Migrate and use OAuth 2.0 Login

README.adoc

@@ -52,6 +52,34 @@ security.oauth2.main.clientSecret=Value from Client Secret
 security.oauth2.pivotal-cla.tokenSecret=A Personal Access Token with public_repo scope
 ----
 
+== Configure properties for OAuth 2.0 Login
+
+This application uses the https://docs.spring.io/spring-security/site/docs/5.0.0.RELEASE/reference/htmlsingle/#jc-oauth2login[OAuth 2.0 Login] feature in Spring Security 5.
+
+Modify *application-local.properties* and append the following properties:
+
+.src/main/resources/application-local.properties
+[source]
+----
+security.oauth2.main.clientId=Value from Client ID
+security.oauth2.main.clientSecret=Value from Client Secret
+security.oauth2.pivotal-cla.tokenSecret=A Personal Access Token with public_repo scope
+
+spring.security.oauth2.client.registration.cla-user.provider=github
+spring.security.oauth2.client.registration.cla-user.clientId=${security.oauth2.main.clientId}
+spring.security.oauth2.client.registration.cla-user.clientSecret=${security.oauth2.main.clientSecret}
+spring.security.oauth2.client.registration.cla-user.redirectUriTemplate={baseUrl}/login/oauth2/github
+spring.security.oauth2.client.registration.cla-user.scope=user:email
+spring.security.oauth2.client.registration.cla-user.clientName=GitHub
+
+spring.security.oauth2.client.registration.cla-admin.provider=github
+spring.security.oauth2.client.registration.cla-admin.clientId=${security.oauth2.main.clientId}
+spring.security.oauth2.client.registration.cla-admin.clientSecret=${security.oauth2.main.clientSecret}
+spring.security.oauth2.client.registration.cla-admin.redirectUriTemplate={baseUrl}/login/oauth2/github
+spring.security.oauth2.client.registration.cla-admin.scope=user:email, repo:status, admin:repo_hook, admin:org_hook, read:org
+spring.security.oauth2.client.registration.cla-admin.clientName=GitHub Admin
+----
+
 == Setup ngrok
 
 If you are needing to test receiving GitHub events, you will probably want to setup https://ngrok.com/#download[ngrok].

build.gradle

@@ -48,6 +48,7 @@ dependencies {
 	compile('org.springframework.cloud:spring-cloud-spring-service-connector')
  	compile('org.springframework.cloud:spring-cloud-cloudfoundry-connector')
 	compile('org.springframework.session:spring-session-data-redis')
+	compile('org.springframework.security:spring-security-oauth2-client')
 	compile('org.eclipse.mylyn.github:org.eclipse.egit.github.core:2.1.5')
 	compile('org.webjars:webjars-locator-core')
 	compile('org.webjars:bootstrap:3.3.6')

src/main/java/io/pivotal/cla/config/SecurityConfig.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,14 +15,12 @@
  */
 package io.pivotal.cla.config;
 
-import java.io.IOException;
-import java.util.LinkedHashMap;
-
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
+import io.pivotal.cla.data.User;
+import io.pivotal.cla.mvc.util.UrlBuilder;
+import io.pivotal.cla.security.GitHubAuthenticationSuccessHandler;
+import io.pivotal.cla.service.github.GitHubOAuth2UserService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.InsufficientAuthenticationException;
@@ -32,9 +30,13 @@
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
+import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
 import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;
@@ -43,8 +45,11 @@
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.web.cors.CorsUtils;
 
-import io.pivotal.cla.data.User;
-import io.pivotal.cla.security.GitHubAuthenticationEntryPoint;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.LinkedHashMap;
 
