wip

src/main/java/stirling/software/SPDF/config/security/CustomLogoutSuccessHandler.java

@@ -156,8 +156,7 @@ public class CustomLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {
         String clientId = null;
         OAUTH2 oauth = applicationProperties.getSecurity().getOauth2();
 
-        if (authentication instanceof OAuth2AuthenticationToken) {
+        if (authentication instanceof OAuth2AuthenticationToken oauthToken) {
-            OAuth2AuthenticationToken oauthToken = (OAuth2AuthenticationToken) authentication;
             registrationId = oauthToken.getAuthorizedClientRegistrationId();
 
             try {

src/main/java/stirling/software/SPDF/config/security/oauth2/CustomOAuth2UserService.java

@@ -43,6 +43,7 @@ public class CustomOAuth2UserService implements OAuth2UserService<OidcUserReques
     public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
         OAUTH2 oauth2 = applicationProperties.getSecurity().getOauth2();
         String usernameAttribute = oauth2.getUseAsUsername();
+
         if (usernameAttribute == null || usernameAttribute.trim().isEmpty()) {
             Client client = oauth2.getClient();
             if (client != null && client.getKeycloak() != null) {

src/main/java/stirling/software/SPDF/config/security/oauth2/OAuth2Configuration.java

@@ -31,10 +31,7 @@ import stirling.software.SPDF.model.provider.KeycloakProvider;
 
 @Configuration
 @Slf4j
-@ConditionalOnProperty(
+@ConditionalOnProperty(value = "security.oauth2.enabled", havingValue = "true")
-        value = "security.oauth2.enabled",
-        havingValue = "true"
-)
 public class OAuth2Configuration {
 
     private final ApplicationProperties applicationProperties;
@@ -47,16 +44,14 @@ public class OAuth2Configuration {
     }
 
     @Bean
-    @ConditionalOnProperty(
+    @ConditionalOnProperty(value = "security.oauth2.enabled", havingValue = "true")
-            value = "security.oauth2.enabled",
-            havingValue = "true",
-            matchIfMissing = false)
     public ClientRegistrationRepository clientRegistrationRepository() {
         List<ClientRegistration> registrations = new ArrayList<>();
         githubClientRegistration().ifPresent(registrations::add);
         oidcClientRegistration().ifPresent(registrations::add);
         googleClientRegistration().ifPresent(registrations::add);
         keycloakClientRegistration().ifPresent(registrations::add);
+
         if (registrations.isEmpty()) {
             log.error("At least one OAuth2 provider must be configured");
             System.exit(1);
@@ -168,6 +163,10 @@ public class OAuth2Configuration {
                         .scope(oauth.getScopes())
                         .userNameAttributeName(oauth.getUseAsUsername())
                         .clientName("OIDC")
+                        .redirectUri("{baseUrl}/login/oauth2/code/oidc")
+                        .authorizationGrantType(
+                                org.springframework.security.oauth2.core.AuthorizationGrantType
+                                        .AUTHORIZATION_CODE)
                         .build());
     }
 

src/main/resources/settings.yml.template

@@ -12,16 +12,16 @@
 
 
 security:
-  enableLogin: false # set to 'true' to enable login
+  enableLogin: true # set to 'true' to enable login
   csrfDisabled: false # set to 'true' to disable CSRF protection (not recommended for production)
   loginAttemptCount: 5 # lock user account after 5 tries; when using e.g. Fail2Ban you can deactivate the function with -1
   loginResetTimeMinutes: 120 # lock account for 2 hours after x attempts
-  loginMethod: all # Accepts values like 'all' and 'normal'(only Login with Username/Password), 'oauth2'(only Login with OAuth2) or 'saml2'(only Login with SAML2) 
+  loginMethod: oauth2 # Accepts values like 'all' and 'normal'(only Login with Username/Password), 'oauth2'(only Login with OAuth2) or 'saml2'(only Login with SAML2)
   initialLogin:
     username: '' # initial username for the first login
     password: '' # initial password for the first login
   oauth2:
-    enabled: false # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
+    enabled: true # set to 'true' to enable login (Note: enableLogin must also be 'true' for this to work)
     client:
       keycloak:
         issuer: '' # URL of the Keycloak realm's OpenID Connect Discovery endpoint
@@ -39,14 +39,14 @@ security:
         clientSecret: '' # client secret for GitHub OAuth2
         scopes: read:user # scope for GitHub OAuth2
         useAsUsername: login # field to use as the username for GitHub OAuth2
-    issuer: '' # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) endpoint
+    issuer: 'https://authentik.dev.stirlingpdf.com/application/o/stirlingpdf-oauth/' # set to any provider that supports OpenID Connect Discovery (/.well-known/openid-configuration) endpoint
-    clientId: '' # client ID from your provider
+    clientId: '5ibI9Ud5cRNFIcS1gIJME0shO6VZOy6Ae6XUrZL0' # client ID from your provider
-    clientSecret: '' # client secret from your provider
+    clientSecret: 'DFSD3B7MKLkWuEAasxxm2hghuzulPr37jdkrojPsGBz9MGwkfc' # client secret from your provider
     autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users
     blockRegistration: false # set to 'true' to deny login with SSO without prior registration by an admin
     useAsUsername: email # default is 'email'; custom fields can be used as the username
     scopes: openid, profile, email # specify the scopes for which the application will request permissions
-    provider: google # set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
+    provider: authentik # set this to your OAuth provider's name, e.g., 'google' or 'keycloak'
   saml2:
     enabled: false # Only enabled for paid enterprise clients (enterpriseEdition.enabled must be true)
     autoCreateUser: true # set to 'true' to allow auto-creation of non-existing users