spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

Allow configurable authenticationDetailsSource in OAuth2TokenRevocationEndpointFilter #1634

Open sealte opened 1 month ago

sealte commented 1 month ago

Expected Behavior

OAuth2ClientAuthenticationFilter should use customized authenticationDetailsSource.

Current Behavior

Custom authenticationDetailsSource for OAuth2ClientAuthenticationFilter can't be set from OAuth2AuthorizationServerConfigurer.

Context

Perhaps OAuth2TokenRevocationEndpointFilter needs to obtain the client's IP from HttpServletRequest. I found that the code for setting WebAuthenticationDetailsSource in the revoke process has only appeared in OAuth2ClientAuthenticationFilter, so there needs to be an entry to configure OAuth2ClientAuthenticationFilter.authenticationDetailsSource.


jgrandja commented 1 month ago

@sealte At the moment, OAuth2TokenEndpointFilter and OAuth2AuthorizationEndpointFilter expose a setAuthenticationDetailsSource().

OAuth2ClientAuthenticationFilter is not considered a "Protocol Endpoint" so we would not expose a setAuthenticationDetailsSource().

You referred to OAuth2TokenRevocationEndpointFilter...is this where you are requesting to expose setAuthenticationDetailsSource()?
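
Added example (not part of the thread and not the project's own code): a custom details source that records the caller's address, passed to the setAuthenticationDetailsSource() that OAuth2TokenEndpointFilter already exposes. ClientRequestDetails, ClientRequestDetailsSource and TokenEndpointDetails are hypothetical names, and obtaining the filter instance from the application's configuration is left to the application.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;

/** Hypothetical details object: what an audit log needs to know about the caller. */
record ClientRequestDetails(String remoteAddress, String userAgent) {}

/** Hypothetical AuthenticationDetailsSource that captures the caller's address. */
final class ClientRequestDetailsSource
        implements AuthenticationDetailsSource<HttpServletRequest, ClientRequestDetails> {

    private static final int MAX_USER_AGENT = 256;

    @Override
    public ClientRequestDetails buildDetails(HttpServletRequest request) {
        // getRemoteAddr() is the peer address as resolved by the servlet container.
        // Forwarding headers are not read here: they are caller-controlled unless
        // a trusted proxy overwrites them.
        String remoteAddress = request.getRemoteAddr();

        // User-Agent is caller-supplied: bound its length and replace control
        // characters so it cannot forge lines when written to a log.
        String userAgent = request.getHeader("User-Agent");
        if (userAgent == null) {
            userAgent = "";
        }
        if (userAgent.length() > MAX_USER_AGENT) {
            userAgent = userAgent.substring(0, MAX_USER_AGENT);
        }
        userAgent = userAgent.replaceAll("\\p{Cntrl}", "?");

        return new ClientRequestDetails(remoteAddress, userAgent);
    }
}

final class TokenEndpointDetails {

    private TokenEndpointDetails() {
    }

    /** Applies the custom details source to a token endpoint filter instance. */
    static void apply(OAuth2TokenEndpointFilter filter) {
        filter.setAuthenticationDetailsSource(new ClientRequestDetailsSource());
    }
}
```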

sealte commented 4 weeks ago

@jgrandja Yes. Perhaps OAuth2TokenRevocationEndpointFilter exposing setAuthenticationDetailsSource would be better.

jgrandja commented 3 weeks ago

@sealte Sure, we can look at adding OAuth2TokenRevocationEndpointFilter.setAuthenticationDetailsSource(). Would you be able to submit a PR for this?