Add OAuth2redirectTest

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2/authorizationservice/MembraneAuthorizationService.java

@@ -165,6 +165,8 @@ private void parseSrc(InputStream resolve) throws IOException {
 
         // without checks
         tokenEndpoint = (String) json.get("token_endpoint");
+        if (tokenEndpoint == null)
+            throw new RuntimeException("No token_endpoint could be detected.");
         userInfoEndpoint = (String) json.get("userinfo_endpoint");
         authorizationEndpoint = (String) json.get("authorization_endpoint");
         revocationEndpoint = (String) json.get("revocation_endpoint");

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/rf/OAuth2CallbackRequestHandler.java

@@ -25,7 +25,9 @@
 import com.predic8.membrane.core.interceptor.oauth2client.*;
 import com.predic8.membrane.core.interceptor.oauth2client.rf.token.*;
 import com.predic8.membrane.core.interceptor.session.*;
+import com.predic8.membrane.core.transport.http.HttpClient;
 import com.predic8.membrane.core.util.*;
+import org.apache.http.impl.client.DefaultHttpClient;
 import org.slf4j.*;
 
 import java.math.*;
@@ -38,6 +40,7 @@
 import static com.predic8.membrane.core.interceptor.oauth2client.rf.JsonUtils.isJson;
 import static com.predic8.membrane.core.interceptor.oauth2client.rf.StateManager.*;
 import static com.predic8.membrane.core.interceptor.oauth2client.temp.OAuth2Constants.*;
+import static java.util.List.of;
 
 public class OAuth2CallbackRequestHandler {
     private static final Logger log = LoggerFactory.getLogger(OAuth2CallbackRequestHandler.class);
@@ -196,16 +199,20 @@ private Map<String, Object> exchangeCodeForToken(String tokenEndpoint, String pu
         });
     }
 
-    private static void doRedirect(Exchange exc, AbstractExchangeSnapshot originalRequest, Session session) throws JsonProcessingException {
-        if (originalRequest.getRequest().getMethod().equals("GET")) {
-            exc.setResponse(Response.redirect(originalRequest.getOriginalRequestUri(), false).build());
-        } else {
-            String oa2redirect = new BigInteger(130, new SecureRandom()).toString(32);
-
-            session.put(OAuthUtils.oa2redictKeyNameInSession(oa2redirect), new ObjectMapper().writeValueAsString(originalRequest));
-
-            String delimiter = originalRequest.getOriginalRequestUri().contains("?") ? "&" : "?";
-            exc.setResponse(Response.redirect(originalRequest.getOriginalRequestUri() + delimiter + OA2REDIRECT + "=" + oa2redirect, false).build());
+    private static void doRedirect(Exchange exc, AbstractExchangeSnapshot originalRequest, Session session) throws Exception {
+        try (HttpClient hc = new HttpClient()) {
+            Exchange ogExc = (Exchange) originalRequest.toAbstractExchange();
+            //exc.setResponse(Response.redirect(originalRequest.getOriginalRequestUri(), false).build());
+            if (originalRequest.getRequest().getMethod().equals("POST")) {
+                String oa2redirect = new BigInteger(130, new SecureRandom()).toString(32);
+                session.put(OAuthUtils.oa2redictKeyNameInSession(oa2redirect), new ObjectMapper().writeValueAsString(originalRequest));
+                String delimiter = ogExc.getOriginalRequestUri().contains("?") ? "&" : "?";
+
+                String ogDest = ogExc.getDestinations().get(0);
+                ogExc.setDestinations(new ArrayList<>(of(ogDest + delimiter + OA2REDIRECT + "=" + oa2redirect)));
+            }
+            hc.call(ogExc);
+            exc.setResponse(ogExc.getResponse());
         }
     }
 }

core/src/main/java/com/predic8/membrane/core/interceptor/oauth2client/rf/StateManager.java

@@ -19,12 +19,15 @@
 import org.jetbrains.annotations.NotNull;
 
 import java.math.BigInteger;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Map;
 import java.util.Optional;
 
 import static com.predic8.membrane.core.interceptor.session.SessionManager.SESSION_VALUE_SEPARATOR;
+import static java.nio.charset.StandardCharsets.UTF_8;
 
 public class StateManager {
 
@@ -39,7 +42,7 @@ public static String getSecurityTokenFromState(String state2) {
         if (state2 == null)
             throw new RuntimeException("No CSRF token.");
 
-        Map<String, String> param = URLParamUtil.parseQueryString(state2, URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR);
+        Map<String, String> param = URLParamUtil.parseQueryString(URLDecoder.decode(state2, UTF_8), URLParamUtil.DuplicateKeyOrInvalidFormStrategy.ERROR);
 
         if (!param.containsKey("security_token"))
             throw new RuntimeException("No CSRF token.");

core/src/test/java/com/predic8/membrane/core/IntegrationTestsWithoutInternet.java

