spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Support for custom success handling in case of oauth2 client #11878

Closed mucsi96 closed 1 year ago

mucsi96 commented 1 year ago

Expected Behavior

It would be great to have something similar to defaultSuccessUrl, as in the case of OAuth2 login, for the OAuth2 client flow as well, instead of redirecting to the previous request from the request cache after successful authentication of the OAuth2 client.

Current Behavior

Currently it's not possible to customize the flow in OAuth2AuthorizationCodeGrantFilter after successful authentication of the OAuth2 client.

Context

I have a REST-based microservice in a Kubernetes cluster consuming an OAuth2 provider with the authorization code grant flow using the Spring OAuth2 client. I would like to respond with a redirection to a URL which is not handled by Spring (not in the request cache). I need to redirect to the public root URL of the SPA after successful authentication of the OAuth2 client.

The only workaround I am aware of is:

  1. create a custom authorized client repository
  2. throw a custom dummy error in the save method
  3. add a custom Filter before OAuth2AuthorizationCodeGrantFilter which would catch the custom dummy error and do the custom redirection to a URL outside Spring's scope (SPA root page)

sjohnr commented 1 year ago

Hi @mucsi96!

> It would be great to have something similar to defaultSuccessUrl, as in the case of OAuth2 login, for the OAuth2 client flow as well, instead of redirecting to the previous request from the request cache after successful authentication of the OAuth2 client.

> I would like to respond with a redirection to a URL which is not handled by Spring (not in the request cache). I need to redirect to the public root URL of the SPA after successful authentication of the OAuth2 client.

I wonder how you are initiating the flow to authorize the client? If you launch the flow in your application today, where does it redirect to?

If you begin the flow to authorize the client from a specific URL, that URL should be what you return to. In a typical setup, this would be an application-specific URL where you can perform any action. For example:

```java
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AuthorizationController {

    // Resolving the annotated parameter authorizes the client when it is not yet
    // authorized; the request cache then brings the browser back to /authorize
    // once the client has been authorized, and only then does the body run.
    @GetMapping("/authorize")
    public void authorize(
            @RegisteredOAuth2AuthorizedClient("my-client-registration-id")
                    OAuth2AuthorizedClient authorizedClient,
            HttpServletResponse response) throws IOException {
        response.sendRedirect("..."); // Redirect to SPA
    }

}
```

This example utilizes the OAuth2AuthorizedClientManager. The docs also cover how you can supply your own OAuth2AuthorizationSuccessHandler if needed. The default provided by the framework simply saves the OAuth2AuthorizedClient. A custom implementation could presumably perform a redirect after saving the client. However, this doesn't seem necessary.

> Currently it's not possible to customize the flow in OAuth2AuthorizationCodeGrantFilter after successful authentication of the OAuth2 client.

Perhaps I'm misunderstanding your request. Can you elaborate on why you feel this is impossible?

mucsi96 commented 1 year ago

The flow starts from a 401 error response from a REST endpoint.

```json
{
  "_links": {
    "oauth2Login": {
      "href": "http://localhost:8080/oauth2/authorization/withings-client"
    }
  }
}
```

After this, the SPA, using the provided link, redirects to Spring's built-in endpoint /oauth2/authorization/{registrationId}, which redirects to the third-party authorization server, and it redirects back to the Spring built-in endpoint /authorize/oauth2/code/{registrationId}, which is responsible for getting the authorization token from the authorization server using the received code. This flow is driven by OAuth2AuthorizationCodeGrantFilter.

The issue is that I see no way to escape from this filter in an elegant way to avoid redirecting back to the previous request in the request cache. I want to redirect to a URL which is outside of the Spring context (SPA root URL).
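
Putting sjohnr's suggestion and the flow described in the previous comment together, as an added example (not code from this thread or from Spring Security itself): the 401 body links to an application-owned entry point, /authorize, instead of /oauth2/authorization/withings-client, so the URL the request cache replays after the callback is one the application controls. Assumptions: Spring Boot 2.7 / Spring Security 5.7 (javax.servlet, antMatchers), the withings-client registration from the 401 body above configured under spring.security.oauth2.client.registration.withings-client.*, a hypothetical property app.spa-root-url holding the SPA's public root URL, and the package name.

```java
// Added example, not code from this thread or from Spring Security itself.
// Assumptions: Spring Boot 2.7 / Spring Security 5.7 (javax.servlet, antMatchers;
// on 6.x use jakarta.servlet and requestMatchers), the "withings-client"
// registration configured under spring.security.oauth2.client.registration.*,
// and a hypothetical property app.spa-root-url holding the SPA's public root URL.
package com.example.client; // hypothetical package

import java.io.IOException;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class OAuth2ClientConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // The entry point below must be reachable before any client is authorized.
                .antMatchers("/authorize").permitAll()
                // Placeholder for the application's own rules (assumption).
                .anyRequest().authenticated())
            // Registers OAuth2AuthorizationRequestRedirectFilter, which serves
            // /oauth2/authorization/{registrationId} and also catches
            // ClientAuthorizationRequiredException, and OAuth2AuthorizationCodeGrantFilter,
            // which handles the callback at /authorize/oauth2/code/{registrationId}.
            .oauth2Client(Customizer.withDefaults());
        return http.build();
    }
}

@RestController
class AuthorizationController {

    // Fixed, operator-controlled target. Do not take the post-authorization target
    // from a request parameter: that would turn /authorize into an open redirector.
    private final String spaRootUrl;

    AuthorizationController(@Value("${app.spa-root-url}") String spaRootUrl) { // hypothetical property
        this.spaRootUrl = spaRootUrl;
    }

    // The SPA follows the link in the 401 body to /authorize rather than to
    // /oauth2/authorization/withings-client.
    // 1st request: no authorized client, so resolving the parameter throws
    //   ClientAuthorizationRequiredException; OAuth2AuthorizationRequestRedirectFilter
    //   saves /authorize in the request cache and redirects to the authorization server.
    // Callback: OAuth2AuthorizationCodeGrantFilter exchanges the code, saves the
    //   OAuth2AuthorizedClient and redirects to the cached /authorize.
    // 2nd request: the client is authorized, this body runs, the browser goes to the SPA.
    @GetMapping("/authorize")
    public void authorize(
            @RegisteredOAuth2AuthorizedClient("withings-client") OAuth2AuthorizedClient authorizedClient,
            HttpServletResponse response) throws IOException {
        response.sendRedirect(spaRootUrl);
    }
}
```

Two things to check when wiring this up: with the default AuthenticatedPrincipalOAuth2AuthorizedClientRepository, an unauthenticated caller's OAuth2AuthorizedClient is kept in the HTTP session, so the SPA must send the session cookie on its calls or the client will look unauthorized again; and the SPA target is deliberately a configured constant, since a redirect target read from the request would let anyone craft a link that bounces a user through your authorization flow to an attacker-chosen site.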

mucsi96 commented 1 year ago

Thanks a lot for giving an example. I think it would work. But I see a few minor issues with it:

jgrandja commented 1 year ago

@mucsi96 This looks like a duplicate of gh-11069 cc/ @sjohnr

sjohnr commented 1 year ago

Hi @mucsi96, thanks for the reply! We'll keep thinking about integrating SPAs into a Spring Security backend.

> @mucsi96 This looks like a duplicate of gh-11069 cc/ @sjohnr

Thanks @jgrandja, I'm going to close this issue as a duplicate.