OIDC config Refactoring (helidon-io#3277)

* OIDC support for client secret post authentication method (+ refactoring to WebClient)
* Fix web client services - not impacted by new changes to builder
* The correct authentication type is Basic, not basic.
* IDCS role mapper based on reactive code
* Fix bearer test, first letter should be capitalized

Signed-off-by: Tomas Langer <tomas.langer@oracle.com>

Author: tomas-langer

config/yaml/pom.xml

@@ -50,13 +50,6 @@
             <groupId>jakarta.annotation</groupId>
             <artifactId>jakarta.annotation-api</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.microprofile.config</groupId>
-            <artifactId>microprofile-config-api</artifactId>
-            <!-- this does not work correctly with JPMS and usage of service loader -->
-<!--            <scope>provided</scope>-->
-<!--            <optional>true</optional>-->
-        </dependency>
         <dependency>
             <groupId>io.helidon.config</groupId>
             <artifactId>helidon-config-testing</artifactId>

docs/mp/guides/05_security-oidc.adoc

@@ -246,7 +246,7 @@ security:
     - abac:
       # Adds ABAC Provider - it does not require any configuration
     - oidc:
-        redirect-uri: "/oidc/redirect/*"
+        redirect-uri: "/oidc/redirect"
         audience: "account"
         client-id: "myClientID"   // <1>
         client-secret: "Client secret generated into Keycloak client credential"  // <2>

examples/security/idcs-login/pom.xml

@@ -82,14 +82,13 @@
             <artifactId>helidon-security-integration-webserver</artifactId>
         </dependency>
         <dependency>
-            <!-- Config API + yaml support -->
-            <groupId>io.helidon.bundles</groupId>
-            <artifactId>helidon-bundles-config</artifactId>
+            <!-- Encryption of secrets -->
+            <groupId>io.helidon.config</groupId>
+            <artifactId>helidon-config-encryption</artifactId>
         </dependency>
         <dependency>
-            <!-- Encryption of secrets + reference support in Config -->
             <groupId>io.helidon.config</groupId>
-            <artifactId>helidon-config-encryption</artifactId>
+            <artifactId>helidon-config-yaml</artifactId>
         </dependency>
         <dependency>
             <groupId>org.jboss</groupId>

examples/security/idcs-login/src/main/resources/logging.properties

@@ -15,6 +15,10 @@
 #
 
 handlers=io.helidon.common.HelidonConsoleHandler
+
+# HelidonConsoleHandler uses a SimpleFormatter subclass that replaces "!thread!" with the current thread
+java.util.logging.SimpleFormatter.format=%1$tY.%1$tm.%1$td %1$tH:%1$tM:%1$tS %4$s %3$s !thread!: %5$s%6$s%n
+
 .level=INFO
 AUDIT.level=FINEST
 io.helidon.security.providers.oidc.level=FINEST

security/integration/webserver/src/main/java/io/helidon/security/integration/webserver/SecurityHandler.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2020 Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2021 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@
 import java.util.logging.Logger;
 
 import io.helidon.common.http.Http;
+import io.helidon.common.http.HttpRequest;
 import io.helidon.config.Config;
 import io.helidon.security.AuditEvent;
 import io.helidon.security.AuthenticationResponse;
@@ -46,6 +47,7 @@
 import io.helidon.security.SecurityRequest;
 import io.helidon.security.SecurityRequestBuilder;
 import io.helidon.security.SecurityResponse;
+import io.helidon.security.Subject;
 import io.helidon.security.integration.common.AtnTracing;
 import io.helidon.security.integration.common.AtzTracing;
 import io.helidon.security.integration.common.SecurityTracing;
@@ -577,16 +579,21 @@ private CompletionStage<AtxResult> processAuthorization(ServerRequest req,
         Set<String> rolesSet = rolesAllowed.orElse(Set.of());
 
         if (!rolesSet.isEmpty()) {
+            /*
+            As this part bypasses authorization providers, audit logging is not done, we need to explicitly audit this!
+             */
             // first validate roles - RBAC is supported out of the box by security, no need to invoke provider
             if (explicitAuthorizer.isPresent()) {
                 if (rolesSet.stream().noneMatch(role -> context.isUserInRole(role, explicitAuthorizer.get()))) {
+                    auditRoleMissing(context, req.path(), context.user(), rolesSet);
                     abortRequest(res, null, Http.Status.FORBIDDEN_403.code(), Map.of());
                     future.complete(AtxResult.STOP);
                     atzTracing.finish();
                     return future;
                 }
             } else {
                 if (rolesSet.stream().noneMatch(context::isUserInRole)) {
+                    auditRoleMissing(context, req.path(), context.user(), rolesSet);
                     abortRequest(res, null, Http.Status.FORBIDDEN_403.code(), Map.of());
                     future.complete(AtxResult.STOP);
                     atzTracing.finish();
@@ -643,6 +650,18 @@ private CompletionStage<AtxResult> processAuthorization(ServerRequest req,
         return future;
     }
 
