
  • Oauth2 client with redirect uri

    Hi,
    Could anyone provide me a way to define an oauth2 client with authorization_code grant type and a fixed specified redirect uri?

    We have an authorization server in which redirect_uri is compulsory for all clients (hence not using one is not an option here) but I couldn't find a way for doing that.

    First I figured preEstablished-uri but due to some context parsing issue I couldn't set preEstablished-uri on AuthorizationCodeResourceDetails via xsd (using M6). But creating a bean with that type and setting all required properties also didn't help (as preEstablished uri is not set in request parameters anyway).

  • #2
    I think the client-side usage of registered redirect URI is a bit schizophrenic and you probably have a use case that isn't covered. I'm not 100% sure about M6, but you should find that you can manipulate the redirect uri that is sent to the remote endpoint by explicitly setting it in the AuthorizationRequest. Feel free to open a JIRA ticket with some more details about what you are trying to do and why.


    • #3
      Thanks for the reply Dave.
      First of all I gave it another try by setting "redirect_uri" parameter in request (Redirect request to authorization endpoint of provider) manually (Runtime manipulation whilst debugging), everything goes fine except that nothing happens when server (provider) redirects user back to client with generated code (404 as no controller and/or filter are mapped to this uri).

      Has setting explicitly redirect uri in AuthorizationRequest anything to do with client or it is used only on the provider side of protocol in spring security oauth2 implementation?

      Should I mention the case explicitly again: We have an oauth 2 provider. In our provider every client should be of type "authorization grant" and should be provided with an explicit redirect uri. We want to hand our partners with a basic oauth2 client implementation of our services. Is this possible with current code base of spring security oauth2?


      • #4
        Originally posted by naderghanbari
        > Thanks for the reply Dave.
        > First of all I gave it another try by setting "redirect_uri" parameter in request (Redirect request to authorization endpoint of provider) manually (Runtime manipulation whilst debugging), everything goes fine except that nothing happens when server (provider) redirects user back to client with generated code (404 as no controller and/or filter are mapped to this uri).
        That sounds right. Is there a problem with that?

        > Has setting explicitly redirect uri in AuthorizationRequest anything to do with client or it is used only on the provider side of protocol in spring security oauth2 implementation?
        The redirect uri can certainly be set by the client. It is validated by the provider, but as long as it matches the registered value (if there is one) the provider just sends a 302 at the end of the grant process with the uri the client has asked for.

        > We want to hand our partners with a basic oauth2 client implementation of our services. Is this possible with current code base of spring security oauth2?
        Yes, but as you have discovered, the client has to explicitly set the redirect URI. By default this is done for you in the SECOAUTH client code based on the current URI of the request being handled by the app, this is often the right choice, but maybe you have a case for an enhancement for a flag to always send the registered value. I don't quite understand why the current behaviour doesn't work for you yet, but I am willing to consider the enhancement (especially if you feel like sending a pull request).


        • #5
          Thanks again for the reply.

          Originally posted by Dave Syer
          > That sounds right. Is there a problem with that?
          I think that's a problem. Sorry but let me ask again:
          Consider an oauth2 client with spring security oauth2 implementation. If this client has a registered redirect_uri within the provider, then provider redirects user back to client with generated authorization code (assuming solely authorization code grant type for now). Then which part of oauth client implementation is responsible for getting this code?

          Originally posted by Dave Syer
          > I don't quite understand why the current behaviour doesn't work for you yet, but I am willing to consider the enhancement (especially if you feel like sending a pull request).
          With pleasure, I will send a pull request about the flag you mentioned.


          • #6
            Originally posted by naderghanbari
            > Then which part of oauth client implementation is responsible for getting this code?
            The AccessTokenRequest carries the authorization code. It is up to the caller of OAuth2RestTemplate to ensure that one is present with the right properties, but if you use the <oauth:rest-template/> configuration short cut in XML it will be initialized with the request parameters automatically as long as you call from a Spring-handled servlet request (through the use of request scope).

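The authorization-code round trip discussed in #4 and #6, as an added example that is not part of the thread and does not use Spring Security OAuth classes: the client always sends its registered redirect_uri, the provider compares it exactly before issuing the 302, and a handler mapped to that URI checks state and picks up the code. Host names, the client id, and all class and method names are hypothetical.

```java
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class RedirectUriFlow {
    // Constructed placeholders, not values from the thread.
    static final String REGISTERED = "https://client.example/oauth/callback";
    static final String AUTHORIZE = "https://provider.example/oauth/authorize";
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    static String dec(String s) { return URLDecoder.decode(s, StandardCharsets.UTF_8); }

    // Client: always send the registered value, never the current request URI.
    static String authorizationUrl(String clientId, String state) {
        return AUTHORIZE + "?response_type=code&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(REGISTERED) + "&state=" + enc(state);
    }

    // Provider: exact string match against the registered value, then the 302 target.
    static String providerRedirect(String requested, String state, String code) {
        if (!REGISTERED.equals(requested))
            throw new IllegalArgumentException("redirect_uri does not match registered value");
        return requested + "?code=" + enc(code) + "&state=" + enc(state);
    }

    // Client handler mapped to REGISTERED: verify state, return the code for the token request.
    static String handleCallback(String location, String expectedState) {
        Map<String, String> p = parseQuery(URI.create(location).getRawQuery());
        if (!expectedState.equals(p.get("state")))
            throw new IllegalStateException("state mismatch, callback rejected");
        return p.get("code");
    }

    static Map<String, String> parseQuery(String raw) {
        Map<String, String> out = new HashMap<>();
        for (String pair : raw.split("&")) {
            String[] kv = pair.split("=", 2);
            out.put(dec(kv[0]), kv.length > 1 ? dec(kv[1]) : "");
        }
        return out;
    }

    public static void main(String[] args) {
        String state = UUID.randomUUID().toString(); // unguessable per-request value
        Map<String, String> sent = parseQuery(URI.create(authorizationUrl("partner-app", state)).getRawQuery());
        String location = providerRedirect(sent.get("redirect_uri"), sent.get("state"), "constructed-code");
        System.out.println("302 Location: " + location);
        System.out.println("code: " + handleCallback(location, state));
        try { providerRedirect(REGISTERED + "/../other", state, "x"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The same redirect_uri value must be sent again in the token request that exchanges the code, since RFC 6749 section 4.1.3 requires it to be identical to the one used in the authorization request.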