adding query parameter to authorization_uri creates malformed url #5760
Comments
|
+1 |
|
Hi @jgrandja I dug into the code and found the issue. |
|
@mlevkovsky Support for custom Authorization Request parameters has been added via #4911. For usage, see the tests in this comment. Your custom Makes sense? |
jgrandja
added
status: waiting-for-feedback
|
@jgrandja Is there a reason that we cannot support the user providing a custom parameter in the URL directly? It seems like a reasonable and fairly common thing to want that we would not want the user to need to provide a custom |
|
@rwinch We certainly can provide this additional support. However, when we started work on this feature the plan was to implement exactly this way but a couple of users found this to be limiting given that it doesn't support dynamic parameters. See comments #4911 and #5244. If you still would like this additional support to be added, we can see if @mlevkovsky would like to send a PR for this? |
|
I think it is reasonable to have both layers of support. One is something we can easily provide out of the box. The other we simply provide a hook for something more advanced. |
|
@rwinch Sounds good @mlevkovsky Would you be interested in submitting a PR for this enhancement? |
|
Thanks @mlevkovsky! Please be sure to include a test too :) |
|
@rwinch absolutely :) will try to get it done over the weekend 👍 |
|
NOTE: Since we are releasing 5.1.0.RC2 on Friday and you won't get to it until this weekend I pushed this back to 5.1.0 |
|
@jgrandja I have the same issue and was about to post something similar, so I'm pleased I found this issue first. |
- Check for query parameters in the authorization uri and pass them as additional parameters to the Oauth2Authorization request builder
- fix static import
jgrandja
added
type: enhancement
|
@matthewbluezyoncom I was wondering if you had success configuring your own Oauth2AuthorizationRequestResolver and if you had an example. @jgrandja when I try to configure my custom resolver I get stuck in an endless loop constantly going back to the google login page I'm really not sure why. If you can give me a pointer where my configuration is wrong I would really appreciate it. @Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
OAuth2AuthorizationRequest.Builder builder;
builder = OAuth2AuthorizationRequest.authorizationCode();
Map<String, Object> additionalParameters = new HashMap<>();
additionalParameters.put("access_type","offline");
Set<String> scopes = new HashSet<>(Arrays.asList(SCOPES.split(",")));
OAuth2AuthorizationRequest authorizationRequest = builder
.clientId(CLIENT_ID)
.authorizationUri(AUTHORIZATION_URI)
.redirectUri(request.getScheme()+"://"+request.getServerName()+":"+request.getLocalPort()+"/login/oauth2/code/google")
.scopes(scopes)
.state(this.stateGenerator.generateKey())
.additionalParameters(additionalParameters)
.build();
return authorizationRequest;
}Thanks in advance |
|
Don't use the additionalParameters property, the Spring code places registrationId in there. |
|
I got this working so I could add access_type=offline to get a refresh token. See my code below, from the overidden I decided it was safest to create a new redirect filter based on the default filter and append the extra request parameter on the end of the authorization request uri. |
|
@matthewbluezyoncom thank you very much! It worked for me. |
|
@matthewbluezyoncom I use jdk8 and spring boot 2.1.0 M4 (spring security 5.1.0) it does not work! which your env and version? |
|
@mlevkovsky Your PR codes not in master branch, which spring security version will include your codes? |
|
@jinqinghua i haven't had time to review the PR |
|
@jinqinghua here is an example ` } The security configuration will look like this } |
|
@mlevkovsky thanks a lot. your code works. but still has a question: when my application support google, facebook, github ... uses login, parameter "access_type=offline" will post to facebook, github's api server, this is not necessary, and may occur potential issue (if the parameter "access_type=offline" if facebook, github... return unexpected result). I have following solutions, but ...
but it is private, and I must transform the code to
|
You can add additional parameters fairly easily using a delegation-based strategy for a custom Are you having an issue with this strategy? |
|
@jgrandja Awesome! thanks a lot. I share some enhancement: |
|
I'm still having issues with the method described in the OAuth2AuthorizationRequestResolver documentation you linked. No matter what I do, I if I set my own resolver in order to add a custom parameter, the authorization endpoint is never even called. If I test in Chrome, I can see the network tab in developer console keeps redirecting to "/oauth_login" a bunch of times before getting the Why would adding a custom resolver itself cause this behavior? If I comment out this line in my security config:
Then I definitely hit the You can find my project on GitHub as login-gov. I am using Kotlin, but I was also struggling with the same issue in Java. To run: Do you know what I might be doing wrong here? |
|
Just as a follow up, I if I run in the Intellij IDEA debugger, I catch a breakpoint in this function multiple times, but it never seems to run into the return statement that does the customization -- which doesn't really make any sense to me... Called multiple times: Never catches breakpoint: UPDATE: This appears to be the root cause of why my customization function is never called. Part of the issue seems to be that the How do I ensure the proper
instead of:
|
|
@forgo Looking at the sample code for OAuth2AuthorizationRequestResolver in the reference: @Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
OAuth2AuthorizationRequest authorizationRequest =
this.defaultAuthorizationRequestResolver.resolve(request);
return authorizationRequest != null ?
customAuthorizationRequest(authorizationRequest) :
null;
}If the override fun resolve(request: HttpServletRequest?): OAuth2AuthorizationRequest? {
val authorizationRequest: OAuth2AuthorizationRequest? = defaultAuthorizationRequestResolver.resolve(request)
if (authorizationRequest != null) {
return customAuthorizationRequest(authorizationRequest)
}
return null
} |
|
Thanks for your guidance and quick response! That was definitely the problem. I am still getting familiar with how Kotlin handles or does not handle nulls. Basically I needed to add a bunch of For anyone who's interested in doing the same in Kotlin, this is what my resolver ended up looking like: |
Because of this, authorization_uri can now be a fully-qualified url. Fixes: spring-projectsgh-5760
Because of this, authorization_uri can now be a fully-qualified url. Fixes: gh-5760
Because of this, authorization_uri can now be a fully-qualified url. Fixes: gh-5760
jgrandja
added
type: bug
|
I add additional parameter in CustomOAuth2AuthorizationRequestResolver, but how and where I can get it after answer from OAuth? |
Summary
When creating the authorization uri to login with google, there is the option to add a query parameter in order to get back the refresh token.
However, when the authorization_uri is set to:
The uri that I get redirect to is:
Note the ?access_type=offlince?response_type...
This url is malformed and google complains saying response_type and basic query params are not passed in.
Actual Behavior
Expected Behavior
https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&response_type=code&client_id=[my client id]&scope=[scopes]&state=[state]&redirect_uri=[redirect uri]The access_type query parameter is after the ? and following query parameters should have an & between them.
The order of the query params does not matter.
Configuration
My application.yaml
My WebSecurityConfigurationAdapter
My pom.xml (only including security and oauth2 dependencies)
The text was updated successfully, but these errors were encountered: