This repository was archived by the owner on May 31, 2022. It is now read-only.

Incompatible change between versions 5.1.2 and 5.0.9 regarding configuration urls such as authorizationUri #1561

Closed
codefiddler opened this issue Jan 18, 2019 · 1 comment

@codefiddler

In Spring Security version 5.0.9, URLs taken from the configuration (application.properties) were built using the class OAuth2AuthorizationRequestUriBuilder. As I understand it, in the version 5.1.2, this has been refactored into the class OAuth2AuthorizationRequest but using an implementation with assumptions that are not always true (my case in point).

My company's OAuth server requires that it is possible to have parameters in the authorizationUri and Token URI with the following structure:

aservername.com/nidp/oauth/nam/authz?resourceServer=aName

(I cannot change this requirement)

With the version 5.0.9 this worked, however, when we upgraded Spring Boot (from 2.0.6 to 2.1.1) the new version of the spring-security-oauth (version 5.1.2) implementation started to produce the following:

aservername.com/nidp/oauth/nam/authz?resourceServer=aName?response_type=code&client_id=myClientid&scope=myscope1

(notice the two question marks)

This is not understood (as I would expect) by our OAuth server.

Unfortunately, I do not see a way to cleanly resolve this. Therefore it would be great if the spring implementation of OAuth could handle URLs with parameters in the future like it did in the past.

I added a test to this ticket:

BugFixTest.txt

Cheers!

@jgrandja
Contributor

@codefiddler FYI, this issue should have been reported to the Spring Security issue tracker.

This issue was originally reported in spring-security#5760 and was fixed in spring-security#6299, which made it into last week's release of 5.2.0.M1. However, the backport to 5.1.3 was missed. So thank you for reporting this! I have now pushed the patch to 5.1.x via spring-security#6465, which will be released in 5.1.4 (not scheduled yet).

Your options for getting this working now, until 5.1.4 is released, are as follows:

  • Update spring-security to 5.1.4.BUILD-SNAPSHOT
  • Update spring-security to 5.2.0.M1
  • Remain on your current version 5.1.2 and add the parameter resourceServer=aName as an additional custom parameter using OAuth2AuthorizationRequestResolver.

Thanks again for reporting this. Let me know if you have any questions.
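The third option above (stay on 5.1.2 and supply `resourceServer=aName` through an `OAuth2AuthorizationRequestResolver`) spelled out as an added example. This is not code from the original thread or from Spring Security itself; it is a constructed illustration. It assumes the provider's `authorization-uri` property is configured as the bare endpoint (`https://aservername.com/nidp/oauth/nam/authz`, with no `?resourceServer=aName` query string, since leaving it there is what produces the double question mark on 5.1.2), and that the resolver adds the parameter itself. The class names `ResourceServerParamSecurityConfig` and `ResourceServerParamResolver` and the value `aName` are placeholders; the Spring Security types (`DefaultOAuth2AuthorizationRequestResolver`, `OAuth2AuthorizationRequest.from(...)`, `additionalParameters(...)`) are the 5.1 API. It only covers the authorization request; the token URI mentioned in the report is not touched by this resolver.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

/**
 * Hypothetical configuration (not from the thread) for Spring Security 5.1.x.
 *
 * Assumed application.properties for the provider, with the query string removed
 * from the authorization URI so the 5.1.2 builder does not append a second "?":
 *   spring.security.oauth2.client.provider.nam.authorization-uri=https://aservername.com/nidp/oauth/nam/authz
 */
@Configuration
public class ResourceServerParamSecurityConfig extends WebSecurityConfigurerAdapter {

    private final ClientRegistrationRepository clientRegistrationRepository;

    public ResourceServerParamSecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .authorizationEndpoint()
                    // Replace the default resolver with one that appends resourceServer=aName.
                    .authorizationRequestResolver(
                        new ResourceServerParamResolver(this.clientRegistrationRepository, "aName"));
    }

    /**
     * Wraps the default resolver and adds the provider-specific "resourceServer"
     * parameter to every authorization request it produces. The value comes from
     * server-side configuration, never from the incoming HTTP request, so a caller
     * cannot inject arbitrary query parameters into the redirect to the OAuth server.
     */
    static final class ResourceServerParamResolver implements OAuth2AuthorizationRequestResolver {

        private static final String RESOURCE_SERVER_PARAM = "resourceServer";

        private final OAuth2AuthorizationRequestResolver defaultResolver;
        private final String resourceServerName;

        ResourceServerParamResolver(ClientRegistrationRepository repository, String resourceServerName) {
            // Same base URI the default filter uses: /oauth2/authorization/{registrationId}
            this.defaultResolver = new DefaultOAuth2AuthorizationRequestResolver(
                    repository, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
            this.resourceServerName = resourceServerName;
        }

        @Override
        public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
            return addResourceServerParam(this.defaultResolver.resolve(request));
        }

        @Override
        public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
            return addResourceServerParam(this.defaultResolver.resolve(request, clientRegistrationId));
        }

        private OAuth2AuthorizationRequest addResourceServerParam(OAuth2AuthorizationRequest authorizationRequest) {
            if (authorizationRequest == null) {
                // The default resolver returns null for requests that are not authorization
                // requests; the redirect filter then lets the chain continue.
                return null;
            }
            // Copy the existing additional parameters so nothing already resolved is lost.
            Map<String, Object> additionalParameters =
                    new LinkedHashMap<>(authorizationRequest.getAdditionalParameters());
            additionalParameters.put(RESOURCE_SERVER_PARAM, this.resourceServerName);
            // from(...) copies grant type, client id, redirect URI, scopes and state; build()
            // recomputes getAuthorizationRequestUri() with the additional parameters folded
            // into a single, well-formed query string.
            return OAuth2AuthorizationRequest.from(authorizationRequest)
                    .additionalParameters(additionalParameters)
                    .build();
        }
    }
}
```

With this in place, the redirect to the provider carries `resourceServer=aName` alongside `response_type`, `client_id`, `scope` and `state` in one query string. The value should stay fixed in configuration; deriving it from request input would let a client steer what the authorization server receives.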
