supertokens · rishabhpoddar · Aug 5, 2024 · Jul 29, 2024 · Jul 29, 2024 · Jul 29, 2024
diff --git a/src/main/java/io/supertokens/config/CoreConfig.java b/src/main/java/io/supertokens/config/CoreConfig.java
@@ -275,15 +275,16 @@ public class CoreConfig {
                     " address.")
     private String ip_deny_regex = null;
 
-    @ConfigYamlOnly
+    @NotConflictingInApp
     @JsonProperty
     @HideFromDashboard
     @ConfigDescription(
             "If specified, the core uses this URL to connect to the OAuth provider public service.")
     private String oauth_provider_public_service_url = null;
 
-    @ConfigYamlOnly
+    @NotConflictingInApp
     @JsonProperty
+    @HideFromDashboard
     @ConfigDescription(
             "If specified, the core uses this URL to connect to the OAuth provider admin service.")
     private String oauth_provider_admin_service_url = null;

diff --git a/src/main/java/io/supertokens/httpRequest/HttpRequest.java b/src/main/java/io/supertokens/httpRequest/HttpRequest.java
@@ -152,12 +152,12 @@ public static <T> T sendGETRequestWithResponseHeaders(Main main, String requestI
             if (version != null) {
                 con.setRequestProperty("api-version", version + "");
             }
-
+            con.setInstanceFollowRedirects(false);
             int responseCode = con.getResponseCode();
 
             con.getHeaderFields().forEach((key, value) -> {
                 if (key != null) {
-                    responseHeaders.put(key, value.get(0));
+                    responseHeaders.put(key, value.get(0)); // TODO why the first element only? What happens with Set-Cookie headers? (Those are repeated if there are multiple cookies)
                 }
             });
 

diff --git a/src/main/java/io/supertokens/inmemorydb/Start.java b/src/main/java/io/supertokens/inmemorydb/Start.java
@@ -55,6 +55,7 @@
 import io.supertokens.pluginInterface.multitenancy.exceptions.DuplicateThirdPartyIdException;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.pluginInterface.multitenancy.sqlStorage.MultitenancySQLStorage;
+import io.supertokens.pluginInterface.oauth.sqlStorage.OAuthSQLStorage;
 import io.supertokens.pluginInterface.passwordless.PasswordlessCode;
 import io.supertokens.pluginInterface.passwordless.PasswordlessDevice;
 import io.supertokens.pluginInterface.passwordless.exception.*;
@@ -102,7 +103,7 @@ public class Start
         implements SessionSQLStorage, EmailPasswordSQLStorage, EmailVerificationSQLStorage, ThirdPartySQLStorage,
         JWTRecipeSQLStorage, PasswordlessSQLStorage, UserMetadataSQLStorage, UserRolesSQLStorage, UserIdMappingStorage,
         UserIdMappingSQLStorage, MultitenancyStorage, MultitenancySQLStorage, TOTPSQLStorage, ActiveUsersStorage,
-        ActiveUsersSQLStorage, DashboardSQLStorage, AuthRecipeSQLStorage {
+        ActiveUsersSQLStorage, DashboardSQLStorage, AuthRecipeSQLStorage, OAuthSQLStorage {
 
     private static final Object appenderLock = new Object();
     private static final String APP_ID_KEY_NAME = "app_id";
@@ -3007,4 +3008,23 @@ public int countUsersThatHaveMoreThanOneLoginMethodOrTOTPEnabledAndActiveSince(A
             throw new StorageQueryException(e);
         }
     }
+
+    @Override
+    public boolean doesClientIdExistForThisApp(AppIdentifier appIdentifier, String clientId)
+            throws StorageQueryException {
+        try {
+            return OAuthQueries.isClientIdForAppId(this, clientId, appIdentifier);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void addClientForApp(AppIdentifier appIdentifier, String clientId) throws StorageQueryException {
+        try {
+            OAuthQueries.insertClientIdForAppId(this, clientId, appIdentifier);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
 }
diff --git a/src/main/java/io/supertokens/inmemorydb/config/SQLiteConfig.java b/src/main/java/io/supertokens/inmemorydb/config/SQLiteConfig.java
@@ -164,4 +164,6 @@ public String getDashboardUsersTable() {
     public String getDashboardSessionsTable() {
         return "dashboard_user_sessions";
     }
+
+    public String getOAuthClientTable(){ return "oauth_clients"; }
 }
diff --git a/src/main/java/io/supertokens/inmemorydb/queries/GeneralQueries.java b/src/main/java/io/supertokens/inmemorydb/queries/GeneralQueries.java
@@ -423,6 +423,10 @@ public static void createTablesIfNotExists(Start start, Main main) throws SQLExc
             update(start, TOTPQueries.getQueryToCreateUsedCodesExpiryTimeIndex(start), NO_OP_SETTER);
         }
 
