Merge pull request #170 from 1223v/login

Fix: 애플 로그인 secret key 파싱 jwt 토큰 방식 변경

Author: 1223v

build.gradle

@@ -48,6 +48,15 @@ dependencies {
     // swagger
     implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.0.2'
 
+    // Bouncy Castle Provider
+    implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
+
+    // Bouncy Castle PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL
+    implementation 'org.bouncycastle:bcpkix-jdk15on:1.70'
+
+    // Apache Commons IO
+    implementation 'commons-io:commons-io:2.11.0'
+
 //    //Querydsl 추가
 //    implementation 'com.querydsl:querydsl-core:5.0.0'
 //    implementation 'com.querydsl:querydsl-jpa:5.0.0:jakarta'

src/main/java/com/readyvery/readyverydemo/config/OauthConfig.java

@@ -7,6 +7,7 @@
 @Slf4j
 @Configuration
 public class OauthConfig {
+
 	public static final String KAKAO_NAME = "kakao";
 	public static final String APPLE_NAME = "apple";
 }

src/main/java/com/readyvery/readyverydemo/config/SpringSecurityConfig.java

@@ -11,6 +11,9 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
+import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
+import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.web.cors.CorsConfiguration;
@@ -23,6 +26,7 @@
 import com.readyvery.readyverydemo.security.exception.CustomAuthenticationEntryPoint;
 import com.readyvery.readyverydemo.security.jwt.filter.JwtAuthenticationProcessingFilter;
 import com.readyvery.readyverydemo.security.jwt.service.JwtService;
+import com.readyvery.readyverydemo.security.oauth2.CustomRequestEntityConverter;
 import com.readyvery.readyverydemo.security.oauth2.handler.OAuth2LoginFailureHandler;
 import com.readyvery.readyverydemo.security.oauth2.handler.OAuth2LoginSuccessHandler;
 import com.readyvery.readyverydemo.security.oauth2.service.CustomOAuth2UserService;
@@ -70,8 +74,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// [PART 3]
 			//== 소셜 로그인 설정 ==//
 			.oauth2Login(oauth2 -> oauth2
+				.tokenEndpoint(token -> token.accessTokenResponseClient(accessTokenResponseClient())) // 토큰 엔드포인트 설정
 				.successHandler(oAuth2LoginSuccessHandler) // 동의하고 계속하기를 눌렀을 때 Handler 설정
 				.failureHandler(oAuth2LoginFailureHandler) // 소셜 로그인 실패 시 핸들러 설정
+
 				.userInfoEndpoint(userInfo -> userInfo
 					.userService(customOAuth2UserService)))
 
@@ -126,4 +132,14 @@ public JwtAuthenticationProcessingFilter jwtAuthenticationProcessingFilter() {
 			userRepository, refreshTokenRepository);
 		return jwtAuthenticationFilter;
 	}
+
+	@Bean
+	public OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
+
+		DefaultAuthorizationCodeTokenResponseClient accessTokenResponseClient =
+			new DefaultAuthorizationCodeTokenResponseClient();
+		accessTokenResponseClient.setRequestEntityConverter(new CustomRequestEntityConverter());
+
+		return accessTokenResponseClient;
+	}
 }

src/main/java/com/readyvery/readyverydemo/security/oauth2/CustomRequestEntityConverter.java

