diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java
index 765f5ef7..835f8a6f 100644
--- a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java
+++ b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java
@@ -43,7 +43,6 @@
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
-import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
@@ -99,6 +98,8 @@ public boolean hasAuthorization() {
 public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestConfigurer) throws Exception {
 ClientRegistrationRepository clientRegistrationRepo = createClientRepo();
 oAuth2AuthorizedClientRepository = new HttpSessionOAuth2AuthorizedClientRepository();
+ boolean withPKCE = Boolean.parseBoolean(environment.getProperty("proxy.openid.with-pkce"));
+ log.info("\"with-pkce\" configuration is {}.", withPKCE ? "enabled" : "disabled (default)");
 anyRequestConfigurer.authenticated();
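Review bot: `Boolean.parseBoolean` on the added `withPKCE` line maps every value other than a case-insensitive "true" to false, so a mistyped property (`yes`, `on`, `ture`) silently leaves PKCE off while the next line still logs it as "disabled (default)". Reading it as `boolean withPKCE = environment.getProperty("proxy.openid.with-pkce", Boolean.class, false);` goes through Spring's conversion service, which accepts the usual spellings and rejects an unrecognised value instead of quietly downgrading the login flow. With that form the "(default)" wording in the log line is only shown when the property is genuinely absent, which is what the message implies. The body of configureHttpSecurity continues past the end of this hunk.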
@@ -108,7 +109,7 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon
 .clientRegistrationRepository(clientRegistrationRepo)
 .authorizedClientRepository(oAuth2AuthorizedClientRepository)
 .authorizationEndpoint()
- .authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI))
+ .authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI, withPKCE))
 .and()
 .failureHandler(new AuthenticationFailureHandler() {
diff --git a/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java b/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java
index 176e947c..f52689f9 100644
--- a/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java
+++ b/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java
@@ -24,6 +24,7 @@
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
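Review bot: The PKCE switch is only wired into the authorization-request resolver on the changed `.authorizationRequestResolver(...)` line; nothing in this commit touches the token exchange, so the feature relies on Spring's default token response client copying the `code_verifier` attribute from the stored authorization request into the token request. As far as I recall that is what the stock `OAuth2AuthorizationCodeGrantRequestEntityConverter` does, but if a custom `accessTokenResponseClient` is (or later gets) registered for this login, the verifier would be dropped and a provider that enforces PKCE would reject every login, while one that does not would silently proceed without the protection. A one-line comment would pin that assumption for the next maintainer: `// code_verifier is attached to the token request by Spring's default token response client; keep that default when enabling PKCE`. An integration test that captures the token request and asserts it carries `code_verifier` when the property is set would make the guarantee explicit. The enclosing configureHttpSecurity method starts and ends outside this hunk.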
@@ -36,10 +37,17 @@
 */
 public class FixedDefaultOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {
- private DefaultOAuth2AuthorizationRequestResolver delegate;
+ private final DefaultOAuth2AuthorizationRequestResolver delegate;
 public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri) {
- delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri);
+ this.delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri);
+ }
+
+ public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri, boolean withPKCE) {
+ this(clientRegistrationRepository, authorizationRequestBaseUri);
+ if (withPKCE) {
+ this.delegate.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
+ }
 }
 @Override
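Review bot: The new three-argument constructor has no Javadoc, so a reader cannot tell from the class what `withPKCE` changes or why it is opt-in; a short block above it would settle that, e.g. `/** @param withPKCE when {@code true}, every authorization request gets a PKCE code_challenge/code_verifier pair via {@link OAuth2AuthorizationRequestCustomizers#withPkce()}; when {@code false} the delegate's default behaviour is kept. */`. If the class-level Javadoc ending at the `*/` context line describes only the "fixed" redirect handling, it should mention this option too. On style, the Java convention treats acronyms as words, so the parameter (and the matching local in OpenIDAuthenticationBackend) reads better as `withPkce`, which is also how Spring spells its own `withPkce()` customizer. Making the delegate `final` is a good move; the customizer call on a freshly built delegate keeps the two-argument path unchanged, so existing callers are unaffected.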