spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

OidcClientRegistrationEndpointFilter need a principal, but OAuth2ClientAuthenticationFilter does not handle OidcClientRegistrationEndpointFilter request #1639

Closed sadanyoyo closed 4 months ago

sadanyoyo commented 4 months ago

I set up my security config with this:

    import org.springframework.context.annotation.Bean
    import org.springframework.context.annotation.Configuration
    import org.springframework.core.annotation.Order
    import org.springframework.security.config.Customizer
    import org.springframework.security.config.annotation.web.builders.HttpSecurity
    import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration
    import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer
    import org.springframework.security.web.SecurityFilterChain

    @Configuration
    class SecurityConfig { // class name assumed; the issue shows only the bean method
        @Bean
        @Order(1)
        fun securityChain(http: HttpSecurity): SecurityFilterChain {
            OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http)
            http.getConfigurer(OAuth2AuthorizationServerConfigurer::class.java).apply {
                oidc {
                    it.clientRegistrationEndpoint(Customizer.withDefaults()) // enables /connect/register
                }
            }
            return http.build()
        }
    }

and start my app.

OidcClientRegistrationEndpointFilter will be registered at the end of the security filter chain, after AuthorizationFilter, which means it needs an authentication (provided by OAuth2ClientAuthenticationFilter, I guess).

BUT! OAuth2ClientAuthenticationFilter does not handle the OidcClientRegistrationEndpointFilter request, because it only handles four requests.

What can I do? I cannot modify the requestMatcher in OAuth2ClientAuthenticationFilter, and I cannot modify OAuth2ClientAuthenticationConfigurer.

Please help.

sadanyoyo commented 4 months ago

My mistake, I forgot to configure the oauth2ResourceServer part. This works:

    import org.springframework.context.annotation.Bean
    import org.springframework.context.annotation.Configuration
    import org.springframework.core.annotation.Order
    import org.springframework.security.config.Customizer
    import org.springframework.security.config.annotation.web.builders.HttpSecurity
    import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration
    import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer
    import org.springframework.security.web.SecurityFilterChain

    @Configuration
    class SecurityConfig { // class name assumed; the issue shows only the bean method
        @Bean
        @Order(1)
        fun securityChain(http: HttpSecurity): SecurityFilterChain {
            OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http)
            http.getConfigurer(OAuth2AuthorizationServerConfigurer::class.java).apply {
                this.clientAuthentication { } // keep default client authentication for the token endpoints
                oidc {
                    it.clientRegistrationEndpoint(Customizer.withDefaults()) // enables /connect/register
                }
            }
            // Accept bearer JWTs on this chain; this is what authenticates /connect/register requests
            http.oauth2ResourceServer {
                it.jwt(Customizer.withDefaults())
            }
            return http.build()
        }
    }
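To make the fix above complete, the following configuration shows where the bearer token that authenticates a `/connect/register` request comes from. This is an added example, not code from the issue or from the Spring Authorization Server project. The client registration endpoint reads an `Authentication` from the `SecurityContext` that the resource-server `BearerTokenAuthenticationFilter` populates from an access token, and the token must carry the `client.create` scope; `OAuth2ClientAuthenticationFilter` only authenticates clients at the four endpoints the issue mentions (token, introspection, revocation and device authorization), so it never applies to registration. The class name, the `registrar` client id and secret, and the `{noop}` password encoding are assumptions for illustration; the RSA key is generated at startup for the example only.

```kotlin
// Added example (not from the issue or the project): a minimal configuration in which
// /connect/register accepts a bearer token issued to a registered client that holds
// the client.create scope.
import com.nimbusds.jose.jwk.JWKSet
import com.nimbusds.jose.jwk.RSAKey
import com.nimbusds.jose.jwk.source.ImmutableJWKSet
import com.nimbusds.jose.jwk.source.JWKSource
import com.nimbusds.jose.proc.SecurityContext
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.annotation.Order
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.oauth2.core.AuthorizationGrantType
import org.springframework.security.oauth2.core.ClientAuthenticationMethod
import org.springframework.security.oauth2.jwt.JwtDecoder
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer
import org.springframework.security.web.SecurityFilterChain
import java.security.KeyPairGenerator
import java.security.interfaces.RSAPrivateKey
import java.security.interfaces.RSAPublicKey
import java.util.UUID

@Configuration
class ClientRegistrationSecurityConfig { // class name assumed

    @Bean
    @Order(1)
    fun authorizationServerChain(http: HttpSecurity): SecurityFilterChain {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http)
        http.getConfigurer(OAuth2AuthorizationServerConfigurer::class.java)
            .oidc { oidcConfigurer ->
                oidcConfigurer.clientRegistrationEndpoint(Customizer.withDefaults())
            }
        // BearerTokenAuthenticationFilter puts the JWT-backed Authentication into the
        // SecurityContext; without it /connect/register is rejected as unauthenticated
        // because OAuth2ClientAuthenticationFilter does not match that request.
        http.oauth2ResourceServer { resourceServer ->
            resourceServer.jwt(Customizer.withDefaults())
        }
        return http.build()
    }

    // The "registrar" client may obtain, via client_credentials, an access token carrying
    // the client.create scope that the registration endpoint requires. Id and secret are
    // assumed values; {noop} is for the example only, use a real PasswordEncoder in production.
    @Bean
    fun registeredClientRepository(): RegisteredClientRepository {
        val registrar = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("registrar")
            .clientSecret("{noop}registrar-secret")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
            .scope("client.create")
            .build()
        return InMemoryRegisteredClientRepository(registrar)
    }

    // Signing key for issued JWTs; the JwtDecoder below validates the bearer token presented
    // at /connect/register against this same key set, so the server trusts only its own tokens.
    @Bean
    fun jwkSource(): JWKSource<SecurityContext> {
        val generator = KeyPairGenerator.getInstance("RSA").apply { initialize(2048) }
        val keyPair = generator.generateKeyPair()
        val rsaKey = RSAKey.Builder(keyPair.public as RSAPublicKey)
            .privateKey(keyPair.private as RSAPrivateKey)
            .keyID(UUID.randomUUID().toString())
            .build()
        return ImmutableJWKSet(JWKSet(rsaKey))
    }

    @Bean
    fun jwtDecoder(jwkSource: JWKSource<SecurityContext>): JwtDecoder =
        OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource)
}
```

With this in place, and assuming the server listens on port 9000, the registration flow is two requests: first obtain the token with `curl -u registrar:registrar-secret -d grant_type=client_credentials -d scope=client.create http://localhost:9000/oauth2/token`, then send the registration JSON to `http://localhost:9000/connect/register` with `Authorization: Bearer <access_token>`. A token without the `client.create` scope is rejected by the registration endpoint even though it passes JWT validation, which is the check to run if registration still fails after the resource-server configuration is added.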