Allow customization of auth2 client to support strong authentication via acr_values parameter #7168

Closed
fschollmeyer opened this issue Jul 31, 2019 · 2 comments
Assignees
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid

Comments

@fschollmeyer

Summary

The OpenID Connect specification describes a URL parameter (acr_values) that can be used to request strong authentication from an OAuth2 server.

The spring-security-oauth2-client is not customizable to set this parameter.

Actual Behavior

When I use ServerHttpSecurity.oauth2Login(), an OAuth2AuthorizationRequestRedirectWebFilter is set up automatically that uses a DefaultServerOAuth2AuthorizationRequestResolver to create a redirect to a login service. DefaultServerOAuth2AuthorizationRequestResolver.authorizationRequest() creates a redirect request that does not allow specifying additional URL parameters like, e.g., the acr_values parameter.

It is neither possible to modify the behavior of DefaultServerOAuth2AuthorizationRequestResolver nor is it possible to prevent its instantiation by providing an alternative bean for it.

Expected Behavior

ClientRegistration.Builder should allow either directly specifying acr_values or, more generally, setting values for the additionalAttributes parameters, which DefaultServerOAuth2AuthorizationRequestResolver should then consider.

Configuration

ClientRegistration clientRegistration = ClientRegistrations
    .fromOidcIssuerLocation(oidcIssuer)
    .registrationId(registrationId)
    .clientId(clientId)
    .clientSecret(clientSecret)
    .scope("openid")
    .acrValues("strongAuth")  // <------- this is missing
    .build()

Version

spring-security-oauth2-client:5.1.5.RELEASE

Sample

The following addition to ... would do the trick:

    private OAuth2AuthorizationRequest authorizationRequest(ServerWebExchange exchange, ClientRegistration clientRegistration) {
        String redirectUriStr = this.expandRedirectUri(exchange.getRequest(), clientRegistration);
        Map<String, Object> additionalParameters = new HashMap<>();
        // either this way (getAcrValues() would be a new ClientRegistration getter):
        additionalParameters.put("acr_values", clientRegistration.getAcrValues());
        // or something like this (getAdditionalValues() would be a new ClientRegistration getter):
        additionalParameters.putAll(clientRegistration.getAdditionalValues());

        additionalParameters.put("registration_id", clientRegistration.getRegistrationId());

        OAuth2AuthorizationRequest.Builder builder;
        if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(clientRegistration.getAuthorizationGrantType())) {
            builder = OAuth2AuthorizationRequest.authorizationCode();
        } else if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
            builder = OAuth2AuthorizationRequest.implicit();
        } else {
            throw new IllegalArgumentException("Invalid Authorization Grant Type ("
                    + clientRegistration.getAuthorizationGrantType().getValue()
                    + ") for Client Registration with Id: " + clientRegistration.getRegistrationId());
        }

        return builder
                .clientId(clientRegistration.getClientId())
                .authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
                .redirectUri(redirectUriStr)
                .scopes(clientRegistration.getScopes())
                .state(this.stateGenerator.generateKey())
                .additionalParameters(additionalParameters)
                .build();
    }
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jul 31, 2019
@fschollmeyer
Author

Method in the code sample is from DefaultServerOAuth2AuthorizationRequestResolver.

@jgrandja
Contributor

@fschollmeyer A custom implementation of ServerOAuth2AuthorizationRequestResolver can provide the ability to customize the Authentication Request with additional parameters above the standard parameters, such as acr_values. There is a complete sample in the reference that demonstrates a delegation-based strategy implementation. NOTE: This sample is Servlet-based, however, the implementation pattern would be the same for ServerOAuth2AuthorizationRequestResolver.

FYI, we added OAuth2LoginSpec.authorizationRequestResolver(ServerOAuth2AuthorizationRequestResolver resolver) in #5598, and it has been available since 5.2.0.M2 - 5.2.0 GA is expected to be released on Sep 19.

A custom implementation of ServerOAuth2AuthorizationRequestResolver is handy when the parameter name and/or values are dynamic in nature. However, if the parameter value(s) is static, then the simplest approach would be to add the request parameters directly to authorization-uri in application.yml, e.g.

authorization-uri: "https://provider.com/oauth2/authorize?acr_values=value1"

I'm going to close this issue as I feel I have answered your question. We can always re-open the issue if you have further things to discuss.

@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 21, 2019
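The delegation-based resolver described in the reply above, written out for the WebFlux case the issue is about. This is an added example, not code from the issue author or from the Spring Security project: it wraps the existing DefaultServerOAuth2AuthorizationRequestResolver, copies the resolved request with OAuth2AuthorizationRequest.from(), and appends acr_values (the issue's "strongAuth" value is assumed; the class name AcrValuesAuthorizationRequestResolver and the bean method are mine). It targets Spring Security 5.2, where OAuth2LoginSpec.authorizationRequestResolver(...) exists.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.server.ServerWebExchange;

import reactor.core.publisher.Mono;

/**
 * Delegates to the default resolver and adds a static acr_values parameter
 * to every resolved authorization request (hypothetical class, added example).
 */
public class AcrValuesAuthorizationRequestResolver implements ServerOAuth2AuthorizationRequestResolver {

    private final ServerOAuth2AuthorizationRequestResolver delegate;
    private final String acrValues;

    public AcrValuesAuthorizationRequestResolver(ReactiveClientRegistrationRepository clientRegistrations,
                                                 String acrValues) {
        this.delegate = new DefaultServerOAuth2AuthorizationRequestResolver(clientRegistrations);
        this.acrValues = acrValues;
    }

    @Override
    public Mono<OAuth2AuthorizationRequest> resolve(ServerWebExchange exchange) {
        // The delegate returns an empty Mono when the request is not an
        // authorization request; map() then simply does nothing.
        return this.delegate.resolve(exchange).map(this::withAcrValues);
    }

    @Override
    public Mono<OAuth2AuthorizationRequest> resolve(ServerWebExchange exchange, String clientRegistrationId) {
        return this.delegate.resolve(exchange, clientRegistrationId).map(this::withAcrValues);
    }

    private OAuth2AuthorizationRequest withAcrValues(OAuth2AuthorizationRequest request) {
        // Keep the parameters the default resolver already set (e.g. registration_id)
        // and add acr_values; the builder copies state, scopes, redirect_uri etc.
        Map<String, Object> additionalParameters = new LinkedHashMap<>(request.getAdditionalParameters());
        additionalParameters.put("acr_values", this.acrValues);
        return OAuth2AuthorizationRequest.from(request)
                .additionalParameters(additionalParameters)
                .build();
    }

    /** Wiring into the reactive filter chain (assumed bean, added example). */
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                         ReactiveClientRegistrationRepository clientRegistrations) {
        http
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            .oauth2Login(oauth2 -> oauth2
                .authorizationRequestResolver(
                    new AcrValuesAuthorizationRequestResolver(clientRegistrations, "strongAuth")));
        return http.build();
    }
}
```

One caveat worth keeping in mind: acr_values only asks the provider for a given authentication context; in OpenID Connect Core it is a voluntary claim, so a provider may ignore it or return a weaker context. A client that actually requires strong authentication must also check the acr claim of the returned ID Token (OidcIdToken.getAuthenticationContextClass()) and reject logins whose value does not match, rather than trusting that the redirect parameter was honoured.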