Add possibility to insert extra form data parameter when getting access token with oauth2 client_credential flow #7781
@jpiccaluga It is already possible to customize the Access Token request. Take a look at the reference doc where you can specify a custom For the reactive side, you can supply a custom I'm going to close this issue since this capability is already available. Please let me know if I missed something.
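The customization path the comment above points at is a custom request entity converter on the token response client. The following is an added example, not code from this issue or from the Spring Security project: a delegating converter that appends an `audience` form parameter to the client_credentials token request and is plugged into `DefaultClientCredentialsTokenResponseClient`. It assumes the Spring Security 5.2.x API (`setRequestEntityConverter`, `ClientCredentialsOAuth2AuthorizedClientProvider.setAccessTokenResponseClient`); the registration id `auth0` and the `AUDIENCE_BY_REGISTRATION` lookup are constructed for the example, and the audience value is the one used in this thread.

```java
import java.util.Collections;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.ClientCredentialsOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequestEntityConverter;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

// Added example (not from the issue or the project): adds a provider-specific
// "audience" parameter to the client_credentials token request body.
public class AudienceClientCredentialsTokenClientConfig {

    // Constructed lookup: which audience to send for which client registration.
    // A real application would source this from its own configuration.
    private static final Map<String, String> AUDIENCE_BY_REGISTRATION =
            Collections.singletonMap("auth0", "http://test/api");

    // Delegates to the default converter so grant_type, scope and client
    // authentication stay exactly as Spring Security builds them, then adds
    // the extra form field. Parameters can be derived per request here, which
    // is the flexibility the maintainer's reply refers to.
    static final class AudienceRequestEntityConverter
            implements Converter<OAuth2ClientCredentialsGrantRequest, RequestEntity<?>> {

        private final OAuth2ClientCredentialsGrantRequestEntityConverter defaultConverter =
                new OAuth2ClientCredentialsGrantRequestEntityConverter();

        @Override
        public RequestEntity<?> convert(OAuth2ClientCredentialsGrantRequest grantRequest) {
            RequestEntity<?> entity = defaultConverter.convert(grantRequest);

            // The default body is a form (MultiValueMap). Copy it instead of
            // mutating the object owned by the delegate.
            @SuppressWarnings("unchecked")
            MultiValueMap<String, String> defaultParams =
                    (MultiValueMap<String, String>) entity.getBody();
            MultiValueMap<String, String> params = new LinkedMultiValueMap<>(defaultParams);

            String registrationId = grantRequest.getClientRegistration().getRegistrationId();
            String audience = AUDIENCE_BY_REGISTRATION.get(registrationId);
            // Only add the field for registrations that need it, and never
            // overwrite a value the default converter already produced.
            if (audience != null && !params.containsKey("audience")) {
                params.add("audience", audience);
            }

            return new RequestEntity<>(params, entity.getHeaders(), entity.getMethod(), entity.getUrl());
        }
    }

    // Wires the converter into the client_credentials authorized client provider.
    static ClientCredentialsOAuth2AuthorizedClientProvider clientCredentialsProvider() {
        DefaultClientCredentialsTokenResponseClient tokenResponseClient =
                new DefaultClientCredentialsTokenResponseClient();
        tokenResponseClient.setRequestEntityConverter(new AudienceRequestEntityConverter());

        ClientCredentialsOAuth2AuthorizedClientProvider provider =
                new ClientCredentialsOAuth2AuthorizedClientProvider();
        provider.setAccessTokenResponseClient(tokenResponseClient);
        return provider;
    }
}
```

The provider returned by `clientCredentialsProvider()` is what an `OAuth2AuthorizedClientManager` is configured with; the same delegation pattern applies to the reactive `WebClientReactiveClientCredentialsTokenResponseClient`, which has no request-entity converter hook in 5.2, so there the body would be built by a subclass instead.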
@jgrandja Thanks for your response.
This is not very elegant. Something like this is preferable:
What do you think?
This is not a lot of code to change. If you agree that it will be more readable and easier for a developer to understand how to enrich the form data, I can submit a PR.
Given the proposed additional configuration:
additional-form-data:
  audience: "http://test/api"
  whatever: "toto"
Which specific endpoint is posted The biggest issue with this configuration approach is that the form data is Furthermore, adding this type of application configuration causes unnecessary complexity to the
@jgrandja
This YAML configuration would be applied in OAuth2ClientProperties.java of the Spring Boot project here, and at this level I don't see which kind of extra complexity it would add. At the spring-security level, we only speak of adding
And adding this line to the WebClientReactiveClientCredentialsTokenResponseClient#body method:
At this level I don't see a drawback when you need to derive form data from the environment/application in a dynamic way. Could you elaborate a little bit? I am not sure I understand this point. IMHO keeping it in configuration is much more intelligible than having one piece in the configuration and another in an
Not all custom form parameters are static in nature. Some of the custom form data that is required for an endpoint may need to be derived dynamically by the application. This is a very common use case. With the application property approach, you could only configure static data which is quite limiting. The current ability to add custom parameters in either the Authorization Request, Token Request or UserInfo request provides all the flexibility needed to enhance the request with any data - dynamic or static.
First of all, application properties are related to Spring Boot here. Secondly, in the spring-security repo I only suggest modifying Finally, the implementation of the token endpoint from OIDC/OAuth2 provider to provider is very static. I mean the request parameters that you should provide for a specific provider will likely never change. What do you think? Could you reconsider this feature request?
Sorry for asking on this old thread.
The audience that is referenced by @jpiccaluga when opening this issue is required to be part of the body. How could the body be manipulated within a filter so it additionally contains the audience? The only way I can see is completely copying the implementation of
Found the answer in issue 9171:
@blatobi How can we use this in our code? Can you please provide a little more detail as to where we'd use the
Summary
Some OIDC/OAuth2 providers like Auth0 require an audience parameter to be set in the POST body when calling the /oauth/token endpoint to retrieve an access token with the client_credentials flow. They do this because a machine-to-machine client could potentially get access to multiple API resource servers.
In order to make client_credentials work with OAuth2 provider specificities, we need to re-implement a custom OAuth2AccessTokenResponseClient or ReactiveOAuth2AccessTokenResponseClient to include the missing required field (audience or whatever the provider specifically needs).
It would be very much appreciated if we could add arbitrary extra parameters to the request body when calling the token endpoint. For example, we could add an extra property as a Map<String, String> in the ClientRegistration class and add it to the body in OAuth2ClientCredentialsGrantRequestEntityConverter and WebClientReactiveClientCredentialsTokenResponseClient.
Actual Behavior
When trying the client_credentials flow with Auth0 I got a 403 and could not retrieve the token, because the audience parameter is not specified in the request.
Expected Behavior
Get status code 200 and retrieve the access token from the Auth0 provider.
Configuration
application.yml
Version
spring-security -> 5.2.1