@@ -0,0 +1,89 @@
+package com.readyvery.readyverydemo.security.oauth2;
+
+import java.io.IOException;
+import java.io.StringReader;
+import java.security.PrivateKey;
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.RequestEntity;
+import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
+import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter;
+import org.springframework.util.MultiValueMap;
+
+import io.jsonwebtoken.Jwts;
+import lombok.Getter;
+import lombok.extern.slf4j.Slf4j;
+
+@Slf4j
+@Getter
+public class CustomRequestEntityConverter implements Converter<OAuth2AuthorizationCodeGrantRequest, RequestEntity<?>> {
+
+	private OAuth2AuthorizationCodeGrantRequestEntityConverter defaultConverter;
+
+	public CustomRequestEntityConverter() {
+		defaultConverter = new OAuth2AuthorizationCodeGrantRequestEntityConverter();
+	}
+
+	@Value("${app.apple.url}")
+	private String appleUrl;
+
+	@Value("${app.apple.private-key}")
+	private String privateKeyString;
+	@Value("${app.apple.client-id}")
+	private String appleClientId;
+
+	@Value("${app.apple.team-id}")
+	private String appleTeamId;
+
+	@Value("${app.apple.key-id}")
+	private String appleKeyId;
+
+	@Override
+	public RequestEntity<?> convert(OAuth2AuthorizationCodeGrantRequest req) {
+		RequestEntity<?> entity = defaultConverter.convert(req);
+		String registrationId = req.getClientRegistration().getRegistrationId();
+		MultiValueMap<String, String> params = (MultiValueMap<String, String>)entity.getBody();
+		if (registrationId.contains("apple")) {
+			try {
+				params.set("client_secret", createClientSecret());
+			} catch (IOException e) {
+				throw new RuntimeException(e);
+			}
+		}
+		return new RequestEntity<>(params, entity.getHeaders(),
+			entity.getMethod(), entity.getUrl());
+	}
+
+	public PrivateKey getPrivateKey() throws IOException {
+		PEMParser pemParser = new PEMParser(new StringReader(privateKeyString));
+		PrivateKeyInfo object = (PrivateKeyInfo)pemParser.readObject();
+		JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+		return converter.getPrivateKey(object);
+	}
+
+	public String createClientSecret() throws IOException {
+		Date expirationDate = Date.from(LocalDateTime.now().plusDays(30).atZone(ZoneId.systemDefault()).toInstant());
+		Map<String, Object> jwtHeader = new HashMap<>();
+		jwtHeader.put("kid", appleKeyId);
+		jwtHeader.put("alg", "ES256");
+
+		return Jwts.builder()
+			.setHeaderParams(jwtHeader)
+			.setIssuer(appleTeamId)
+			.setIssuedAt(new Date(System.currentTimeMillis())) // 발행 시간 - UNIX 시간
+			.setExpiration(expirationDate) // 만료 시간
+			.setAudience(appleUrl)
+			.setSubject(appleClientId)
+			.signWith(getPrivateKey())
+			.compact();
+	}
+}

src/main/java/com/readyvery/readyverydemo/security/oauth2/OAuthAttributes.java

@@ -37,14 +37,11 @@ public OAuthAttributes(String nameAttributeKey, OAuth2UserInfo oauth2UserInfo) {
 	 */
 	public static OAuthAttributes of(SocialType socialType,
 		String userNameAttributeName, Map<String, Object> attributes) {
-		System.out.println("attributes = " + attributes);
+
 		if (socialType == SocialType.KAKAO) {
 			return ofKakao(userNameAttributeName, attributes);
 		}
-		if (socialType == SocialType.APPLE) {
 
-			return ofApple(userNameAttributeName, attributes);
-		}
 		return ofGoogle(userNameAttributeName, attributes);
 
 	}

src/main/java/com/readyvery/readyverydemo/security/oauth2/service/CustomOAuth2UserService.java

@@ -2,17 +2,23 @@
 
 import static com.readyvery.readyverydemo.config.OauthConfig.*;
 
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.stereotype.Service;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.readyvery.readyverydemo.domain.SocialType;
 import com.readyvery.readyverydemo.domain.UserInfo;
 import com.readyvery.readyverydemo.domain.repository.UserRepository;
@@ -31,42 +37,58 @@ public class CustomOAuth2UserService implements OAuth2UserService<OAuth2UserRequ
 
