OAuth 2.0 Discovery Clients #6847
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A support class for configuration that is common to the various
builders that use discovery.
The following is how you would configure ClientRegistrations to use
oauth-authorization-server discovery:
ClientRegistrations.fromIssuerLocation("https://idp.example.org",
OAuth2MetadataClientBuilder::oauth2Discovery);
Or to use OIDC Discovery as well as OAuth 2.0 Discovery do:
ClientRegistrations.fromIssuerLocation("http://idp.example.org",
client -> client.oidcDiscovery().oauth2Discovery());
jzheaux
commented
May 7, 2019
| import org.springframework.web.client.HttpClientErrorException; | ||
| import org.springframework.web.util.UriComponentsBuilder; | ||
|
|
||
| public class OAuth2MetadataClientBuilder { |
There was a problem hiding this comment.
I'm not convinced that this is the time to introduce this as a public class. However, I see no other way to share this with ClientRegistrations, JwtDecoders, and ReactiveJwtDecoders.
Some alternatives include:
- Making the constructor
protected. I don't see this as a huge win since its still a public contract that folks simply then need to extend to use. - Have two copies of this class. This seems odd, really, since there is nothing Resource Server-specific or Client Application-specific about this class. It would also mean copying this into other packages where we may want to do discovery down the road (e.g. introspection configuration)
- Narrow the class's contract down to only generating the URIs. The overlapping concerns of these three classes (
ClientRegistrations,JwtDecoders, andReactiveJwtDecoders) are the need to address a metadata endpoint using the issuer. This is the same way that Nimbus exposes this feature, and it is clearly the way that the spec outlines the contract - an issuer in exchange for metadata. While this class could more narrowly just calculate the URIs, it seems a very odd thing to expose since it seems an internal implementation detail to a metadata client (it wouldn't make sense to me to hand the fully-qualified discovery url to a discovery client since that discovery client would really prefer to calculate it itself).
For these reasons, I do lean towards keeping this class public with a URI -> Map<String, Object> contract.
Also, I'd prefer the class be final, though really this PR is in draft form and has yet some cleanup to do. My hope is to begin conversation about what is an effective consolidation of the duplicated code in these three classes, and perhaps others down the road.
|
Closing in favor of #6765 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A support class for configuration that is common to the various
builders that use discovery.
The following is how you would configure ClientRegistrations to use
oauth-authorization-server discovery:
Or to use OIDC Discovery as well as OAuth 2.0 Discovery do: