Support authorization_code grant for OAuth2 client

This commit also refactors OAuth2 client properties. With
the added support for authorization_code clients, client
registrations are now divided into `login` and `authorization_code`.
An environment post processor is used for backward compatibility with
old Open ID Connect login clients.

Closes gh-13812
This commit is contained in:
Madhura Bhave
2018-08-22 14:04:10 -07:00
parent 5af7835e83
commit f5deebf0cb
18 changed files with 725 additions and 193 deletions

View File

@@ -3219,36 +3219,18 @@ https://oauth.net/2/[OAuth2] is a widely used authorization framework that is su
Spring.
[[boot-features-security-oauth2-client]]
==== Client
If you have `spring-security-oauth2-client` on your classpath, you can take advantage of
some auto-configuration to make it easy to set up an OAuth2 Client. This configuration
makes use of the properties under `OAuth2ClientProperties`. The same properties are applicable
for both servlet and reactive applications.
some auto-configuration to make it easy to set up an OAuth2/Open ID Connect clients. This configuration
makes use of the properties under `OAuth2ClientProperties`.
You can register multiple OAuth2 clients and providers under the
`spring.security.oauth2.client` prefix, as shown in the following example:
You can register multiple OAuth2/OpenID Connect providers under the `spring.security.oauth2.client.provider`
prefix, as shown in the following example:
[source,properties,indent=0]
----
spring.security.oauth2.client.registration.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.my-client-1.client-secret=password
spring.security.oauth2.client.registration.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-1.scope=user
spring.security.oauth2.client.registration.my-client-1.redirect-uri-template=http://my-redirect-uri.com
spring.security.oauth2.client.registration.my-client-1.client-authentication-method=basic
spring.security.oauth2.client.registration.my-client-1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.my-client-2.client-secret=password
spring.security.oauth2.client.registration.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.my-client-2.scope=email
spring.security.oauth2.client.registration.my-client-2.redirect-uri-template=http://my-redirect-uri.com
spring.security.oauth2.client.registration.my-client-2.client-authentication-method=basic
spring.security.oauth2.client.registration.my-client-2.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.my-oauth-provider.authorization-uri=http://my-auth-server/oauth/authorize
spring.security.oauth2.client.provider.my-oauth-provider.token-uri=http://my-auth-server/oauth/token
spring.security.oauth2.client.provider.my-oauth-provider.user-info-uri=http://my-auth-server/userinfo
@@ -3257,6 +3239,48 @@ You can register multiple OAuth2 clients and providers under the
spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=name
----
For OpenID Connect providers that support https://openid.net/specs/openid-connect-discovery-1_0.html[OpenID Connect discovery],
the configuration can be further simplified. The provider needs to be configured with an `issuer-uri` which is the
URI that the it asserts as its Issuer Identifier. For example, if the
`issuer-uri` provided is "https://example.com", then an `OpenID Provider Configuration Request`
will be made to "https://example.com/.well-known/openid-configuration". The result is expected
to be an `OpenID Provider Configuration Response`. The following example shows how an OpenID Connect
Provider can be configured with the `issuer-uri`:
[source,properties,indent=0]
----
spring.security.oauth2.client.provider.oidc-provider.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/
----
[[boot-features-security-oauth2-login-client-registration]]
===== OpenID Connect Login client registration
You can register multiple Open ID Connect clients under the
`spring.security.oauth2.client.registration.login` prefix, as shown in the following example:
[source,properties,indent=0]
----
spring.security.oauth2.client.registration.login.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.login.my-client-1.client-secret=password
spring.security.oauth2.client.registration.login.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.login.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.login.my-client-1.scope=user
spring.security.oauth2.client.registration.login.my-client-1.redirect-uri-template=http://localhost:8080/login/oauth2/code/my-client-1
spring.security.oauth2.client.registration.login.my-client-1.client-authentication-method=basic
spring.security.oauth2.client.registration.login.my-client-1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.login.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.login.my-client-2.client-secret=password
spring.security.oauth2.client.registration.login.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.login.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.login.my-client-2.scope=email