+    private void auditRoleMissing(SecurityContext context,
+                                  HttpRequest.Path path,
+                                  Optional<Subject> user,
+                                  Set<String> rolesSet) {
+
+        context.audit(SecurityAuditEvent.failure(AuditEvent.AUTHZ_TYPE_PREFIX + ".authorize",
+                                                 "User is not in any of the required roles: %s. Path %s. Subject %s")
+                              .addParam(AuditEvent.AuditParam.plain("roles", rolesSet))
+                              .addParam(AuditEvent.AuditParam.plain("path", path))
+                              .addParam(AuditEvent.AuditParam.plain("subject", user)));
+    }
+
     /**
      * List of query parameter handlers.
      *
@@ -839,6 +858,7 @@ private AtxResult(SecurityRequest ignored) {
     // WARNING: builder methods must not have side-effects, as they are used to build instance from configuration
     // if you want side effects, use methods on SecurityHandler
     private static final class Builder implements io.helidon.common.Builder<SecurityHandler> {
+        private final List<QueryParamHandler> queryParamHandlers = new LinkedList<>();
         private Optional<Set<String>> rolesAllowed = Optional.empty();
         private Optional<ClassToInstanceStore<Object>> customObjects = Optional.empty();
         private Optional<Config> config = Optional.empty();
@@ -850,7 +870,6 @@ private static final class Builder implements io.helidon.common.Builder<Security
         private Optional<Boolean> audited = Optional.empty();
         private Optional<String> auditEventType = Optional.empty();
         private Optional<String> auditMessageFormat = Optional.empty();
-        private final List<QueryParamHandler> queryParamHandlers = new LinkedList<>();
         private boolean combined;
 
         private Builder() {
@@ -1030,10 +1049,10 @@ Builder audit(boolean audited) {
 
         Builder rolesAllowed(Collection<String> roles) {
             rolesAllowed.ifPresentOrElse(strings -> strings.addAll(roles),
-                                                              () -> {
-                                                                  Set<String> newRoles = new HashSet<>(roles);
-                                                                  rolesAllowed = Optional.of(newRoles);
-                                                              });
+                                         () -> {
+                                             Set<String> newRoles = new HashSet<>(roles);
+                                             rolesAllowed = Optional.of(newRoles);
+                                         });
             return this;
         }
     }

security/providers/http-auth/src/main/java/io/helidon/security/providers/httpauth/HttpBasicOutboundConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 Oracle and/or its affiliates.
+ * Copyright (c) 2020, 2021 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,7 +36,7 @@ public class HttpBasicOutboundConfig {
      */
     public static final TokenHandler DEFAULT_TOKEN_HANDLER = TokenHandler.builder()
             .tokenHeader("Authorization")
-            .tokenPrefix("basic ")
+            .tokenPrefix("Basic ")
             .build();
 
     private final TokenHandler tokenHandler;

security/providers/idcs-mapper/pom.xml

@@ -76,7 +76,7 @@
         </dependency>
         <dependency>
             <groupId>org.hamcrest</groupId>
-            <artifactId>hamcrest-core</artifactId>
+            <artifactId>hamcrest-all</artifactId>
             <scope>test</scope>
         </dependency>
     </dependencies>

security/providers/idcs-mapper/src/main/java/io/helidon/security/providers/idcs/mapper/IdcsMtRoleMapperProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2019, 2020 Oracle and/or its affiliates.
+ * Copyright (c) 2019, 2021 Oracle and/or its affiliates.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -49,7 +49,10 @@
 /**
  * {@link io.helidon.security.spi.SubjectMappingProvider} to obtain roles from IDCS server for a user.
  * Supports multi tenancy in IDCS.
+ *
+ * @deprecated use {@link io.helidon.security.providers.idcs.mapper.IdcsMtRoleMapperRxProvider} instead
  */
+@Deprecated(forRemoval = true, since = "2.4.0")
 public class IdcsMtRoleMapperProvider extends IdcsRoleMapperProviderBase {
     /**
      * Name of the header containing the IDCS tenant. This is the default used, can be overriden