 	@Override
 	public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
-		System.out.println("userRequest = " + userRequest);
+		String registrationId = userRequest.getClientRegistration().getRegistrationId();
+		OAuth2UserService<OAuth2UserRequest, OAuth2User> delegate = new DefaultOAuth2UserService();
+
+		Map<String, Object> attributes;
 		/**
 		 * DefaultOAuth2UserService 객체를 생성하여, loadUser(userRequest)를 통해 DefaultOAuth2User 객체를 생성 후 반환
 		 * DefaultOAuth2UserService의 loadUser()는 소셜 로그인 API의 사용자 정보 제공 URI로 요청을 보내서
 		 * 사용자 정보를 얻은 후, 이를 통해 DefaultOAuth2User 객체를 생성 후 반환한다.
 		 * 결과적으로, OAuth2User는 OAuth 서비스에서 가져온 유저 정보를 담고 있는 유저
 		 */
-		OAuth2UserService<OAuth2UserRequest, OAuth2User> delegate = new DefaultOAuth2UserService();
-		OAuth2User oAuth2User = delegate.loadUser(userRequest);
-
-		/**
-		 * userRequest에서 registrationId 추출 후 registrationId으로 SocialType 저장
-		 * http://localhost:8080/oauth2/authorization/kakao에서 kakao가 registrationId
-		 * userNameAttributeName은 이후에 nameAttributeKey로 설정된다.
-		 */
-		String registrationId = userRequest.getClientRegistration().getRegistrationId();
-		SocialType socialType = getSocialType(registrationId);
-
-		String userNameAttributeName = userRequest.getClientRegistration()
-			.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName(); // OAuth2 로그인 시 키(PK)가 되는 값
-		Map<String, Object> attributes = oAuth2User.getAttributes(); // 소셜 로그인에서 API가 제공하는 userInfo의 Json 값(유저 정보들)
-
-		// socialType에 따라 유저 정보를 통해 OAuthAttributes 객체 생성
-
-		OAuthAttributes extractAttributes = OAuthAttributes.of(socialType, userNameAttributeName, attributes);
-
-		UserInfo createdUser = getUser(extractAttributes, socialType); // getUser() 메소드로 User 객체 생성 후 반환
-
-		// DefaultOAuth2User를 구현한 CustomOAuth2User 객체를 생성해서 반환
-		return new CustomOAuth2User(
-			Collections.singleton(new SimpleGrantedAuthority(createdUser.getRole().getKey())),
-			attributes,
-			extractAttributes.getNameAttributeKey(),
-			createdUser.getEmail(),
-			createdUser.getRole()
-		);
+		if (registrationId.contains(APPLE_NAME)) {
+			String idToken = userRequest.getAdditionalParameters().get("id_token").toString();
+			attributes = decodeJwtTokenPayload(idToken);
+			attributes.put("id_token", idToken);
+			Map<String, Object> userAttributes = new HashMap<>();
+			userAttributes.put("resultcode", "00");
+			userAttributes.put("message", "success");
+			userAttributes.put("response", attributes);
+
+			return new DefaultOAuth2User(Collections.singleton(new SimpleGrantedAuthority("ROLE_GUEST")),
+				userAttributes, "response");
+		} else {
+			OAuth2User oAuth2User = delegate.loadUser(userRequest);
+			attributes = oAuth2User.getAttributes();
+
+			/**
+			 * userRequest에서 registrationId 추출 후 registrationId으로 SocialType 저장
+			 * http://localhost:8080/oauth2/authorization/kakao에서 kakao가 registrationId
+			 * userNameAttributeName은 이후에 nameAttributeKey로 설정된다.
+			 */
+
+			SocialType socialType = getSocialType(registrationId);
+
+			String userNameAttributeName = userRequest.getClientRegistration()
+				.getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName(); // OAuth2 로그인 시 키(PK)가 되는값
+			attributes = oAuth2User.getAttributes(); // 소셜 로그인에서 API가 제공하는 userInfo의 Json 값(유저 정보들)
+
+			// socialType에 따라 유저 정보를 통해 OAuthAttributes 객체 생성
+
+			OAuthAttributes extractAttributes = OAuthAttributes.of(socialType, userNameAttributeName, attributes);
+
+			UserInfo createdUser = getUser(extractAttributes, socialType); // getUser() 메소드로 User 객체 생성 후 반환
+
+			// DefaultOAuth2User를 구현한 CustomOAuth2User 객체를 생성해서 반환
+			return new CustomOAuth2User(
+				Collections.singleton(new SimpleGrantedAuthority(createdUser.getRole().getKey())),
+				attributes,
+				extractAttributes.getNameAttributeKey(),
+				createdUser.getEmail(),
+				createdUser.getRole()
+			);
+		}
 	}
 
 	private SocialType getSocialType(String registrationId) {
@@ -103,4 +125,23 @@ private UserInfo saveUser(OAuthAttributes attributes, SocialType socialType) {
 		UserInfo createdUser = attributes.toEntity(socialType, attributes.getOauth2UserInfo());
 		return userRepository.save(createdUser);
 	}
+
+	private Map<String, Object> decodeJwtTokenPayload(String jwtToken) {
+		Map<String, Object> jwtClaims = new HashMap<>();
+		try {
+			String[] parts = jwtToken.split("\\.");
+			Base64.Decoder decoder = Base64.getUrlDecoder();
+
+			byte[] decodedBytes = decoder.decode(parts[1].getBytes(StandardCharsets.UTF_8));
+			String decodedString = new String(decodedBytes, StandardCharsets.UTF_8);
+			ObjectMapper mapper = new ObjectMapper();
+
+			Map<String, Object> map = mapper.readValue(decodedString, Map.class);
+			jwtClaims.putAll(map);
+
+		} catch (JsonProcessingException e) {
+			//        logger.error("decodeJwtToken: {}-{} / jwtToken : {}", e.getMessage(), e.getCause(), jwtToken);
+		}
+		return jwtClaims;
+	}
 }