spring.security.oauth2.client.registration.login.my-client-2.redirect-uri-template=http://localhost:8080/login/oauth2/code/my-client-2
spring.security.oauth2.client.registration.login.my-client-2.client-authentication-method=basic
spring.security.oauth2.client.registration.login.my-client-2.authorization-grant-type=authorization_code
----
By default, Spring Security's `OAuth2LoginAuthenticationFilter` only processes URLs
matching `/login/oauth2/code/*`. If you want to customize the `redirect-uri-template` to
use a different pattern, you need to provide configuration to process that custom pattern.
@@ -3280,6 +3304,40 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
}
----
The same properties are applicable to both servlet and reactive applications.
[[boot-features-security-oauth2-authorization-code-client-registration]]
===== OAuth2 Authorization Code client registration
You can register multiple OAuth2 `authorization_code` clients under the
`spring.security.oauth2.client.registration.authorization-code` prefix, as shown in the following example:
[source,properties,indent=0]
----
spring.security.oauth2.client.registration.authorization-code.my-client-1.client-id=abcd
spring.security.oauth2.client.registration.authorization-code.my-client-1.client-secret=password
spring.security.oauth2.client.registration.authorization-code.my-client-1.client-name=Client for user scope
spring.security.oauth2.client.registration.authorization-code.my-client-1.provider=my-oauth-provider
spring.security.oauth2.client.registration.authorization-code.my-client-1.scope=user
spring.security.oauth2.client.registration.authorization-code.my-client-1.redirect-uri=http://my-redirect-uri.com
spring.security.oauth2.client.registration.authorization-code.my-client-1.client-authentication-method=basic
spring.security.oauth2.client.registration.authorization-code.my-client-1.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.authorization-code.my-client-2.client-id=abcd
spring.security.oauth2.client.registration.authorization-code.my-client-2.client-secret=password
spring.security.oauth2.client.registration.authorization-code.my-client-2.client-name=Client for email scope
spring.security.oauth2.client.registration.authorization-code.my-client-2.provider=my-oauth-provider
spring.security.oauth2.client.registration.authorization-code.my-client-2.scope=email
spring.security.oauth2.client.registration.authorization-code.my-client-2.redirect-uri=http://my-redirect-uri.com
spring.security.oauth2.client.registration.authorization-code.my-client-2.client-authentication-method=basic
spring.security.oauth2.client.registration.authorization-code.my-client-2.authorization-grant-type=authorization_code
----
[[boot-features-security-oauth2-common-providers]]
===== OAuth2 client registration for common providers
For common OAuth2 and OpenID providers, including Google, Github, Facebook, and Okta,
we provide a set of provider defaults (`google`, `github`, `facebook`, and `okta`,
respectively).
@@ -3292,27 +3350,12 @@ In other words, the two configurations in the following example use the Google p
[source,properties,indent=0]
----
spring.security.oauth2.client.registration.my-client.client-id=abcd
spring.security.oauth2.client.registration.my-client.client-secret=password
spring.security.oauth2.client.registration.my-client.provider=google
spring.security.oauth2.client.registration.login.my-client.client-id=abcd
spring.security.oauth2.client.registration.login.my-client.client-secret=password
spring.security.oauth2.client.registration.login.my-client.provider=google
spring.security.oauth2.client.registration.google.client-id=abcd
spring.security.oauth2.client.registration.google.client-secret=password
----
For OpenID Connect providers that support https://openid.net/specs/openid-connect-discovery-1_0.html[OpenID Connect discovery],
the configuration can be further simplified. The provider needs to be configured with an `issuer-uri` which is the
URI that the it asserts as its Issuer Identifier. For example, if the
`issuer-uri` provided is "https://example.com", then an `OpenID Provider Configuration Request`
will be made to "https://example.com/.well-known/openid-configuration". The result is expected
to be an `OpenID Provider Configuration Response`. The following example shows how an OpenID Connect
Provider can be configured with the `issuer-uri`:
[source,properties,indent=0]
----
spring.security.oauth2.client.registration.oidc-provider.client-id=abcd
spring.security.oauth2.client.registration.oidc-provider.client-secret=password
spring.security.oauth2.client.provider.oidc-provider.issuer-uri=https://dev-123456.oktapreview.com/oauth2/default/
spring.security.oauth2.client.registration.login.google.client-id=abcd
spring.security.oauth2.client.registration.login.google.client-secret=password
----