Consider configuring OAuth2AuthorizationRequestResolver by publishing a bean #15236

Closed
sjohnr opened this issue Jun 12, 2024 · 3 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: enhancement A general enhancement

Comments

@sjohnr
Member

sjohnr commented Jun 12, 2024

We should consider adding support for configuring OAuth2AuthorizationRequestResolver by publishing a bean. This would simplify this customization and allow for the following configuration:

```java
@Bean
public OAuth2AuthorizationRequestResolver authorizationRequestResolver(
		ClientRegistrationRepository clientRegistrationRepository) {

	var authorizationRequestResolver =
		new DefaultOAuth2AuthorizationRequestResolver(
			clientRegistrationRepository,
			OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
	authorizationRequestResolver.setAuthorizationRequestCustomizer(
		OAuth2AuthorizationRequestCustomizers.withPkce());

	return authorizationRequestResolver;
}
```

The same would apply with the reactive stack and ServerOAuth2AuthorizationRequestResolver. See this comment for additional context. cc @randomstuff

@sjohnr sjohnr added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: ideal-for-contribution An issue that we actively are looking for someone to help us with labels Jun 12, 2024
franticticktick pushed a commit to franticticktick/spring-security that referenced this issue Jun 12, 2024
@sjohnr sjohnr closed this as completed in 4e52eda Jun 13, 2024
@knoobie

knoobie commented Jul 31, 2024

@sjohnr Sorry for hijacking this issue. Because it's quite recent, I was thinking about asking here before creating a new one because it is somehow related.

We are currently supporting multiple client registrations for our application and each client registration requires us to customize the Request with e.g. amr values. Because each client requires different amr values, we have some dirty hack in place because the customizer has no access to the currentClient it has to be built for. With multiple Beans this issue might occur more frequently for people as well.

```java
  private Consumer<Builder> authorizationRequestCustomizer() {
    return customizer -> {

      // We need something to distinguish between the registrations (which is not accessible from the builder without building the config)
      var tempConfig = customizer.build();
      if (!tempConfig.getAttributes().containsKey(OAuth2ParameterNames.REGISTRATION_ID)) {
        return;
      }
      switch (tempConfig.getAttributes().get(OAuth2ParameterNames.REGISTRATION_ID).toString()) {
        case "a" -> {
          customizer.attributes(Map.of("amr", "a"));
        }
        case "b" -> {
          customizer.attributes(Map.of("amr", "b"));
        }
      }
    };
  }
```

@sjohnr
Member Author

sjohnr commented Jul 31, 2024

@knoobie you can also access the attributes via the builder method that takes a Consumer, like so:

```java
private static Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer() {
	return (builder) -> builder.attributes((attributes) -> {
		if (!attributes.containsKey(OAuth2ParameterNames.REGISTRATION_ID)) {
			return;
		}

		String registrationId = attributes.get(OAuth2ParameterNames.REGISTRATION_ID).toString();
		// ...
	});
}
```

@knoobie

knoobie commented Jul 31, 2024

Oh... Interesting idea! Thanks!
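
An added example, not code from this thread or from Spring Security itself, that combines the bean from the issue description with the attribute lookup suggested in the reply above: PKCE stays enabled for every registration and a per-registration step is chained after it. The registration ids `a` and `b` and the `amr` name come from the thread; the class name, the mapping, and the choice to send the value through `additionalParameters` (appended to the authorization request URI) rather than `attributes` (kept with the stored request) are assumptions, as is a Spring Security version that picks up the published bean.

```java
import java.util.Map;
import java.util.function.Consumer;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;

// Hypothetical configuration class, named for this example only.
@Configuration
public class PerRegistrationAuthorizationRequestConfig {

	// Constructed sample mapping: registration id -> value of the extra parameter.
	private static final Map<String, String> VALUE_BY_REGISTRATION = Map.of("a", "a", "b", "b");

	// Parameter name taken from the thread; sending it as a request parameter is an assumption.
	private static final String PARAMETER_NAME = "amr";

	@Bean
	public OAuth2AuthorizationRequestResolver authorizationRequestResolver(
			ClientRegistrationRepository clientRegistrationRepository) {
		var resolver = new DefaultOAuth2AuthorizationRequestResolver(
				clientRegistrationRepository,
				OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
		// Apply PKCE first for every registration, then the per-registration step.
		resolver.setAuthorizationRequestCustomizer(
				OAuth2AuthorizationRequestCustomizers.withPkce().andThen(perRegistration()));
		return resolver;
	}

	static Consumer<OAuth2AuthorizationRequest.Builder> perRegistration() {
		// Read the registration id from the builder's attributes without calling build().
		return (builder) -> builder.attributes((attributes) -> {
			Object registrationId = attributes.get(OAuth2ParameterNames.REGISTRATION_ID);
			if (registrationId == null) {
				return; // no registration id available: leave the request unchanged
			}
			String value = VALUE_BY_REGISTRATION.get(registrationId.toString());
			if (value == null) {
				return; // registration without a configured value: leave the request unchanged
			}
			builder.additionalParameters((params) -> params.put(PARAMETER_NAME, value));
		});
	}
}
```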
