Add support for audience parameter #600
Conversation
|
|
||
| private static boolean isDefaultAudience(OktaOAuth2Properties properties) { | ||
| String audience = properties.getAudience(); | ||
| return audience == null || audience.isEmpty() || audience.equals("api://default"); |
There was a problem hiding this comment.
This means that api://default will never be sent if it's the audience. I tried to make it so it only happens when it's Auth0, but was unable to figure out how to do it.
There was a problem hiding this comment.
I guess it should not be a problem sending it for Okta too.
| // this does the same as both defaults merged together (and provides the previous behavior) | ||
| http.authorizeRequests((requests) -> requests.anyRequest().authenticated()); | ||
| Okta.configureOAuth2WithPkce(http, clientRegistrationRepository); | ||
| Okta.configureOAuth2WithAudience(http, clientRegistrationRepository, oktaOAuth2Properties); |
There was a problem hiding this comment.
The audience overrides the PKCE parameters added on the previous line. Is there a way to chain these together so both parameters are added?
| } | ||
|
|
||
| @Bean | ||
| @ConditionalOnBean(ReactiveJwtDecoder.class) |
There was a problem hiding this comment.
Removing this was necessary to invoke this configuration when no SecurityConfiguration exists.
| // this does the same as both defaults merged together (and provides the previous behavior) | ||
| http.authorizeExchange().anyExchange().authenticated(); | ||
| Okta.configureOAuth2WithPkce(http, clientRegistrationRepository); | ||
| Okta.configureOAuth2WithAudience(http, clientRegistrationRepository, properties); |
There was a problem hiding this comment.
This line clobbers the previous lines added parameters. We need to figure out a way to chain them together.
There was a problem hiding this comment.
@arvindkrishnakumar-okta It seems like we could create the DefaultServerOAuth2AuthorizationRequestResolver before passing it to Okta's static methods, but that would change the method signature for configureOAuth2WithPkce(). I believe that would be a breaking change and require a major version bump. Do you have any other ideas?
There was a problem hiding this comment.
@mraible I think that is the only way out here to resolve the clobbering.
There was a problem hiding this comment.
Would it be possible to overload the method with new signature and deprecate the current one?
| private static ServerOAuth2AuthorizationRequestResolver reactiveAuthzRequestResolver( | ||
| ReactiveClientRegistrationRepository clientRegistrationRepository, String audience) { | ||
|
|
||
| DefaultServerOAuth2AuthorizationRequestResolver authorizationRequestResolver = |
There was a problem hiding this comment.
How do you get the authorizationRequestResolver if it already exists? If I could figure that out, I could probably solve the chaining problem where the audience parameters overwrite the PKCE parameters.
|
Was this ever superseded and fixed another way? |
4 participants
No description provided.