
Lack of OAuth2 device flow client authentication handling #1522


Closed
ReLive27 opened this issue Jan 23, 2024 · 1 comment
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@ReLive27

Current Behavior
OAuth2ClientAuthenticationFilter handles OAuth 2.0 client authentication requests. However, the corresponding AuthenticationConverter implementation class and AuthenticationProvider implementation class are not provided for the OAuth2 device flow.

Expected behavior
This requires us to customize the corresponding AuthenticationConverter implementation class and AuthenticationProvider implementation class, but I think this should be a function of Spring Authorization Server.

@ReLive27 ReLive27 added the type: enhancement A general enhancement label Jan 23, 2024
@jgrandja
Collaborator

@ReLive27

This requires us to customize the corresponding AuthenticationConverter implementation class and AuthenticationProvider implementation class, but I think this should be a function of Spring Authorization Server.

Yes, this is correct. The consuming application is responsible for customizing client authentication to allow for public client ("unauthenticated") access.

Spring Authorization Server cannot provide this capability out-of-the-box as it would not adhere to the secure by default principle, since the token endpoint would be "open" allowing a client to obtain an access token simply by providing the client_id parameter only.

For further context, see this comment.

See gh-1157 and related commit as it shows how to customize public client authentication.
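The customization jgrandja describes, as an added example: this is not Spring Authorization Server's own code and not the code from gh-1157 or its commit, but an illustration of the same approach. It assumes a servlet-based Spring Authorization Server application (Spring Security 6, jakarta.servlet); the class names DeviceClientAuthenticationToken, DeviceClientAuthenticationConverter, DeviceClientAuthenticationProvider and DeviceClientAuthenticationConfig are chosen for this example, and the device authorization endpoint path is read from AuthorizationServerSettings rather than hard-coded. The point it demonstrates is why the server cannot ship this by default: the converter accepts a bare client_id only for the two device-flow request shapes, and the provider accepts it only for a RegisteredClient the operator has explicitly registered with ClientAuthenticationMethod.NONE.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.*;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.*;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.*;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.util.StringUtils;

// Distinct token type so the provider below is never handed the built-in client-secret tokens.
// (Example code, not Spring Authorization Server's own classes.)
final class DeviceClientAuthenticationToken extends OAuth2ClientAuthenticationToken {
    DeviceClientAuthenticationToken(String clientId) {          // unauthenticated, from the converter
        super(clientId, ClientAuthenticationMethod.NONE, null, null);
    }
    DeviceClientAuthenticationToken(RegisteredClient client) {  // authenticated, from the provider
        super(client, ClientAuthenticationMethod.NONE, null);
    }
}

// Converts only device-flow requests that carry a bare client_id. Every other request returns null,
// so the token endpoint stays closed for other grants and for clients that present credentials.
final class DeviceClientAuthenticationConverter implements AuthenticationConverter {
    private final AntPathRequestMatcher deviceAuthorizationRequest;
    DeviceClientAuthenticationConverter(String deviceAuthorizationEndpointUri) {
        this.deviceAuthorizationRequest = new AntPathRequestMatcher(deviceAuthorizationEndpointUri, HttpMethod.POST.name());
    }
    @Override
    public Authentication convert(HttpServletRequest request) {
        boolean deviceCodeTokenRequest = AuthorizationGrantType.DEVICE_CODE.getValue()
                .equals(request.getParameter(OAuth2ParameterNames.GRANT_TYPE))
                && request.getParameter(OAuth2ParameterNames.DEVICE_CODE) != null;
        if (!this.deviceAuthorizationRequest.matches(request) && !deviceCodeTokenRequest) {
            return null;
        }
        if (request.getHeader("Authorization") != null || request.getParameter(OAuth2ParameterNames.CLIENT_SECRET) != null
                || request.getParameter(OAuth2ParameterNames.CLIENT_ASSERTION) != null) {
            return null; // credentials present: a confidential client, verified by the built-in converters
        }
        String clientId = request.getParameter(OAuth2ParameterNames.CLIENT_ID); // REQUIRED, exactly once
        if (!StringUtils.hasText(clientId) || request.getParameterValues(OAuth2ParameterNames.CLIENT_ID).length != 1) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_REQUEST);
        }
        return new DeviceClientAuthenticationToken(clientId);
    }
}

// Accepts the unauthenticated token only for clients explicitly registered with
// ClientAuthenticationMethod.NONE; this check keeps "client_id only" from being a universal key.
final class DeviceClientAuthenticationProvider implements AuthenticationProvider {
    private final RegisteredClientRepository clients;
    DeviceClientAuthenticationProvider(RegisteredClientRepository clients) {
        this.clients = clients;
    }
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        DeviceClientAuthenticationToken token = (DeviceClientAuthenticationToken) authentication;
        RegisteredClient client = this.clients.findByClientId(token.getPrincipal().toString());
        if (client == null) {
            throw invalidClient(OAuth2ParameterNames.CLIENT_ID);
        }
        if (!client.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.NONE)) {
            throw invalidClient("authentication_method");
        }
        return new DeviceClientAuthenticationToken(client);
    }
    @Override
    public boolean supports(Class<?> authentication) {
        return DeviceClientAuthenticationToken.class.isAssignableFrom(authentication);
    }
    private static OAuth2AuthenticationException invalidClient(String parameter) {
        return new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT,
                "Device client authentication failed: " + parameter, "https://datatracker.ietf.org/doc/html/rfc6749#section-3.2.1"));
    }
}

// Wiring: the configurer applies custom client authentication to the token endpoint and the
// device authorization endpoint alike (configuration style of Spring Authorization Server 1.4+).
@Configuration
class DeviceClientAuthenticationConfig {
    @Bean
    SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http,
            RegisteredClientRepository clients, AuthorizationServerSettings settings) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer = OAuth2AuthorizationServerConfigurer.authorizationServer();
        http.securityMatcher(authorizationServer.getEndpointsMatcher())
            .with(authorizationServer, as -> as.clientAuthentication(clientAuth -> clientAuth
                .authenticationConverter(new DeviceClientAuthenticationConverter(settings.getDeviceAuthorizationEndpoint()))
                .authenticationProvider(new DeviceClientAuthenticationProvider(clients))));
        return http.build();
    }
}
```

On older releases, replace the `authorizationServer()` / `with(...)` wiring with `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http)` followed by `http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).clientAuthentication(...)`. The device client itself must be registered with both `ClientAuthenticationMethod.NONE` and `AuthorizationGrantType.DEVICE_CODE`; a client registered with a secret is still required to present it, because the converter declines any request carrying an Authorization header, client_secret or client_assertion. After deploying, check the failure mode the maintainer describes directly: a POST to the token endpoint with `grant_type=client_credentials&client_id=<public-client>` and no secret must still come back `invalid_client`, and a device_code issued to one client_id must not be redeemable with another.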

@jgrandja jgrandja self-assigned this Jan 24, 2024
@jgrandja jgrandja added status: declined A suggestion or change that we don't feel we should currently apply and removed type: enhancement A general enhancement labels Jan 24, 2024