I was working on making a custom converter for the "OAuth2AuthorizationCodeGrantRequest" to add support for the PKCE spec. However, I still wanted the base functionality of "OAuth2AuthorizationCodeGrantRequestEntityConverter", and just wanted to add some parameters.
The way to do this, per the official documentation, is to just create a new class implementing "Converter
```java
// Class name is illustrative; the delegate field is what the convert() body below relies on.
public class PkceGrantRequestEntityConverter
        implements Converter<OAuth2AuthorizationCodeGrantRequest, RequestEntity<?>> {

    private final OAuth2AuthorizationCodeGrantRequestEntityConverter defaultConverter =
            new OAuth2AuthorizationCodeGrantRequestEntityConverter();

    @Override
    @SuppressWarnings("unchecked") // getBody() is typed Object; the default converter puts a MultiValueMap there
    public RequestEntity<?> convert(OAuth2AuthorizationCodeGrantRequest request) {
        RequestEntity<?> entity = this.defaultConverter.convert(request);
        // Create PKCE request parameters by copying the form body and adding code_verifier.
        MultiValueMap<String, String> params = (MultiValueMap<String, String>) entity.getBody();
        params.add("code_verifier", "verifier");
        return new RequestEntity<>(params, entity.getHeaders(), entity.getMethod(), entity.getUrl());
    }
}
```
This looks very ugly when you could just make buildFormParameters inside "OAuth2AuthorizationCodeGrantRequestEntityConverter" protected; then we could override it in a class extending it and modify/add parameters like this:
```java
// Requires buildFormParameters to be protected in the superclass, as proposed above.
public class PkceGrantRequestEntityConverter extends OAuth2AuthorizationCodeGrantRequestEntityConverter {

    @Override
    protected MultiValueMap<String, String> buildFormParameters(OAuth2AuthorizationCodeGrantRequest req) {
        // Call to super to get the standard authorization_code parameters
        MultiValueMap<String, String> params = super.buildFormParameters(req);
        // Modify/edit: MultiValueMap.put() takes a List value, so add() is the call for a single value
        params.add("code_verifier", "verifier");
        // Return added params
        return params;
    }
}
```
The "convert" method, which is already defined in the superclass, will then do the rest. Much cleaner and easier.
Thanks for taking the time to read this!
@ExpDev07 Are you aware that PKCE client support has already been added via #6485?
@jgrandja Oh no, I did not see that. Any documentation on how to use it?
@jgrandja I can't seem to find it. I am using: https://mvnrepository.com/artifact/org.springframework.security/spring-security-oauth2-client/5.1.5.RELEASE (latest) and it's not there? Must I use another version?
@ExpDev07 As indicated in #6485, it's been released in 5.2.0.M2.
You can find documentation in the reference:
OAuth 2.0 Login
OAuth 2.0 Client
NOTE: The PKCE parameters will automatically be added if the ClientRegistration does not have a spring.security.oauth2.client.registration.[registrationId].client-secret configured and the authorization-grant-type is authorization_code. You can see the logic in DefaultOAuth2AuthorizationRequestResolver.
I'm going to close this issue given that this feature is available in the latest milestone release.
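The three PKCE parameters referred to in the note above (code_challenge and code_challenge_method on the authorization request, code_verifier on the token request) are defined by RFC 7636. The following is an added example, not code from this thread or from Spring Security: a plain-JDK helper that generates the pair a public client uses, recomputes the S256 challenge the way a token endpoint does when it checks code_verifier, and confirms the result against the RFC 7636 Appendix B test vector. The class name and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

/**
 * Minimal PKCE (RFC 7636) helper, written for this example.
 * Generates the code_verifier/code_challenge pair a public client sends and
 * performs the check a token endpoint runs on the presented code_verifier.
 */
public final class Pkce {

    private static final SecureRandom RANDOM = new SecureRandom();

    /** code_verifier: 32 random bytes, base64url without padding (43 chars, inside the 43..128 range RFC 7636 allows). */
    public static String generateCodeVerifier() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** code_challenge for code_challenge_method=S256: BASE64URL(SHA-256(ASCII(code_verifier))). */
    public static String codeChallengeS256(String codeVerifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] digest = sha256.digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    /** Token endpoint side: recompute the challenge from the presented verifier and compare in constant time. */
    public static boolean verify(String storedChallenge, String presentedVerifier) {
        byte[] expected = storedChallenge.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = codeChallengeS256(presentedVerifier).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        // Authorization request (front channel): the client keeps code_verifier and sends only the challenge.
        String codeVerifier = generateCodeVerifier();
        String codeChallenge = codeChallengeS256(codeVerifier);
        System.out.println("GET /authorize?...&code_challenge=" + codeChallenge + "&code_challenge_method=S256");

        // Token request (back channel): code_verifier goes in the form body next to grant_type, code and redirect_uri.
        System.out.println("POST /token  grant_type=authorization_code&code=...&code_verifier=" + codeVerifier);

        // Server side: the code is bound to the challenge, so a stolen code without the verifier fails here.
        System.out.println("correct verifier accepted: " + verify(codeChallenge, codeVerifier));
        System.out.println("other verifier accepted:   " + verify(codeChallenge, generateCodeVerifier()));

        // RFC 7636 Appendix B test vector: a known verifier must map to the known challenge.
        String rfcVerifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
        String rfcChallenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
        System.out.println("RFC 7636 vector matches:   " + rfcChallenge.equals(codeChallengeS256(rfcVerifier)));
    }
}
```

The client must hold code_verifier only on its own side between the two requests; if it is sent on the front channel, or if a stolen authorization code can be redeemed without it, PKCE adds nothing. That is why a converter that hard-codes the verifier (as in the snippet at the top of this thread) is only a placeholder: the value has to be the one generated for that particular authorization request.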
@jgrandja Per Snapchat Kit's definition, I must include client-secret and have PKCE flow (https://docs.snapchat.com/docs/login-kit#web). This would then not be possible with this milestone?
@ExpDev07
I must include client-secret and have PKCE flow
I cannot see the requirement for client-secret in the link you provided.
I only see
Requirements
Client ID from the developer portal
Can you provide the exact link and text where the client-secret with PKCE requirement is stated?
@jgrandja It's stated under "2.5 Exchange authorization code for refresh and access token" in that link I provided (you have to scroll down a bit).
@ExpDev07 For public (PKCE) clients, the token endpoint request requires the code_verifier parameter as well and there is no mention of it in the section you pointed out. The link you provided makes no reference to PKCE either?
@jgrandja I know it doesn't make any reference to it, because Snapchat has decided not to document it. However, when you make requests without the PKCE parameters, you get "PKCE parameters are missing".
So is there any way for me to make the current Spring oauth2-client work with Snapchat authentication? It's really difficult to figure anything out due to the poor job Snapchat has done with documentation.
@ExpDev07 I'll try Snapchat on my end and see what I come up with. Give me a couple days though as I'm about to travel to a conference.