
Allow building a ClientRegistration from provided configuration #15716

Merged: 1 commit, Oct 2, 2024

Conversation

heruan (Contributor) commented Aug 31, 2024

This adds the fromOidcConfiguration method to ClientRegistrations to build a ClientRegistration from a map representation of an OpenID Provider Configuration Response.

This is useful when the OpenID Provider Configuration is not available at a well-known location, or if custom validation is needed for the issuer location (e.g. if the issuer is only reachable via a back-channel URI that is different from the issuer value in the configuration).

Example usage:

```java
import java.util.Map;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.web.client.RestTemplate;
RestTemplate rest = new RestTemplate();
String metadataEndpoint = "https://idp.internal/.well-known/openid-configuration"; // placeholder back-channel URL
RequestEntity<Void> request = RequestEntity.get(metadataEndpoint).build();
ParameterizedTypeReference<Map<String, Object>> typeReference = new ParameterizedTypeReference<>() {};
Map<String, Object> configuration = rest.exchange(request, typeReference).getBody();
// Validate configuration.get("issuer") as per the OIDC specification
ClientRegistration registration = ClientRegistrations.fromOidcConfiguration(configuration)
    .clientId("client-id")
    .clientSecret("client-secret")
    .build();
```

Fixes: gh-14633
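
The description above leaves the issuer validation to the caller. The class below is an added example, not code from this pull request or from Spring Security itself, showing what that validation looks like when the metadata was fetched over a back-channel URL that differs from the issuer: the issuer must be a well-formed identifier (https, no query, no fragment, per OpenID Connect Discovery 1.0 section 3) and must equal the issuer the client was configured to trust, rather than the URL it was fetched from. The class name, the registration id "back-channel-idp", the hostnames, the credentials and the metadata map (constructed inline to stand in for the fetched JSON) are assumptions for illustration.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;

/**
 * Added example (not from the pull request): builds a ClientRegistration from
 * provider metadata obtained out of band and applies the issuer check that the
 * PR description leaves to the caller. Class name, registration id, hostnames
 * and credentials are assumptions for illustration.
 */
public final class BackChannelRegistrationFactory {

    /** Issuer identifier the client was configured to trust (e.g. from properties). */
    private final String expectedIssuer;
    private final String clientId;
    private final String clientSecret;

    public BackChannelRegistrationFactory(String expectedIssuer, String clientId, String clientSecret) {
        this.expectedIssuer = requireWellFormedIssuer(expectedIssuer);
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /**
     * Builds the registration from the metadata map. Because the metadata was not
     * fetched from the issuer's own well-known URL, "issuer equals the discovery
     * URL" cannot be checked; instead the issuer must equal the configured value.
     */
    public ClientRegistration build(Map<String, Object> configuration) {
        Object value = configuration.get("issuer");
        if (!(value instanceof String issuer)) {
            throw new IllegalStateException("Provider metadata has no string 'issuer'");
        }
        requireWellFormedIssuer(issuer);
        if (!issuer.equals(this.expectedIssuer)) {
            // A back-channel host answering with a foreign issuer would otherwise
            // become the value that ID token 'iss' claims are validated against.
            throw new IllegalStateException("Provider metadata issuer '" + issuer
                    + "' does not match configured issuer '" + this.expectedIssuer + "'");
        }
        return ClientRegistrations.fromOidcConfiguration(configuration)
                .registrationId("back-channel-idp") // assumed registration id
                .clientId(this.clientId)
                .clientSecret(this.clientSecret)
                .build();
    }

    /** OpenID Connect Discovery 1.0, section 3: https scheme, no query, no fragment. */
    static String requireWellFormedIssuer(String issuer) {
        URI uri = URI.create(issuer);
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null
                || uri.getQuery() != null || uri.getFragment() != null) {
            throw new IllegalArgumentException(
                    "Issuer must be an https URL without query or fragment: " + issuer);
        }
        return issuer;
    }

    public static void main(String[] args) {
        // Constructed metadata standing in for the JSON fetched from the back-channel
        // URL: the public issuer differs from the internal host serving the endpoints.
        Map<String, Object> configuration = Map.of(
                "issuer", "https://login.example.com",
                "authorization_endpoint", "https://login.example.com/oauth2/authorize",
                "token_endpoint", "https://idp.internal:8443/oauth2/token",
                "userinfo_endpoint", "https://idp.internal:8443/oauth2/userinfo",
                "jwks_uri", "https://idp.internal:8443/oauth2/jwks",
                "subject_types_supported", List.of("public"),
                "response_types_supported", List.of("code"),
                "token_endpoint_auth_methods_supported", List.of("client_secret_basic"));

        BackChannelRegistrationFactory factory = new BackChannelRegistrationFactory(
                "https://login.example.com", "client-id", "client-secret");
        ClientRegistration registration = factory.build(configuration);
        System.out.println("issuer: " + registration.getProviderDetails().getIssuerUri());
        System.out.println("token:  " + registration.getProviderDetails().getTokenUri());
        System.out.println("jwks:   " + registration.getProviderDetails().getJwkSetUri());

        // Tampered copy: same endpoints, different issuer. The build must be refused.
        Map<String, Object> tampered = new HashMap<>(configuration);
        tampered.put("issuer", "https://evil.example.net");
        try {
            factory.build(tampered);
            throw new AssertionError("issuer mismatch was not detected");
        } catch (IllegalStateException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The fetch itself is the same RestTemplate call as in the description; the map passed to `build` is whatever the back-channel endpoint returned. The issuer stored on the resulting registration is what Spring Security's ID token validation later compares the `iss` claim against, which is why the mismatch check runs before the builder is ever called rather than after.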

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 31, 2024
@heruan heruan force-pushed the gh-14633 branch 2 times, most recently from a349ff4 to 0c0963a on August 31, 2024 11:06
@heruan heruan changed the title from "Allow an expected issuer to be successfully validated" to "Allow building a ClientRegistration from provided configuration" on Sep 20, 2024
ClientRegistrations now provides the fromOidcConfiguration
method to create a ClientRegistration.Builder from a map
representation of an OpenID Provider Configuration Response.

This is useful when the OpenID Provider Configuration is not
available at a well-known location, or if custom validation
is needed for the issuer location (e.g. if the issuer is only
reachable via a back-channel URI that is different from the
issuer value in the configuration).

Fixes: gh-14633
@rwinch rwinch self-assigned this Oct 1, 2024
@rwinch rwinch added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 2, 2024
@rwinch rwinch added this to the 6.4.0-RC1 milestone Oct 2, 2024
@rwinch rwinch merged commit a3fd551 into spring-projects:main Oct 2, 2024
6 checks passed

rwinch (Member) commented Oct 2, 2024

Thanks for the Pull Request! This is now merged into main 😄

chrisbonilla95 added a commit to gooddata/gooddata-server-oauth2 that referenced this pull request Oct 30, 2024
Updated to handle Azure B2C separately when building ClientRegistration. This is necessary because the issuer returned by Azure B2C openid-configuration does not match the requested issuer, causing a mismatch error to be thrown.

A new factory method was introduced (spring-projects/spring-security#15716) for a similar issue and will be available in Spring Security 6.4.0. For now we have borrowed the implementation and necessary helpers into our own code and will upgrade the dependency once the stable version is released and we've been able to properly test it.

JIRA: LX-614
risk: high
Linked issue (closed by this pull request): Support different OIDC issuer hostnames for frontend/backend endpoints (gh-14633)