(WIP) Fix kie-issues#1432: Add a SonataFlow Example for Token Exchange

serverless-workflow-examples/pom.xml

@@ -67,6 +67,7 @@
         <module>serverless-workflow-loanbroker-showcase</module>
         <module>serverless-workflow-newsletter-subscription</module>
         <module>serverless-workflow-oauth2-orchestration-quarkus</module>
+        <module>serverless-workflow-oauth2-token-exchange-quarkus</module>
         <module>serverless-workflow-order-processing</module>
         <module>serverless-workflow-parallel-execution</module>
         <module>serverless-workflow-qas-service-showcase</module>

serverless-workflow-examples/serverless-workflow-oauth2-token-exchange-quarkus/README.md

@@ -0,0 +1,12 @@
+# Serverless Workflow OAuth2 Token Exchange Example
+
+TODO:
+
+- Create the financial application for two users to show distinct statement datas
+- Create the workflow to ask for a loan: grab the statement info and verify if the user is able to receive the loan
+
+## References
+
+- [Running Keycloak in a container](https://www.keycloak.org/server/containers)
+- [Using Keycloak Authorization Services and Policy Enforcer to Protect JAX-RS Applications](https://github.com/quarkusio/quarkus-quickstarts/tree/main/security-keycloak-authorization-quickstart)
+- [Keycloak Docs - Audience Support](https://www.keycloak.org/docs/latest/server_admin/#_audience)

serverless-workflow-examples/serverless-workflow-oauth2-token-exchange-quarkus/acme-financial-service/.gitignore

@@ -0,0 +1,45 @@
+#Maven
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+release.properties
+.flattened-pom.xml
+
+# Eclipse
+.project
+.classpath
+.settings/
+bin/
+
+# IntelliJ
+.idea
+*.ipr
+*.iml
+*.iws
+
+# NetBeans
+nb-configuration.xml
+
+# Visual Studio Code
+.vscode
+.factorypath
+
+# OSX
+.DS_Store
+
+# Vim
+*.swp
+*.swo
+
+# patch
+*.orig
+*.rej
+
+# Local environment
+.env
+
+# Plugin directory
+/.quarkus/cli/plugins/
+# TLS Certificates
+.certs/

serverless-workflow-examples/serverless-workflow-oauth2-token-exchange-quarkus/acme-financial-service/README.md

@@ -0,0 +1,19 @@
+# Serverless Workflow OAuth2 Token Exchange Example
+
+```shell
+KEYCLOAK_ADDRESS=http://192.168.106.2:32769
+
+curl -X POST "${KEYCLOAK_ADDRESS}/realms/quarkus/protocol/openid-connect/token" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "grant_type=client_credentials" \
+    -d "client_id=quarkus-app" \
+    -d "client_secret=secret"
+```
+
+## References
+
+- [Using OpenID Connect (OIDC) and Keycloak to centralize authorization](https://quarkus.io/guides/security-keycloak-authorization)
+
+## Troubleshooting
+
+Problems with Colima on MacOs: https://github.com/testcontainers/testcontainers-java/issues/6450

serverless-workflow-examples/serverless-workflow-oauth2-token-exchange-quarkus/acme-financial-service/pom.xml

@@ -0,0 +1,164 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <artifactId>acme-financial-service</artifactId>
+    <version>1.0.0-SNAPSHOT</version>
+    <name>Kogito Example :: Serverless Workflow Oauth2 Token Exchange Example :: ACME Financial Service</name>
+
+    <parent>
+        <groupId>org.acme.workflow.oauth2</groupId>
+        <artifactId>serverless-workflow-oauth2-token-exchange-quarkus</artifactId>
+        <version>1.0.0-SNAPSHOT</version>
+    </parent>
+
+    <properties>
+        <compiler-plugin.version>3.13.0</compiler-plugin.version>
+        <maven.compiler.release>17</maven.compiler.release>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
+        <quarkus.platform.group-id>io.quarkus.platform</quarkus.platform.group-id>
+        <quarkus.platform.version>3.13.2</quarkus.platform.version>
+        <skipITs>true</skipITs>
+        <surefire-plugin.version>3.2.5</surefire-plugin.version>
+
+        <version.org.assertj>3.22.0</version.org.assertj>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>${quarkus.platform.group-id}</groupId>
+                <artifactId>${quarkus.platform.artifact-id}</artifactId>
+                <version>${quarkus.platform.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-arc</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-resteasy</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-resteasy-jackson</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-openapi</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-keycloak-authorization</artifactId>
+        </dependency>
+        <!-- Test Dependencies -->
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-junit5</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.rest-assured</groupId>
+            <artifactId>rest-assured</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+            <version>${version.org.assertj}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-test-keycloak-server</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>${quarkus.platform.group-id}</groupId>
+                <artifactId>quarkus-maven-plugin</artifactId>
+                <version>${quarkus.platform.version}</version>
+                <extensions>true</extensions>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>build</goal>
+                            <goal>generate-code</goal>
+                            <goal>generate-code-tests</goal>
+                            <goal>native-image-agent</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>${compiler-plugin.version}</version>
+                <configuration>
+                    <parameters>true</parameters>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>${surefire-plugin.version}</version>
+                <configuration>
+                    <systemPropertyVariables>
+                        <java.util.logging.manager>org.jboss.logmanager.LogManager</java.util.logging.manager>
+                        <maven.home>${maven.home}</maven.home>
+                    </systemPropertyVariables>
+                </configuration>
+            </plugin>
+            <plugin>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <version>${surefire-plugin.version}</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>integration-test</goal>
+                            <goal>verify</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <systemPropertyVariables>
+                        <native.image.path>${project.build.directory}/${project.build.finalName}-runner</native.image.path>
+                        <java.util.logging.manager>org.jboss.logmanager.LogManager</java.util.logging.manager>
+                        <maven.home>${maven.home}</maven.home>
+                    </systemPropertyVariables>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+
+    <profiles>
+        <profile>
+            <id>native</id>
+            <activation>
+                <property>
+                    <name>native</name>
+                </property>
+            </activation>
+            <properties>
+                <skipITs>false</skipITs>
+                <quarkus.native.enabled>true</quarkus.native.enabled>
+            </properties>
+        </profile>
+    </profiles>
+</project>

