Support OIDC login_hint for clients #5244

Closed
tnwang opened this issue Apr 18, 2018 · 7 comments
Comments


tnwang commented Apr 18, 2018

Summary

Support applications acting as clients providing their arbitrary values for OIDC login hint. This is passed along via the login_hint parameter during the OpenID Authentication Request.

It is standard to represent the user you want to use to log in, but as per spec this can be customized for use by the identity provider (spec later mentions it as a string value parameter). As such, applications could be passing dynamic values (e.g. username provided by user to client, or in the case of UAA the application may choose to perform custom logic to determine which identity provider should be used).

http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

login_hint

OPTIONAL. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's discretion.

@jgrandja jgrandja added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) OIDC labels Apr 18, 2018
@jgrandja jgrandja added this to the 5.1.0.M2 milestone Apr 18, 2018
@jgrandja jgrandja self-assigned this Jun 12, 2018
@jgrandja
Contributor

Related #4911

@jgrandja
Contributor

Hi @tnwang. I'm currently looking at implementing this feature. This is what I'm thinking.

The simplest solution to allow for custom authentication request parameters would be to allow the user to provide the request parameters via the ClientRegistration configuration.

For example, if you would like to provide the login_hint in the Authentication Request, you would configure it as follows:

spring:
  security:
    oauth2:
      client:
        registration:
          uaa:
            client-id: client-id
            client-secret: secret
            ...
            ...
        provider:
          uaa:
            authorization-uri: https://tenant1.uaa.com/oauth2/v2/auth?login_hint=thehint
            ...
            ...

We would ensure that any request parameters supplied in the authorization-uri are preserved when building the Authentication Request.

Would this strategy meet your requirement?

@tnwang
Author

tnwang commented Jun 20, 2018

I think long term the use case of the login hint would be that applications collect information up front (the basic example given in OIDC spec is the username) so that the OIDC provider doesn't need to prompt for it again. With UAA, since we support multiple identity providers, an app may implement this for selecting among different identity providers (for example, I might have a Consumer Facing SAML provider vs. an Enterprise facing SAML provider, and the user is specifying whether they are a customer or an employee logging into a support app, where login hint helps the app use the right identity provider).

I'm not sure how flexible the login_hint parameter as part of the URI in the ClientRegistration is if we wanted to update the value later when making the per-user call out to the identity provider.

@jgrandja
Contributor

@tnwang Thanks for the detailed use case. This helps. And agreed a static login_hint provided in the authorization-uri would not suffice for your requirement. Let me give this some more thought.

@jgrandja
Contributor

Closed via 779597a

@jgrandja
Contributor

@tnwang This feature has been merged. Take a look at the following tests for usage:

public void doFilterWhenAuthorizationRequestAndAdditionalParametersProvidedThenAuthorizationRequestIncludesAdditionalParameters() throws Exception {

public void doFilterWhenAuthorizationRequestAndCustomAuthorizationRequestUriSetThenCustomAuthorizationRequestUriUsed() throws Exception {

Also, I'm planning on merging #5521 shortly as this is required in order to configure a custom OAuth2AuthorizationRequestResolver.

Please let me know how this goes and if it suits your requirements.
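The per-user, dynamic form of the hint that tnwang asked for, built on the OAuth2AuthorizationRequestResolver hook this comment points to, as an added example that is not code from this thread or from Spring Security itself. It assumes the Spring Security 5.1 API (OAuth2AuthorizationRequest.from(...), additionalParameters(...), DefaultOAuth2AuthorizationRequestResolver and the DSL method from #5521) and that the application, after collecting an identifier from the user, sends the browser to /oauth2/authorization/{registrationId}?login_hint=... . The class names LoginHintAuthorizationRequestResolver and OAuth2LoginConfig, the SAFE_HINT pattern and the choice of the login_hint query parameter as the carrier are the example's own.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

/**
 * Hypothetical resolver (not part of Spring Security) that copies a login_hint
 * supplied by the application into the OpenID Authentication Request.
 *
 * The hint ultimately comes from the browser, so it is treated as untrusted:
 * only values shaped like the identifiers the spec mentions (e-mail address,
 * phone number, plain username) are forwarded, and the value is never logged.
 */
public class LoginHintAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {

    // Allow-list: letters, digits, and the characters that appear in e-mail
    // addresses and E.164 phone numbers; bounded length. This is the example's
    // own policy, not a value mandated by the OIDC spec.
    private static final Pattern SAFE_HINT = Pattern.compile("^[A-Za-z0-9@._+-]{1,254}$");

    private final OAuth2AuthorizationRequestResolver delegate;

    public LoginHintAuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository) {
        // "/oauth2/authorization" is Spring Security's default base URI for the authorization endpoint.
        this.delegate = new DefaultOAuth2AuthorizationRequestResolver(
                clientRegistrationRepository, "/oauth2/authorization");
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
        return addLoginHint(request, this.delegate.resolve(request));
    }

    @Override
    public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
        return addLoginHint(request, this.delegate.resolve(request, clientRegistrationId));
    }

    private OAuth2AuthorizationRequest addLoginHint(HttpServletRequest request,
                                                    OAuth2AuthorizationRequest authorizationRequest) {
        if (authorizationRequest == null) {
            return null; // delegate decided this request is not an authorization request
        }
        String hint = request.getParameter("login_hint");
        if (hint == null || !SAFE_HINT.matcher(hint).matches()) {
            return authorizationRequest; // no hint, or a value outside the allow-list: send the request unchanged
        }
        // Keep any parameters the delegate already added (for OIDC that includes nonce).
        Map<String, Object> additionalParameters =
                new LinkedHashMap<>(authorizationRequest.getAdditionalParameters());
        additionalParameters.put("login_hint", hint);
        return OAuth2AuthorizationRequest.from(authorizationRequest)
                .additionalParameters(additionalParameters)
                .build();
    }
}

/** Wires the resolver in through the DSL method that #5521 introduces. */
@EnableWebSecurity
class OAuth2LoginConfig extends WebSecurityConfigurerAdapter {

    private final ClientRegistrationRepository clientRegistrationRepository;

    OAuth2LoginConfig(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .authorizationEndpoint()
                    .authorizationRequestResolver(
                            new LoginHintAuthorizationRequestResolver(this.clientRegistrationRepository));
    }
}
```

With this in place the static login_hint in authorization-uri is no longer needed: a request to /oauth2/authorization/uaa?login_hint=alice@example.com produces a redirect to UAA carrying login_hint=alice@example.com alongside client_id, redirect_uri, scope, state and nonce, while a request without the parameter (or with a value the allow-list rejects) behaves exactly as the default resolver does. Because the delegate is still the default resolver, state generation and the saved-request handling are unchanged.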

@tnwang
Author

tnwang commented Jul 17, 2018

Looks good to me at a glance, especially the added ability for arbitrary request parameters. Looping in @aashah as well in case he has any thoughts.
