BE: Auth: impl opaque token auth (kafbat#948)

Author: germanosin

api/build.gradle

@@ -18,6 +18,7 @@ dependencies {
     implementation libs.spring.starter.actuator
     implementation libs.spring.starter.logging
     implementation libs.spring.starter.oauth2.client
+    implementation libs.spring.security.oauth2.resource.server
     implementation libs.spring.boot.actuator
     compileOnly libs.spring.boot.devtools
 

api/src/main/java/io/kafbat/ui/config/auth/OAuthProperties.java

@@ -6,13 +6,15 @@
 import java.util.Map;
 import java.util.Set;
 import lombok.Data;
+import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.util.Assert;
 
 @ConfigurationProperties("auth.oauth2")
 @Data
 public class OAuthProperties {
   private Map<String, OAuth2Provider> client = new HashMap<>();
+  private OAuth2ResourceServerProperties resourceServer = null;
 
   @PostConstruct
   public void init() {

api/src/main/java/io/kafbat/ui/config/auth/OAuthSecurityConfig.java

@@ -14,6 +14,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
 import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesMapper;
+import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -62,6 +63,20 @@ public SecurityWebFilterChain configure(ServerHttpSecurity http, OAuthLogoutSucc
         .logout(spec -> spec.logoutSuccessHandler(logoutHandler))
         .csrf(ServerHttpSecurity.CsrfSpec::disable);
 
+    if (properties.getResourceServer() != null) {
+      OAuth2ResourceServerProperties resourceServer = properties.getResourceServer();
+      if (resourceServer.getJwt() != null) {
+        builder.oauth2ResourceServer((c) -> c.jwt((j) -> j.jwkSetUri(resourceServer.getJwt().getJwkSetUri())));
+      } else if (resourceServer.getOpaquetoken() != null) {
+        OAuth2ResourceServerProperties.Opaquetoken opaquetoken = resourceServer.getOpaquetoken();
+        builder.oauth2ResourceServer(
+            (c) -> c.opaqueToken(
+              (o) -> o.introspectionUri(opaquetoken.getIntrospectionUri())
+                  .introspectionClientCredentials(opaquetoken.getClientId(), opaquetoken.getClientSecret())
+            )
+        );
+      }
+    }
 
     builder.addFilterAt(new StaticFileWebFilter(), SecurityWebFiltersOrder.LOGIN_PAGE_GENERATING);
 

gradle/libs.versions.toml

@@ -66,6 +66,7 @@ spring-boot-devtools = { module = 'org.springframework.boot:spring-boot-devtools
 spring-boot-configuration-processor = { module = 'org.springframework.boot:spring-boot-configuration-processor', version.ref = 'spring-boot' }
 
 spring-security-ldap = { module = 'org.springframework.security:spring-security-ldap' }
+spring-security-oauth2-resource-server = { module = 'org.springframework.security:spring-security-oauth2-resource-server'}
 
 swagger-integration-jakarta = { module = 'io.swagger.core.v3:swagger-integration-jakarta', version.ref = 'swagger-integration-jakarta' }
 lombok = { module = 'org.projectlombok:lombok', version.ref = 'lombok' }