serverless-workflow-examples/serverless-workflow-oauth2-token-exchange-quarkus/acme-financial-service/src/main/java/org/acme/workflow/financial/service/AcmeFinancialApplication.java

@@ -0,0 +1,52 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.acme.workflow.financial.service;
+
+import org.eclipse.microprofile.openapi.annotations.Components;
+import org.eclipse.microprofile.openapi.annotations.OpenAPIDefinition;
+import org.eclipse.microprofile.openapi.annotations.enums.SecuritySchemeType;
+import org.eclipse.microprofile.openapi.annotations.info.Info;
+import org.eclipse.microprofile.openapi.annotations.security.OAuthFlow;
+import org.eclipse.microprofile.openapi.annotations.security.OAuthFlows;
+import org.eclipse.microprofile.openapi.annotations.security.SecurityScheme;
+
+/**
+ * Defines OpenAPI configurations for the Quarkus application, for more information you must see
+ * <a href="https://quarkus.io/guides/openapi-swaggerui>Using OpenAPI and Swagger UI</a>
+ */
+/**
+ * Defines OpenAPI configurations for the Quarkus application, for more information you must see
+ * <a href="https://quarkus.io/guides/openapi-swaggerui>Using OpenAPI and Swagger UI</a>
+ */
+@OpenAPIDefinition(
+        info = @Info(
+                title = "Acme Financial Service API",
+                version = "1.0.0"),
+        components = @Components(
+                securitySchemes = {
+                        @SecurityScheme(securitySchemeName = "acme-financial-oauth",
+                                type = SecuritySchemeType.OAUTH2,
+                                flows = @OAuthFlows(
+                                        clientCredentials = @OAuthFlow(
+                                                authorizationUrl = "http://localhost:9090/auth/realms/acme/protocol/openid-connect/auth",
+                                                tokenUrl = "http://localhost:9090/auth/realms/kogito/acme/openid-connect/token",
+                                                scopes = {})))
+                }))
+public class AcmeFinancialApplication extends jakarta.ws.rs.core.Application {
+}

serverless-workflow-examples/serverless-workflow-oauth2-token-exchange-quarkus/acme-financial-service/src/main/java/org/acme/workflow/financial/service/AcmeFinancialResource.java

@@ -0,0 +1,56 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.acme.workflow.financial.service;
+
+import io.quarkus.security.identity.SecurityIdentity;
+import jakarta.annotation.security.RolesAllowed;
+import jakarta.inject.Inject;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+import org.eclipse.microprofile.openapi.annotations.Operation;
+import org.eclipse.microprofile.openapi.annotations.security.SecurityRequirement;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.List;
+
+@Path("financial-service")
+public class AcmeFinancialResource {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(AcmeFinancialResource.class);
+
+    @Inject
+    SecurityIdentity identity;
+
+    @Inject
+    StatementsDB statementsDB;
+
+    @GET
+    @Path("statement")
+    @Produces(MediaType.APPLICATION_JSON)
+    @Operation(operationId = "getStatement")
+    @RolesAllowed("customer")
+    @SecurityRequirement(name = "acme-financial-oauth")
+    public List<StatementEntry> getStatement() {
+        LOGGER.info("Getting statement for user {}", identity.getPrincipal());
+        return statementsDB.getStatementEntries(identity.getPrincipal().getName());
+    }
+}