Spring-security: Add OAuth2AuthorizationRequestResolver

Created on 13 Dec 2017 · 11Comments · Source: spring-projects/spring-security

Summary

When using a 3rd party OAuth provider such as Auth0 or Okta it would be very useful to allow developers to hook into the Authorization Request URI build process in order to add custom query parameters. This is because the providers mentioned above have added additional parameters on top of the specification to allow for more functionality.

Examples

Auth0

audience: The unique identifier of the target API you want to access.

This parameter impacts the format of the access token

Okta

idp: The Identity provider used to do the authentication.

This parameter instructs Okta to either use itself as the Identity Provider or to use another identity provider connected to the Okta Authorization Server.

A simple hook into the building of the URI should provide sufficient flexibility for these custom parameters and any others that are introduced in the future.

oauth2 enhancement

Source

andersonkyle

Most helpful comment

@andersonkyle Ok. I'll ensure a hook is provided that will allow for dynamic parameters.

jgrandja on 21 Jun 2018

🎉2

All 11 comments

@andersonkyle Makes sense. We'll aim to add this for 5.1

jgrandja on 13 Dec 2017

👍1

@andersonkyle I'm finally circling back to address this requirement.

The simplest solution to allow for custom authorization request parameters would be to allow the user to provide the request parameters via the ClientRegistration configuration.

For example, if you would like to provide the audience and idp in the Authorization Request, you would configure it as follows:

spring:
  security:
    oauth2:
      client:
        registration:
          okta:
            client-id: client-id
            client-secret: secret
        ...
        ...
        provider:
          okta:
            authorization-uri: https://tenant1.okta.com/oauth2/v2/auth?audience=resource1&idp=https://provider2.com
       ...
       ...

We would ensure that any request parameters supplied in the authorization-uri are preserved when building the Authorization Request.

Would this strategy meet your requirement?

jgrandja on 20 Jun 2018

Yeah, that should do the trick. Thanks!

The same flexibility is needed for the token request:

{
    "grant_type":"http://auth0.com/oauth/grant-type/password-realm",
    "username": "[email protected]",
    "password": "password",
    "realm": "UserDatabase5",
    "audience": "https://api.example.com",
    "scope": "openid email profile",
    "client_id": "1234",
    "client_secret": "5678"
}

^ the above example POST /oauth/token body for a Resource Owner Password Credentials grant includes 2 additional parameters: audience, realm as well as a custom value for grant_type.

This may be worthy of a separate ticket but thought I'd mention it while you're looking at this.

Both of these improvements will make working with 3rd party providers (who love to add functionality on top of the spec) much easier!

andersonkyle on 20 Jun 2018

@andersonkyle Yes, please add a new ticket for the custom token request parameters. I'll keep this in mind.

jgrandja on 20 Jun 2018

👍1

@jgrandja Thought about the proposal a little more and while it works for simple use cases, it doesn't allow the values to be dynamic.

Here's an example:

A Client has access to multiple identity providers (Active Directory, Google and Okta's Universal Directory). The additional idp parameter allows a Client to switch between them dynamically. If we bake it into the properties file it essentially becomes static.

Perhaps a callback mechanism would work a little better?

andersonkyle on 20 Jun 2018

@andersonkyle Ok. I'll ensure a hook is provided that will allow for dynamic parameters.

jgrandja on 21 Jun 2018

🎉2

Hi,

Maybe I shouldn't be using Security OAauth to do this (as the API say that they use a "variant of OAuth2") but:

I'm trying to use the Pocket API and they request just requires the "consumer_key" and "redirect_url" to get the token.

As pointed out by @andersonkyle would be good to customize the URI and add parameters, but also remove unnecessary. When I'm creating a ClientRegistration the builder forces me to set some parameters that are not mandatory to this specific API.

If I did not provide enough information, please just let me know.
Tks

thiagotgo90 on 5 Jul 2018

@andersonkyle This feature has been merged. Take a look at the following tests for usage:

https://github.com/spring-projects/spring-security/blob/779597af2a6ed777707f08ae8106818e0b8e299e/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java#L306

Also, I'm planning on merging #5521 shortly as this is required in order to configure a custom OAuth2AuthorizationRequestResolver.

Please let me know how this goes and if it suits your requirements.

jgrandja on 16 Jul 2018

@jgrandja This looks great. This additional flexibility makes it simple to satisfy any OAuth provider's specific requirements. 👍

andersonkyle on 21 Jul 2018

Yeah I'm pretty happy how it turned out. The OAuth2AuthorizationRequestResolver is simple yet provides the flexibility to fulfill various use cases.

jgrandja on 23 Jul 2018

@jgrandja @andersonkyle I put some polish on this code to remove a tangle. See 938dbbf

rwinch on 17 Aug 2018

👍1

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Provide support for refresh_token grant

jgrandja · 4Comments

Support OAuth2 Login with WebFlux

unlimitedsola · 4Comments

any difference between @Autowired AuthenticationManager and @Override configure(AuthenticationManagerBuilder auth)

lexburner · 3Comments

Extra DaoAuthenticationProvider is created, despite I created own implementation

muzuro · 3Comments

GrantedAuthorityDefaults does not apply on ExpressionInterceptUrlRegistry#hasRole

kazuki43zoo · 4Comments