Spring-security-oauth: Support additional/custom redirect parameters

Created on 28 Feb 2015 · 6 Comments · Source: spring-projects/spring-security-oauth

Support for custom parameters when redirecting for authorization (getRedirectForAuthorization) will be useful for some OAuth2 implementations that are not entirely standard.
One example of this is Reddit - which requires a duration parameter (the Reddit API).

stackoverflow enhancement

All 6 comments

You can do this already with a custom OAuth2ClientContextFilter.redirectUser(). I'm looking at what might make sense for 2.0.7 as well.

You can also already extend AuthorizationCodeResourceDetails.getRedirectUri(). This seems like exactly the level of customization you need for reddit (specific to the provider, a.k.a. resource details).

UPDATE: I mean getUserAuthorizationUri() (of course). Example

    // tokenUrl, authorizeUrl, clientId and clientSecret are fields of the enclosing configuration class.
    @Bean
    protected OAuth2ProtectedResourceDetails resource() {
        AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails() {
            @Override
            public String getUserAuthorizationUri() {
                // Append the provider-specific parameter to the configured authorization URI.
                return super.getUserAuthorizationUri() + "?duration=temporary";
            }
        };
        resource.setAccessTokenUri(tokenUrl);
        resource.setUserAuthorizationUri(authorizeUrl);
        resource.setClientId(clientId);
        resource.setClientSecret(clientSecret);
        resource.setScope(Arrays.asList("identity"));
        // Use a fixed redirect URI instead of the current request URI.
        resource.setPreEstablishedRedirectUri("http://localhost:8080");
        resource.setUseCurrentUri(false);
        return resource;
    }
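
The custom OAuth2ClientContextFilter.redirectUser() route mentioned in the first reply, as an added example (not code from this thread or from the project). The class name and the constructor argument are assumptions, and registering the filter in place of the default one is not shown.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException;

// Hypothetical subclass (the name is an assumption, not a class from spring-security-oauth).
public class ExtraParamsClientContextFilter extends OAuth2ClientContextFilter {

    // Parameters the framework sets itself; an extra parameter must never replace them,
    // in particular "state", which ties the callback to this user's session.
    private static final Set<String> RESERVED = new HashSet<>(Arrays.asList(
            "client_id", "redirect_uri", "response_type", "scope", "state"));

    private final Map<String, String> extraParams;

    // extraParams are fixed, server-side values (e.g. duration=temporary for Reddit),
    // never copied from the incoming request.
    public ExtraParamsClientContextFilter(Map<String, String> extraParams) {
        for (String name : extraParams.keySet()) {
            if (RESERVED.contains(name)) {
                throw new IllegalArgumentException("Reserved OAuth2 parameter: " + name);
            }
        }
        this.extraParams = new LinkedHashMap<>(extraParams);
    }

    @Override
    protected void redirectUser(UserRedirectRequiredException e, HttpServletRequest request,
            HttpServletResponse response) throws IOException {
        // Copy rather than mutate the exception's own parameter map.
        Map<String, String> params = new LinkedHashMap<>(e.getRequestParams());
        for (Map.Entry<String, String> extra : extraParams.entrySet()) {
            params.putIfAbsent(extra.getKey(), extra.getValue());
        }
        UserRedirectRequiredException withExtras =
                new UserRedirectRequiredException(e.getRedirectUri(), params);
        withExtras.setStateKey(e.getStateKey());
        withExtras.setStateToPreserve(e.getStateToPreserve());
        // The parent adds each entry as a query parameter, appends state and URL-encodes the result.
        super.redirectUser(withExtras, request, response);
    }
}
```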

@dsyer
I tried to extend the AuthorizationCodeResourceDetails but am running into the following issue.

In the OAuth2ProtectedResourceDetailsConfiguration class in the org.springframework.boot.autoconfigure.security.oauth2.client package the AuthorizationCodeResourceDetails bean is annotated w/ @Primary.

Furthermore, the OAuth2ProtectedResourceDetailsConfiguration is not a public class meaning it can't be excluded from the component scan.

I realize this thread is 2 years old; is there now a different recommended way of accomplishing this?

👍 @Sghazzawi
I have a similar issue.

@paulfournel
me too

me four. I'd like to use this to pass a GUID to handle the callbackURL on a stateless server.
