Support POST for authorization code request flow #1811
Comments
@sylvain-costanzo Can you provide more details regarding:

As specified in 3.1 Authorization Endpoint:

Hence This is the very first request asking to support However, before a decision is made, I would like to understand why changing things on your end to a

Hello @jgrandja, and thank you for your answer. The main issue comes from our custom implementation of the We understand that our implementation may be sub-optimal, and that it is the first time someone requests this feature.

@sylvain-costanzo I don't think we want to expose a setter for

@jgrandja I think the best way to do it is to remove the

@sylvain-costanzo A PR for this enhancement would be greatly appreciated.

I think that will work.
Closes spring-projectsgh-1811
Signed-off-by: sylvain-costanzo <sylvain.costanzo1@decathlon.com>

…enticationConverter
Closes spring-projectsgh-1811
Signed-off-by: sylvain-costanzo <sylvain.costanzo1@decathlon.com>
Expected Behavior
A POST /authorize without the openid scope should be accepted by the authorization server.

Current Behavior
A POST /authorize without the openid scope returns a 404 with the following error log:
Context
Our implementation allows not passing the scope parameter during the first /authorize request, as allowed by the OAuth 2.0 specification (https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 and https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In this case our server acts as if every scope were requested.

There is no issue with Spring Authorization Server when using a GET, but our implementation replays the /authorize request with a POST after a /login.

The authorizationEndpointMatcher of OAuth2AuthorizationEndpointFilter only matches POST /authorize requests that have the openid scope: https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java#L156

I guess this is because the OAuth 2.0 spec states that the authorization server MAY support the use of POST (https://datatracker.ietf.org/doc/html/rfc6749#section-3.1), while the OpenID Connect spec states that the server MUST support GET and POST (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest).

Unfortunately we cannot submit this second /authorize with a GET, as it would break other parts of our system.

We considered tinkering with the RequestCache to add every scope of the client to the SavedRequest, but a modification in Spring Authorization Server would be simpler, because we can then just handle this use case in the token generators.

Is it possible to allow the customization of this matcher, or to remove the openid scope matcher for POST in OAuth2AuthorizationEndpointFilter?
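To make the matcher behaviour discussed in this issue concrete, the following is an added illustration, not Spring Authorization Server's own code and not the change that was eventually merged for this issue. It rebuilds, with Spring Security's RequestMatcher combinators, a matcher shaped like the one at the linked line (GET always, POST only when response_type is present and scope contains openid), next to a relaxed variant that accepts a POST /authorize with no scope at all. The security-relevant detail is that both variants still have to tell an authorization request apart from the consent-form submission, which is a POST to the same path; here that is done by the presence of response_type. The endpoint path, the client id and the helper names are assumptions, and the requests are constructed with spring-test's MockHttpServletRequest so the snippet runs offline.

```java
import org.springframework.http.HttpMethod;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.StringUtils;

import java.util.Arrays;

/**
 * Added illustration (not project code): two ways of deciding whether a request
 * to the authorization endpoint is an authorization request the filter should handle.
 */
public class AuthorizeEndpointMatcherDemo {

    // Assumed endpoint path; in the real filter it comes from AuthorizationServerSettings.
    static final String AUTHORIZE_URI = "/oauth2/authorize";

    // response_type present: this POST is an authorization request.
    // response_type absent: this POST is the consent form being submitted.
    static final RequestMatcher RESPONSE_TYPE_PRESENT =
            request -> request.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null;

    // Space-delimited scope parameter contains "openid" (RFC 6749 section 3.3 format).
    static final RequestMatcher OPENID_SCOPE_PRESENT = request -> {
        String scope = request.getParameter(OAuth2ParameterNames.SCOPE);
        return StringUtils.hasText(scope)
                && Arrays.asList(scope.split(" ")).contains(OidcScopes.OPENID);
    };

    static RequestMatcher getMatcher() {
        return new AntPathRequestMatcher(AUTHORIZE_URI, HttpMethod.GET.name());
    }

    static RequestMatcher postMatcher() {
        return new AntPathRequestMatcher(AUTHORIZE_URI, HttpMethod.POST.name());
    }

    /** Shaped like the matcher the issue describes: POST is only accepted with the openid scope. */
    static RequestMatcher openidOnlyPostMatcher() {
        return new OrRequestMatcher(getMatcher(),
                new AndRequestMatcher(postMatcher(), RESPONSE_TYPE_PRESENT, OPENID_SCOPE_PRESENT));
    }

    /** Relaxed variant: any POST carrying response_type is an authorization request, scope or not. */
    static RequestMatcher anyScopePostMatcher() {
        return new OrRequestMatcher(getMatcher(),
                new AndRequestMatcher(postMatcher(), RESPONSE_TYPE_PRESENT));
    }

    /** Consent submission: POST to the same path without response_type. */
    static RequestMatcher consentMatcher() {
        return new AndRequestMatcher(postMatcher(), new NegatedRequestMatcher(RESPONSE_TYPE_PRESENT));
    }

    // Constructed request for the demo. AntPathRequestMatcher compares the servlet path,
    // so it must be set explicitly on a MockHttpServletRequest.
    static MockHttpServletRequest authorizePost(String scope) {
        MockHttpServletRequest request = new MockHttpServletRequest(HttpMethod.POST.name(), AUTHORIZE_URI);
        request.setServletPath(AUTHORIZE_URI);
        request.setParameter(OAuth2ParameterNames.RESPONSE_TYPE, "code");
        request.setParameter(OAuth2ParameterNames.CLIENT_ID, "demo-client"); // assumed client id
        if (scope != null) {
            request.setParameter(OAuth2ParameterNames.SCOPE, scope);
        }
        return request;
    }

    public static void main(String[] args) {
        MockHttpServletRequest withOpenid = authorizePost("openid profile");
        MockHttpServletRequest noScope = authorizePost(null); // the case reported in this issue

        MockHttpServletRequest consent = new MockHttpServletRequest(HttpMethod.POST.name(), AUTHORIZE_URI);
        consent.setServletPath(AUTHORIZE_URI);
        consent.setParameter(OAuth2ParameterNames.CLIENT_ID, "demo-client");
        consent.setParameter(OAuth2ParameterNames.SCOPE, "profile");

        System.out.println("openid-only matcher, POST with openid:  " + openidOnlyPostMatcher().matches(withOpenid));
        System.out.println("openid-only matcher, POST without scope: " + openidOnlyPostMatcher().matches(noScope));
        System.out.println("relaxed matcher, POST without scope:     " + anyScopePostMatcher().matches(noScope));
        System.out.println("relaxed matcher, consent POST:           " + anyScopePostMatcher().matches(consent));
        System.out.println("consent matcher, consent POST:           " + consentMatcher().matches(consent));
    }
}
```

The point of keeping RESPONSE_TYPE_PRESENT in the relaxed variant is that dropping the openid requirement must not collapse the two POST cases into one: a consent submission carries no response_type, so it still goes to the consent branch and never gets treated as a fresh authorization request. If the reported 404 is to be reproduced, run the scope-less request through the openid-only matcher; the relaxed matcher is what a server that treats a missing scope as "all scopes" would want.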