From c5fd646afc45979faecf52095eec0f5c636afc0d Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Fri, 20 Sep 2019 19:00:16 -0400 Subject: [PATCH] Update ref doc for OAuth2AuthorizationRequestResolver Fixes gh-7405 --- .../servlet/preface/oauth2-client.adoc | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc index bb8fc4c6c1..006ab1bb66 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc @@ -407,6 +407,28 @@ A request with the base path `/oauth2/authorization/okta` will initiate the Auth The `AuthorizationCodeOAuth2AuthorizedClientProvider` is an implementation of `OAuth2AuthorizedClientProvider` for the Authorization Code grant, which also initiates the Authorization Request redirect by the `OAuth2AuthorizationRequestRedirectFilter`. +The `DefaultOAuth2AuthorizationRequestResolver` also supports `URI` template variables for the `redirect-uri` using `UriComponentsBuilder`. + +The following configuration uses all the supported `URI` template variables: + +[source,yaml] +---- +spring: + security: + oauth2: + client: + registration: + okta: + ... + redirect-uri: "{baseScheme}{baseHost}{basePort}{basePath}/authorized/{registrationId}" + ... +---- + +[NOTE] +`{baseUrl}` resolves to `{baseScheme}{baseHost}{basePort}{basePath}` + +Configuring the `redirect-uri` with `URI` template variables is especially useful when the OAuth 2.0 Client is running behind a <>. +This ensures that the `X-Forwarded-*` headers are used when expanding the `redirect-uri`. ===== Customizing the Authorization Request 
@@ -504,6 +526,20 @@ public class CustomAuthorizationRequestResolver implements OAuth2AuthorizationRe [TIP] `OAuth2AuthorizationRequest.Builder.build()` constructs the `OAuth2AuthorizationRequest.authorizationRequestUri`, which represents the complete Authorization Request URI including all query parameters using the `application/x-www-form-urlencoded` format. +For the simple use case, where the additional request parameter is always the same for a specific provider, it can be added directly in the `authorization-uri`. + +For example, if the value for the request parameter `prompt` is always `consent` for the provider `okta`, than simply configure as follows: + +[source,yaml] +---- +spring: + security: + oauth2: + client: + provider: + okta: + authorization-uri: https://dev-1234.oktapreview.com/oauth2/v1/authorize?prompt=consent +---- The preceding example shows the common use case of adding a custom parameter on top of the standard parameters. Alternatively, if your requirements are more advanced, than you can take full control in building the Authorization Request URI by simply overriding the `OAuth2AuthorizationRequest.authorizationRequestUri` property.
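Review bot: In the first hunk (`@@ -407,6 +407,28 @@`), the `redirect-uri` example and the NOTE both write `{baseScheme}{baseHost}{basePort}{basePath}` with no `://` between the scheme and the host, and the added text does not say which variables carry their own delimiters. If `{baseScheme}` expands to the bare scheme name, a reader who copies this value gets a malformed redirect URI. Write `{baseScheme}://{baseHost}{basePort}{basePath}` in both places, or state what each variable expands to. The last two added lines should also say that the `X-Forwarded-*` headers are a safe input to the `redirect-uri` only when the trusted proxy sets them and strips any client-supplied copies, because the expanded value is what the provider is asked to redirect back to. The cross-reference in "running behind a <>" is empty as shown and needs its anchor and link text.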
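Review bot: In the second hunk (`@@ -504,6 +526,20 @@`), the new paragraphs and YAML block are inserted directly above the unchanged sentence "The preceding example shows the common use case of adding a custom parameter on top of the standard parameters", so "the preceding example" now points at the `authorization-uri` YAML instead of the `CustomAuthorizationRequestResolver` example above the TIP. Move the addition below that sentence, or reword the sentence so it names the resolver example. In the added line "than simply configure as follows", "than" should be "then".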