fix(oidc): unified discovery + optional endpoint overrides#170
Merged
Previously, SecurityConfig had two ClientRegistration paths gated on
jwk-set-uri: a fully-manual path (hardcoding {issuerUri}/authorize,
/token, /userinfo) and a discovery path that applied no overrides at
all. The manual path was added to work around Entra ID v1.0 issuer
mismatches but hardcoded endpoint URLs that are wrong for Entra (and
any other provider with non-standard paths).
With Entra ID v2.0 (/{tenant}/v2.0 issuer), the discovery document's
issuer field matches the configured issuer-uri, so the startup
assertion in ClientRegistrations passes cleanly and the manual bypass
is no longer needed.
Replace both paths with a single path that always runs OIDC discovery
via ClientRegistrations.fromIssuerLocation(), then applies any
non-blank override properties (authorization-uri, token-uri,
user-info-uri, jwk-set-uri) on top. This is idiomatic Spring Security
and keeps the code generic across providers.
Add authorizationUri to OidcAuthConfig to complete the set of
overridable endpoint properties. Update userInfoUri javadoc to document
the Entra-specific Graph endpoint problem and its fix (set user-info-uri
to login.microsoftonline.com/{tenant}/v2.0/userinfo to get
preferred_username in the UserInfo response).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

- Replace the `if jwk-set-uri / else` dual-path `ClientRegistration` logic in `SecurityConfig` with a single path: always run OIDC discovery via `ClientRegistrations.fromIssuerLocation()`, then apply any non-blank override properties (`authorization-uri`, `token-uri`, `user-info-uri`, `jwk-set-uri`) on top
- Add `authorizationUri` to `OidcAuthConfig` to complete the set of overridable endpoint properties
- Update `userInfoUri` javadoc to document the Entra ID Graph endpoint problem: OIDC discovery for Entra points to `graph.microsoft.com/oidc/userinfo` which omits `preferred_username`; fix is to set `user-info-uri` to `https://login.microsoftonline.com/{tenant}/v2.0/userinfo`

Motivation

The manual path was originally added to work around Entra ID v1.0 issuer mismatches (`iss=https://sts.windows.net/{tenant}/`), but it hardcoded endpoint URLs as `{issuerUri}/authorize`, `{issuerUri}/token`, `{issuerUri}/userinfo`, which are wrong for Entra and any provider with non-standard paths. With Entra ID v2.0 (`/{tenant}/v2.0` issuer), the discovery document's issuer field matches the configured `issuer-uri`, so `ClientRegistrations.fromIssuerLocation()` works directly and the manual bypass is no longer needed.

Test plan

- `user-info-uri` override set to `https://login.microsoftonline.com/{tenant}/v2.0/userinfo` and `user-name-attribute: preferred_username`
- `preferred_username` is populated in the authenticated principal
- `groups-claim: groups`

🤖 Generated with Claude Code
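The "discovery first, non-blank overrides on top" pattern the PR describes, written out as an added example rather than the project's own `SecurityConfig`. It assumes `OidcAuthConfig` is a plain properties holder exposing getters for the issuer, client credentials, user-name attribute and the four overridable endpoints; the class name `OidcClientRegistrationConfig` and the registration id `"oidc"` are placeholders.

```java
// Added example, not the project's code. OidcAuthConfig getters are assumed;
// property names follow the PR text (authorization-uri, token-uri,
// user-info-uri, jwk-set-uri).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.util.StringUtils;

@Configuration
public class OidcClientRegistrationConfig {

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository(OidcAuthConfig cfg) {
        // Always run discovery. fromIssuerLocation() fetches the provider metadata
        // at startup and fails fast if the document's "issuer" does not match the
        // configured issuer-uri. With Entra this is why the v2.0 issuer
        // (https://login.microsoftonline.com/{tenant}/v2.0) is required: the v1.0
        // issuer (sts.windows.net) would trip this check.
        ClientRegistration.Builder builder = ClientRegistrations
                .fromIssuerLocation(cfg.getIssuerUri())
                .registrationId("oidc")                        // placeholder id
                .clientId(cfg.getClientId())
                .clientSecret(cfg.getClientSecret())
                // e.g. preferred_username; discovery defaults this to "sub"
                .userNameAttributeName(cfg.getUserNameAttribute());

        // Apply only the overrides that are actually set; everything else keeps
        // the endpoint discovered from the provider. For Entra, setting
        // user-info-uri to .../{tenant}/v2.0/userinfo replaces the Graph
        // userinfo endpoint that omits preferred_username.
        if (StringUtils.hasText(cfg.getAuthorizationUri())) {
            builder.authorizationUri(cfg.getAuthorizationUri());
        }
        if (StringUtils.hasText(cfg.getTokenUri())) {
            builder.tokenUri(cfg.getTokenUri());
        }
        if (StringUtils.hasText(cfg.getUserInfoUri())) {
            builder.userInfoUri(cfg.getUserInfoUri());
        }
        if (StringUtils.hasText(cfg.getJwkSetUri())) {
            builder.jwkSetUri(cfg.getJwkSetUri());
        }

        return new InMemoryClientRegistrationRepository(builder.build());
    }
}
```

Because the override properties decide where tokens are exchanged and which JWKS signs the ID tokens, they should only ever come from trusted deployment configuration; the discovery document itself is still the source of truth for anything left blank.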