configureInsecure(HttpSecurity http) throws Exception
                 .permitAll()).httpBasic(Customizer.withDefaults()).userDetailsService(username -> new UserDetails() {
             // token for dev: ZGV2Og==
 
-            {}
-
             @Override
             public Collection<? extends GrantedAuthority> getAuthorities() {
                 return List.of();
@@ -88,4 +95,20 @@ public String getUsername() {
             }
         }).csrf(AbstractHttpConfigurer::disable).build();
     }
+
+    @EventListener
+    public void on(ApplicationStartedEvent ignored) {
+        setAttributesConverter(input -> source -> {
+            if (!source.containsKey("ocs")) return source;
+            var userId = new SpelExpressionParser().parseRaw("ocs.data.id")
+                    .getValue(SimpleEvaluationContext.forPropertyAccessors(new MapAccessor())
+                            .withRootObject(source)
+                            .build());
+            source.put(input.getClientRegistration()
+                    .getProviderDetails()
+                    .getUserInfoEndpoint()
+                    .getUserNameAttributeName(), userId);
+            return source;
+        });
+    }
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -17,3 +17,9 @@ spring:
       return-body-on-create: true
       return-body-on-update: true
       enable-enum-translation: true
+logging:
+  level:
+    root: info
+    de.kaleidox: debug
+    org.comroid: debug
+    com.ampznetwork: debug