+        if (!doesTableExists(start, Config.getConfig(start).getOAuthClientTable())) {
+            getInstance(main).addState(CREATING_NEW_TABLE, null);
+            update(start, OAuthQueries.getQueryToCreateOAuthClientTable(start), NO_OP_SETTER);
+        }
     }
 
 

diff --git a/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java b/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java
@@ -0,0 +1,67 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.inmemorydb.queries;
+
+import io.supertokens.inmemorydb.Start;
+import io.supertokens.inmemorydb.config.Config;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.List;
+
+import static io.supertokens.inmemorydb.QueryExecutorTemplate.execute;
+import static io.supertokens.inmemorydb.QueryExecutorTemplate.update;
+
+public class OAuthQueries {
+
+    public static String getQueryToCreateOAuthClientTable(Start start) {
+        String oAuth2ClientTable = Config.getConfig(start).getOAuthClientTable();
+        // @formatter:off
+        return "CREATE TABLE IF NOT EXISTS " + oAuth2ClientTable + " ("
+                + "app_id VARCHAR(64) DEFAULT 'public',"
+                + "client_id VARCHAR(128) NOT NULL,"
+                + " PRIMARY KEY (app_id, client_id),"
+                + " FOREIGN KEY(app_id) REFERENCES " + Config.getConfig(start).getAppsTable() + "(app_id) ON DELETE CASCADE);";
+        // @formatter:on
+    }
+
+    public static boolean isClientIdForAppId(Start start, String clientId, AppIdentifier appIdentifier)
+            throws SQLException, StorageQueryException {
+        String QUERY = "SELECT app_id FROM " + Config.getConfig(start).getOAuthClientTable() +
+            " WHERE client_id = ? AND app_id = ?";
+
+        return execute(start, QUERY, pst -> {
+            pst.setString(1, clientId);
+            pst.setString(2, appIdentifier.getAppId());
+        }, ResultSet::next);
+    }
+
+    public static void insertClientIdForAppId(Start start, String clientId, AppIdentifier appIdentifier)
+            throws SQLException, StorageQueryException {
+        String INSERT = "INSERT INTO " + Config.getConfig(start).getOAuthClientTable()
+                + "(app_id, client_id) VALUES(?, ?)";
+        update(start, INSERT, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, clientId);
+        });
+    }
+
+}
diff --git a/src/main/java/io/supertokens/oauth/OAuth.java b/src/main/java/io/supertokens/oauth/OAuth.java
@@ -18,38 +18,100 @@
 
 import io.supertokens.Main;
 import io.supertokens.config.Config;
+import io.supertokens.httpRequest.HttpRequest;
+import io.supertokens.httpRequest.HttpResponseException;
+import io.supertokens.oauth.exceptions.OAuthAuthException;
 import io.supertokens.pluginInterface.Storage;
 import io.supertokens.pluginInterface.StorageUtils;
 import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
 import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.OAuthAuthResponse;
 import io.supertokens.pluginInterface.oauth.OAuthStorage;
 
+import java.io.IOException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.util.*;
+
 public class OAuth {
 
-    public static void getAuthorizationUrl(Main main, AppIdentifier appIdentifier, Storage storage, String clientId,
-                                           String redirectURI, String responseType, String scope, String state)
-            throws InvalidConfigException {
-        // TODO:
-        // - validate that client_id is present for this tenant
-        // - call hydra
-        // - if location header is:
-        //     - localhost:3000, then we redirect to apiDomain
-        //     - public url for hydra, then we throw a 400 error with the right json
-        //     - else we redirect back to the client
+    private static final String LOCATION_HEADER_NAME = "Location";
+    private static final String COOKIES_HEADER_NAME = "Set-Cookie";
+    private static final String ERROR_LITERAL = "error=";
+    private static final String ERROR_DESCRIPTION_LITERAL = "error_description=";
+
+
+    public static OAuthAuthResponse getAuthorizationUrl(Main main, AppIdentifier appIdentifier, Storage storage, String clientId,
+                                                        String redirectURI, String responseType, String scope, String state)
+            throws InvalidConfigException, HttpResponseException, IOException, OAuthAuthException, StorageQueryException,
+            TenantOrAppNotFoundException {
 
         OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
 
         String redirectTo = null;
+        List<String> cookies = null;
+
+        String publicOAuthProviderServiceUrl = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderPublicServiceUrl();
 