@@ -19,6 +19,7 @@
 import com.predic8.membrane.core.interceptor.RegExReplaceInterceptorTest;
 import com.predic8.membrane.core.interceptor.rest.REST2SOAPInterceptorIntegrationTest;
 import com.predic8.membrane.core.interceptor.server.WSDLPublisherTest;
+import com.predic8.membrane.core.oauth2.OAuth2RedirectTest;
 import com.predic8.membrane.core.resolver.ResolverTest;
 import com.predic8.membrane.core.rules.ProxySSLTest;
 import com.predic8.membrane.core.rules.SOAPProxyIntegrationTest;
@@ -47,7 +48,8 @@
         IllegalCharactersInURLTest.class,
         ProxySSLTest.class,
         SessionManager.class,
-        OpenApiRewriteIntegrationTest.class
+        OpenApiRewriteIntegrationTest.class,
+        OAuth2RedirectTest.class
 })
 public class IntegrationTestsWithoutInternet {
 }

core/src/test/java/com/predic8/membrane/core/oauth2/OAuth2AuthFlowClient.java

@@ -0,0 +1,155 @@
+package com.predic8.membrane.core.oauth2;
+
+import io.restassured.response.Response;
+import org.jetbrains.annotations.NotNull;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import static io.restassured.RestAssured.given;
+import static org.apache.http.HttpHeaders.LOCATION;
+import static org.hamcrest.text.MatchesPattern.matchesPattern;
+
+public class OAuth2AuthFlowClient {
+
+    private static final String CLIENT_BASE_URL = "http://localhost:2000";
+    private static final String CLIENT_URL = CLIENT_BASE_URL + "/a?b=c&d= ";
+    private static final String AUTH_SERVER_URL = "http://localhost:2002";
+
+    Map<String, String> cookies = new HashMap<>();
+    Map<String, String> memCookies = new HashMap<>();
+
+    // @formatter:off
+    @NotNull Response step1originalRequestGET() {
+        Response response =
+                given()
+                    .redirects().follow(false)
+                .when()
+                    .get(CLIENT_URL)
+                .then()
+                    .statusCode(307)
+                    .header(LOCATION, matchesPattern(AUTH_SERVER_URL + ".*"))
+                    .extract().response();
+        memCookies.putAll(response.getCookies());
+        return response;
+    }
+
+    @NotNull Response step1originalRequestPOST() {
+        Response response =
+                given()
+                    .redirects().follow(false)
+                .when()
+                    .post(CLIENT_URL)
+                .then()
+                    .statusCode(307)
+                    .header(LOCATION, matchesPattern(AUTH_SERVER_URL + ".*"))
+                    .extract().response();
+        memCookies.putAll(response.getCookies());
+        return response;
+    }
+
+    @NotNull String step2sendAuthToOAuth2Server(Response response) {
+        Response formRedirect =
+                given()
+                    .redirects().follow(false)
+                    .cookies(cookies)
+                    .urlEncodingEnabled(false)
+                .when()
+                    .get(response.getHeader(LOCATION))
+                .then()
+                    .statusCode(307)
+                    .header(LOCATION, matchesPattern("/login.*"))
+                    .extract().response();
+        cookies.putAll(formRedirect.getCookies());
+        return formRedirect.getHeader(LOCATION);
+    }
+
+    void step3openLoginPage(String location) {
+        given()
+            .redirects().follow(true)
+            .cookies(cookies)
+        .when()
+            .get(AUTH_SERVER_URL + location)
+        .then()
+            .statusCode(200)
+            .extract().response();
+    }
+
+    void step4submitLogin(String location) {
+        given()
+            .redirects().follow(false)
+            .cookies(cookies)
+            .header("Content-Type", "application/x-www-form-urlencoded")
+            .header("Accept-Charset", "UTF-8")
+            .formParam("username", "user")
+            .formParam("password", "password")
+        .when()
+            .post(AUTH_SERVER_URL + location)
+        .then()
+            .statusCode(200)
+            .header(LOCATION, "/")
+            .extract().response();
+    }
+
+    String step5redirectToConsent() {
+        return given()
+                .redirects().follow(false)
+                .cookies(cookies)
+            .when()
+                .get(AUTH_SERVER_URL)
+            .then()
+                .statusCode(307)
+                .header(LOCATION, matchesPattern("/login/consent.*"))
+                .extract().response().getHeader(LOCATION);
+    }
+
+    void step6openConsentDialog(String location) {
+        given()
+            .redirects().follow(false)
+            .cookies(cookies)
+        .when()
+            .get(AUTH_SERVER_URL + location)
+        .then()
+            .statusCode(200)
+            .extract().response();
+    }
+
+    void step7submitConsent(String location) {
+        given()
+            .redirects().follow(false)
+            .cookies(cookies)
+            .header("Content-Type", "application/x-www-form-urlencoded")
+            .header("Accept-Charset", "UTF-8")
+            .formParam("consent", "Accept")
+        .when()
+            .post(AUTH_SERVER_URL + location)
+        .then()
+            .statusCode(200)
+            .header(LOCATION, "/")
+            .extract().response();
+    }
+
+    String step8redirectToClient() {
+        return given()
+                .redirects().follow(false)
+                .cookies(cookies)
+            .when()
+                .post(AUTH_SERVER_URL)
+            .then()
+                .statusCode(307)
+                .header(LOCATION, matchesPattern(CLIENT_BASE_URL + ".*"))
+                .extract().response().getHeader(LOCATION);
+    }
+
+    void step9exchangeCodeForToken(String location) {
+        given()
+            .redirects().follow(false)
+            .cookies(memCookies)
+        .when()
+            .post(location)
+        .then()
+            .statusCode(200)
+            .extract().response();
+    }
+    // @formatter:on
+}