Support POST for authorization code request flow #1874
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
|
The removal of the oidc scope matcher now allow OAuth2AuthorizationEndpointFilter to send POST /authorize request without the openid scope to the converters. But I see two issues with this development: 1- The default converter Tackling this issue seems a bit out of scope for this PR so I didn't touch anything, and it can be surely be solved with some custom converters. 2- Another minor issue I see is that the oauth2 specification is saying that a /authorize request (GET or POST) is supposed to have the parameters in the query string,
contradicting the OIDC spec saying that POST requests must use the body
So this way of getting the request parameters may have to be updated, but again it can be solved with a custom converter, so it also felt out of scope of this PR. Considering these 2 issues, I am not sure the PR is answering the "Support POST for authorization code request flow", and I would like your opinion on this |
|
Rewording my thoughts, I don't think these issues are completely out of scope, but they need significant refactor with more regression risks than the small change here. |
jgrandja
added
type: enhancement
jgrandja
changed the title
| String scope = request.getParameter(OAuth2ParameterNames.SCOPE); | ||
| return StringUtils.hasText(scope) && scope.contains(OidcScopes.OPENID); | ||
| }; | ||
| RequestMatcher responseTypeParameterMatcher = ( |
There was a problem hiding this comment.
responseTypeParameterMatcher should not be removed as it will break the Authorization Consent flow. Only remove openidScopeMatcher here as well as in OAuth2AuthorizationCodeRequestAuthenticationConverter
Closes gh-1811