ch4mpy / spring-addons

Ease spring OAuth2 resource-servers configuration and testing
Apache License 2.0

Configurable HTTP status for responses to authorization_code flow initiation, authorization-code callback and logout #155

Closed ch4mpy closed 9 months ago

ch4mpy commented 9 months ago

Is your feature request related to a problem? Please describe.

I have quite a lot of configuration to write to configure a Spring OAuth2 client as a BFF, and this configuration is different for single-page and mobile applications, which don't need the same HTTP status for the responses they receive from the BFF during authorization_code flow and RP-Initiated Logout.

Describe the solution you'd like

It would be great to configure a default HTTP status for the responses sent

It would also be nice if the different endpoints to which the requests are sent (authorization_code flow initiation, authorization-code callback and logout) accepted a parameter to override the response status.

ch4mpy commented 9 months ago

From 7.1.15, the default OAuth2 response status (302 Found) can be overridden with:

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        client:
          oauth2-redirections:
            pre-authorization-code: FOUND
            post-authorization-code: FOUND
            rp-initiated-logout: ACCEPTED

A per-request override can be done by setting the X-RESPONSE-STATUS header with either a status code or a label (for instance, both 201 and ACCEPTED are accepted as values).
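The per-request override described above, seen from a single-page application: this is an added example, not code from spring-addons or from the issue author. It assumes a same-origin BFF exposing Spring Security's default `/oauth2/authorization/{registrationId}` endpoint and returning the redirect target in the `Location` header under the overridden status; the function names, the `keycloak` registration ID and the origins are constructed for illustration.

```javascript
// Added example, not spring-addons code. Assumed: Spring Security's default
// /oauth2/authorization/{registrationId} endpoint on a same-origin BFF, and the
// redirect target returned in the Location header under the overridden status.
const OVERRIDE_HEADER = "X-RESPONSE-STATUS";

// Build fetch() arguments for login initiation. Asking for a 2xx status lets the
// SPA read the response itself instead of fetch() following a 302 transparently.
function loginInitiationRequest(registrationId, status = "ACCEPTED") {
  const value = String(status);
  // Accept only a 3-digit code or an upper-case label; rejects CR/LF and other junk.
  if (!/^(\d{3}|[A-Z_]+)$/.test(value)) {
    throw new Error(`invalid ${OVERRIDE_HEADER} value`);
  }
  return {
    url: `/oauth2/authorization/${encodeURIComponent(registrationId)}`,
    init: { method: "GET", headers: { [OVERRIDE_HEADER]: value } },
  };
}

// Decide where the browser may navigate next. The Location value is followed only
// when it is https and its origin is on the caller's allow-list (authorization
// server, BFF); anything else is refused rather than navigated to blindly.
function nextLocation(response, allowedOrigins, baseUrl) {
  if (response.status < 200 || response.status >= 300) return null;
  const location = response.headers.get("location");
  if (!location) return null;
  let target;
  try {
    target = new URL(location, baseUrl); // resolves relative Location values too
  } catch {
    return null;
  }
  if (target.protocol !== "https:") return null;
  return allowedOrigins.includes(target.origin) ? target.href : null;
}

// Browser-side usage (not executed here): plug both helpers around fetch().
async function login(registrationId, allowedOrigins) {
  const { url, init } = loginInitiationRequest(registrationId);
  const response = await fetch(url, init);
  const target = nextLocation(response, allowedOrigins, window.location.origin);
  if (target === null) throw new Error("unexpected response to login initiation");
  window.location.href = target;
}
```

If the BFF is served from a different origin than the SPA, `Location` is readable from script only when the BFF lists it in `Access-Control-Expose-Headers`.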