         if (!oauthStorage.doesClientIdExistForThisApp(appIdentifier, clientId)) {
-            redirectTo = Config.getBaseConfig(main).getOAuthProviderPublicServiceUrl() +
-                    "/oauth2/fallbacks/error?error=invalid_client&error_description=Client+authentication+failed+%28e" +
-                    ".g.%2C+unknown+client%2C+no+client+authentication+included%2C+or+unsupported+authentication" +
-                    "+method%29.+The+requested+OAuth+2.0+Client+does+not+exist.";
+            throw new OAuthAuthException("invalid_client", "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The requested OAuth 2.0 Client does not exist.");
         } else {
             // we query hydra
+            Map<String, String> queryParamsForHydra = constructHydraRequestParamsForAuthorizationGETAPICall(clientId, redirectURI, responseType, scope, state);
+            Map<String, String> responseHeaders = new HashMap<>();
+
+            //TODO maybe check response status code? Have to modify sendGetRequest.. for that
+            HttpRequest.sendGETRequestWithResponseHeaders(main, "", Config.getBaseConfig(main).getOAuthProviderPublicServiceUrl() + "/oauth2/auth", queryParamsForHydra, 10000, 10000, null, responseHeaders);
+
+            if(!responseHeaders.isEmpty() && responseHeaders.containsKey(LOCATION_HEADER_NAME)) {
+                String locationHeaderValue = responseHeaders.get(LOCATION_HEADER_NAME);
+
+                if (locationHeaderValue.contains(publicOAuthProviderServiceUrl)){
+                    String error = getValueOfQueryParam(locationHeaderValue, ERROR_LITERAL);
+                    String errorDescription = getValueOfQueryParam(locationHeaderValue, ERROR_DESCRIPTION_LITERAL);
+                    throw new OAuthAuthException(error, errorDescription);
+                }
+
+                if (locationHeaderValue.contains("localhost:3000") || locationHeaderValue.contains("127.0.0.1:3000")) {
+                    redirectTo = locationHeaderValue.replace("localhost:3000", "{apiDomain}").replace("127.0.0.1:3000", "{apiDomain}");
+                } else {
+                    redirectTo = locationHeaderValue;
+                }
+            }
+            if(responseHeaders.containsKey(COOKIES_HEADER_NAME)){
+                String allCookies = responseHeaders.get(COOKIES_HEADER_NAME);
+
+                cookies = Collections.singletonList(allCookies);
+            }
         }
 
-        // TODO: parse url resposne and send appropriate reply from this API.
+        return new OAuthAuthResponse(redirectTo, cookies);
+    }
+
+    private static Map<String, String> constructHydraRequestParamsForAuthorizationGETAPICall(String clientId,
+                                                                                             String redirectURI, String responseType, String scope, String state) {
+        Map<String, String> queryParamsForHydra = new HashMap<>();
+        queryParamsForHydra.put("client_id", clientId);
+        queryParamsForHydra.put("redirect_uri", redirectURI);
+        queryParamsForHydra.put("scope", scope);
+        queryParamsForHydra.put("response_type", responseType);
+        queryParamsForHydra.put("state", state);
+        return  queryParamsForHydra;
+    }
+
+    private static String getValueOfQueryParam(String url, String queryParam){
+        String valueOfQueryParam = "";
+        if(!queryParam.endsWith("=")){
+            queryParam = queryParam + "=";
+        }
+        int startIndex = url.indexOf(queryParam) + queryParam.length(); // start after the '=' sign
+        int endIndex = url.indexOf("&", startIndex);
+        if (endIndex == -1){
+            endIndex = url.length();
+        }
+        valueOfQueryParam = url.substring(startIndex, endIndex); // substring the url from the '=' to the next '&' or to the end of the url if there are no more &s
+        return URLDecoder.decode(valueOfQueryParam, StandardCharsets.UTF_8);
     }
 }
diff --git a/src/main/java/io/supertokens/oauth/exceptions/OAuthAuthException.java b/src/main/java/io/supertokens/oauth/exceptions/OAuthAuthException.java
@@ -0,0 +1,30 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.oauth.exceptions;
+
+public class OAuthAuthException extends Exception{
+    private static final long serialVersionUID = 1836718299845759897L;
+
+    public final String error;
+    public final String errorDescription;
+
+    public OAuthAuthException(String error, String errorDescription) {
+        this.error = error;
+        this.errorDescription = errorDescription;
+    }
+
+}
diff --git a/src/main/java/io/supertokens/webserver/Webserver.java b/src/main/java/io/supertokens/webserver/Webserver.java
@@ -39,6 +39,7 @@
 import io.supertokens.webserver.api.multitenancy.*;
 import io.supertokens.webserver.api.multitenancy.thirdparty.CreateOrUpdateThirdPartyConfigAPI;
 import io.supertokens.webserver.api.multitenancy.thirdparty.RemoveThirdPartyConfigAPI;
+import io.supertokens.webserver.api.oauth.OAuthAuthAPI;
 import io.supertokens.webserver.api.passwordless.*;
 import io.supertokens.webserver.api.session.*;
 import io.supertokens.webserver.api.thirdparty.GetUsersByEmailAPI;
@@ -267,6 +268,8 @@ private void setupRoutes() {
         addAPI(new RequestStatsAPI(main));
         addAPI(new GetTenantCoreConfigForDashboardAPI(main));
 
+        addAPI(new OAuthAuthAPI(main));
+
         StandardContext context = tomcatReference.getContext();
         Tomcat tomcat = tomcatReference.getTomcat();