Hi Spring Authorization gurus,
I'm probably "holding it wrong", but here goes.
Context
How has this issue affected you? What are you trying to accomplish?
I was hoping to utilize OAuth2AuthorizationCodeRequestAuthenticationConverter for the JWT Authorization Request (~ JAR) for an OIDC authorization code flow with a request JWT query parameter.
So I've tried wrapping OAuth2AuthorizationCodeRequestAuthenticationConverter delegation in a custom JWT converter and added an HttpServletRequestWrapper to wrap the JWT claims as parameters before delegating to convert(..).
What other alternatives have you considered?
There are currently no SA alternatives as far as I can tell.
( #781 is still open)
Are you aware of any workarounds?
Creating a custom converter by duplicating OAuth2AuthorizationCodeRequestAuthenticationConverter, except for the parameters filter, is technically a workaround, albeit undesirable for long-term maintenance.
Current Behavior
Unfortunately, the following hard-coded filtering sidesteps the custom request wrapper.

```java
MultiValueMap<String, String> parameters = "GET".equals(request.getMethod())
        ? OAuth2EndpointUtils.getQueryParameters(request)
        : OAuth2EndpointUtils.getFormParameters(request);
```
According to section 6.1 of the specification, only some of the OAuth 2.0 query parameters are a MUST, like response_type and client_id .. scope.
In my case the issue is that the PKCE parameters (among others) included in the JWT claims are excluded by the default filtering, and then SA validation triggers downstream.
Expected Behavior
If it were possible to inject custom parameters via a Supplier<MultiValueMap<String, String>> parametersSupplier, à la

```java
MultiValueMap<String, String> parameters;
if (parametersSupplier == null) {
    parameters = "GET".equals(request.getMethod())
            ? OAuth2EndpointUtils.getQueryParameters(request)
            : OAuth2EndpointUtils.getFormParameters(request);
} else {
    parameters = parametersSupplier.get();
}
```
then it seems like it would be possible to utilize this class via orchestration 🤓
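For readers following the wrapper approach described in the issue, here is an added example (not code from the issue or from Spring Authorization Server) of an HttpServletRequestWrapper that exposes the claims of a JAR request JWT as request parameters. It assumes the caller has already verified the JWT (signature, issuer, audience, expiry) and passes in the resulting claims map; the class name and the choice to also override getQueryString() are this example's own.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletRequestWrapper;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.stream.Collectors;

/**
 * Added example: presents the claims of an already VERIFIED "request" JWT
 * (RFC 9101) as ordinary request parameters. Per RFC 9101 section 6.3 a claim
 * in the Request Object takes precedence over a same-named query parameter,
 * and "request"/"request_uri" are never carried inside the JWT itself.
 */
public final class JarClaimsRequestWrapper extends HttpServletRequestWrapper {

    private final Map<String, String[]> merged;

    /** @param verifiedClaims claims of the request JWT AFTER signature/issuer/audience checks (assumed done by the caller). */
    public JarClaimsRequestWrapper(HttpServletRequest request, Map<String, Object> verifiedClaims) {
        super(request);
        Map<String, String[]> params = new LinkedHashMap<>(request.getParameterMap());
        params.remove("request");      // the JWT envelope must not reach downstream validation as a parameter
        params.remove("request_uri");
        verifiedClaims.forEach((name, value) -> {
            if (value == null || "request".equals(name) || "request_uri".equals(name)) {
                return;                // never let the envelope be re-injected via a claim
            }
            params.put(name, new String[] { String.valueOf(value) }); // claim wins over query parameter
        });
        this.merged = Collections.unmodifiableMap(params);
    }

    @Override public Map<String, String[]> getParameterMap() { return merged; }

    @Override public String getParameter(String name) {
        String[] v = merged.get(name);
        return (v == null || v.length == 0) ? null : v[0];
    }

    @Override public String[] getParameterValues(String name) { return merged.get(name); }

    @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(merged.keySet()); }

    /** Readers that consult the raw query string rather than the parameter map see the same merged view. */
    @Override public String getQueryString() {
        return merged.entrySet().stream()
                .flatMap(e -> Arrays.stream(e.getValue())
                        .map(v -> e.getKey() + "=" + URLEncoder.encode(v, StandardCharsets.UTF_8)))
                .collect(Collectors.joining("&"));
    }
}
```

Whether the converter's parameter filter honours the wrapper's query string is exactly what the issue reports as not working, so treat the getQueryString() override as belt-and-braces rather than a confirmed fix.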