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
@@ -77,7 +82,27 @@ protected void configure(HttpSecurity http) throws Exception {
 				.anyRequest().authenticated()
 				.and()
 			.logout()
-				.logoutSuccessUrl("/?logout");
+				.logoutSuccessUrl("/?logout")
+				.and()
+			.oauth2Login()
+				.redirectionEndpoint()
+					.baseUri("/login/oauth2/*")
+					.and()
+				.userInfoEndpoint()
+					.userService(this.gitHubOAuth2UserService())
+					.and()
+				.successHandler(this.gitHubAuthenticationSuccessHandler());
+
+	}
+
+	@Bean
+	public OAuth2UserService<OAuth2UserRequest, OAuth2User> gitHubOAuth2UserService() {
+		return new GitHubOAuth2UserService();
+	}
+
+	@Bean
+	public AuthenticationSuccessHandler gitHubAuthenticationSuccessHandler() {
+		return new GitHubAuthenticationSuccessHandler();
 	}
 
 	static class AdminRequestedAccessDeniedHandler implements AccessDeniedHandler {
@@ -117,16 +142,17 @@ private User getUser(Authentication authentication) {
 		}
 	}
 
-
 	private AuthenticationEntryPoint entryPoint() {
 		LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
 		entryPoints.put(new AntPathRequestMatcher("/github/hooks/**"), new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
-		entryPoints.put(new AntPathRequestMatcher("/admin/**"), new GitHubAuthenticationEntryPoint(oauthConfig.getMain(), "user:email,repo:status,admin:repo_hook,admin:org_hook,read:org"));
+		entryPoints.put(new AntPathRequestMatcher("/admin/**"),
+				(request, response, authException) -> response.sendRedirect(UrlBuilder.fromRequest(request).authorizationUrl("cla-admin")));
+
 		BasicAuthenticationEntryPoint basicEntryPoint = new BasicAuthenticationEntryPoint();
 		basicEntryPoint.setRealmName("Pivotal CLA");
 		entryPoints.put(new AntPathRequestMatcher("/manage/**"), basicEntryPoint);
 		DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(entryPoints);
-		entryPoint.setDefaultEntryPoint(new GitHubAuthenticationEntryPoint(oauthConfig.getMain(), "user:email"));
+		entryPoint.setDefaultEntryPoint((request, response, authException) -> response.sendRedirect(UrlBuilder.fromRequest(request).authorizationUrl("cla-user")));
 		return entryPoint;
 	}
-}
+}

src/main/java/io/pivotal/cla/data/User.java

@@ -40,7 +40,8 @@ public class User implements Serializable {
 	@Column(name = "github_login")
 	String gitHubLogin;
 
-	String name;
+	@Column(name = "name")
+	String fullName;
 
 	String accessToken;
 

src/main/java/io/pivotal/cla/mvc/CclaController.java

@@ -70,7 +70,7 @@ public String claForm(@AuthenticationPrincipal User user, SignCorporateClaForm s
 		}
 
 		signCorporateClaForm.setSigned(signed != null);
-		signCorporateClaForm.setName(user.getName());
+		signCorporateClaForm.setName(user.getFullName());
 		signCorporateClaForm.setClaId(cla.getId());
 		signCorporateClaForm.setRepositoryId(repositoryId);
 		signCorporateClaForm.setPullRequestId(pullRequestId);

src/main/java/io/pivotal/cla/mvc/IclaController.java

@@ -59,7 +59,7 @@ public String claForm(@AuthenticationPrincipal User user, @ModelAttribute SignCl
 			cla = cla.getSupersedingCla();
 		}
 		signClaForm.setSigned(signed != null);
-		signClaForm.setName(user.getName());
+		signClaForm.setName(user.getFullName());
 		signClaForm.setClaId(cla.getId());
 		model.put("cla", cla);
 

src/main/java/io/pivotal/cla/mvc/util/UrlBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,8 +43,8 @@ private UrlBuilder(HttpServletRequest request) {
 		this.request = request;
 	}
 
-	public String callbackUrl() {
-		return path("/login/oauth2/github").build();
+	public String authorizationUrl(String registrationId) {
+		return path("/oauth2/authorization/" + registrationId).build();
 	}
 
 	public UrlBuilder param(String name, String value) {