Support for custom parameters when redirecting for authorization (getRedirectForAuthorization) will be useful for some OAuth2 implementations that are not entirely standard.
One example of this is Reddit - which requires a duration parameter (the Reddit API).
You can do this already with a custom OAuth2ClientContextFilter.redirectUser(). I'm looking at what might make sense for 2.0.7 as well.
You can also already extend AuthorizationCodeResourceDetails.getRedirectUri(). This seems like exactly the level of customization you need for reddit (specific to the provider, a.k.a. resource details).
UPDATE: I mean getUserAuthorizationUri() (of course). Example:

```java
@Bean
protected OAuth2ProtectedResourceDetails resource() {
    AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails() {
        @Override
        public String getUserAuthorizationUri() {
            return super.getUserAuthorizationUri() + "?duration=temporary";
        }
    };
    resource.setAccessTokenUri(tokenUrl);
    resource.setUserAuthorizationUri(authorizeUrl);
    resource.setClientId(clientId);
    resource.setClientSecret(clientSecret);
    resource.setScope(Arrays.asList("identity"));
    resource.setPreEstablishedRedirectUri("http://localhost:8080");
    resource.setUseCurrentUri(false);
    return resource;
}
```
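A variant of the override above that merges the extra parameters into the authorization URI instead of concatenating a literal "?...", so a configured URI that already carries a query string stays well-formed. This is an added example, not code from the thread or from Spring Security OAuth; the class name ExtraParamsResourceDetails is hypothetical, and it assumes the redirect filter encodes the final URL.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.web.util.UriComponentsBuilder;

// Hypothetical helper class, not part of Spring Security OAuth.
public class ExtraParamsResourceDetails extends AuthorizationCodeResourceDetails {

    // Fixed, provider-specific parameters (e.g. duration=temporary for Reddit).
    // Keep these as configuration constants; do not copy values from the
    // incoming request into the authorization URL.
    private final Map<String, String> extraParams;

    public ExtraParamsResourceDetails(Map<String, String> extraParams) {
        this.extraParams = Collections.unmodifiableMap(new LinkedHashMap<>(extraParams));
    }

    @Override
    public String getUserAuthorizationUri() {
        String base = super.getUserAuthorizationUri();
        if (base == null) {
            return null; // nothing configured yet
        }
        UriComponentsBuilder builder = UriComponentsBuilder.fromUriString(base);
        // replaceQueryParam avoids duplicates if the configured URI already
        // contains one of the parameters.
        extraParams.forEach((name, value) -> builder.replaceQueryParam(name, value));
        // Left unencoded here on the assumption that the caller encodes the
        // final redirect URL; encoding twice would corrupt '%' sequences.
        return builder.build().toUriString();
    }
}
```

Construct it with `Collections.singletonMap("duration", "temporary")` in place of the anonymous subclass; the remaining setters are unchanged.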
@dsyer
I tried to extend the AuthorizationCodeResourceDetails but am running into the following issue.
In the OAuth2ProtectedResourceDetailsConfiguration class in the org.springframework.boot.autoconfigure.security.oauth2.client package the AuthorizationCodeResourceDetails bean is annotated w/ @Primary.
Furthermore, the OAuth2ProtectedResourceDetailsConfiguration is not a public class, meaning it can't be excluded from the component scan.
I realize this thread is 2 years old; is there now a different recommended way of accomplishing this?
👍 @Sghazzawi
I have a similar issue.
@paulfournel
me too
me four. I'd like to use this to pass a GUID to handle the callbackURL on a stateless server.