From 9a49d4a209aa4f02a493046cffd6288f0f229914 Mon Sep 17 00:00:00 2001 From: Jan Henrik Hasselberg Date: Wed, 15 Jun 2022 14:43:01 +0200 Subject: [PATCH 1/3] Adds option to support IdP that require PKCE for confidential clients. --- .../impl/OpenIDAuthenticationBackend.java | 7 +- ...lwaysPkceAuthorizationRequestResolver.java | 93 +++++++++++++++++++ ...edOAuth2AuthorizationRequestResolver.java} | 14 ++- 3 files changed, 106 insertions(+), 8 deletions(-) create mode 100644 src/main/java/eu/openanalytics/containerproxy/security/AlwaysPkceAuthorizationRequestResolver.java rename src/main/java/eu/openanalytics/containerproxy/security/{FixedDefaultOAuth2AuthorizationRequestResolver.java => DelegatedOAuth2AuthorizationRequestResolver.java} (76%) diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java index 765f5ef7..0271901c 100644 --- a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java +++ b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java @@ -21,7 +21,7 @@ package eu.openanalytics.containerproxy.auth.impl; import eu.openanalytics.containerproxy.auth.IAuthenticationBackend; -import eu.openanalytics.containerproxy.security.FixedDefaultOAuth2AuthorizationRequestResolver; +import eu.openanalytics.containerproxy.security.DelegatedOAuth2AuthorizationRequestResolver; import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext; import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver; import eu.openanalytics.containerproxy.util.SessionHelper; @@ -43,7 +43,6 @@ import org.springframework.security.oauth2.client.OAuth2AuthorizedClient; import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest; import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService; -import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler; import org.springframework.security.oauth2.client.registration.ClientRegistration; import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository; @@ -99,6 +98,8 @@ public boolean hasAuthorization() { public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestConfigurer) throws Exception { ClientRegistrationRepository clientRegistrationRepo = createClientRepo(); oAuth2AuthorizedClientRepository = new HttpSessionOAuth2AuthorizedClientRepository(); + boolean PKCEAlways = Boolean.parseBoolean(environment.getProperty("proxy.openid.pkce-always")); + log.info("\"PKCE always\" configuration is {}.", PKCEAlways ? "enabled" : "disabled (default)"); anyRequestConfigurer.authenticated(); @@ -108,7 +109,7 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon .clientRegistrationRepository(clientRegistrationRepo) .authorizedClientRepository(oAuth2AuthorizedClientRepository) .authorizationEndpoint() - .authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI)) + .authorizationRequestResolver(new DelegatedOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI, PKCEAlways)) .and() .failureHandler(new AuthenticationFailureHandler() { diff --git a/src/main/java/eu/openanalytics/containerproxy/security/AlwaysPkceAuthorizationRequestResolver.java b/src/main/java/eu/openanalytics/containerproxy/security/AlwaysPkceAuthorizationRequestResolver.java new file mode 100644 index 00000000..84acc729 --- /dev/null +++ b/src/main/java/eu/openanalytics/containerproxy/security/AlwaysPkceAuthorizationRequestResolver.java @@ -0,0 +1,93 @@ +/* + * PKCE with confidential clients will eventually become the default behavior in Spring Security, + * but for now a custom authorization request resolver is necessary. + * + * Code is based on example on Okta blog: + * https://developer.okta.com/blog/2020/01/23/pkce-oauth2-spring-boot#making-pkce-work-for-confidential-clients-in-spring-security + * + * =========================================================================== + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the Apache License as published by + * The Apache Software Foundation, either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * Apache License for more details. + * + * You should have received a copy of the Apache License + * along with this program. If not, see + */ + +package eu.openanalytics.containerproxy.security; + +import org.springframework.security.crypto.keygen.Base64StringKeyGenerator; +import org.springframework.security.crypto.keygen.StringKeyGenerator; +import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; +import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver; +import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver; +import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; +import org.springframework.security.oauth2.core.endpoint.PkceParameterNames; + +import javax.servlet.http.HttpServletRequest; +import java.nio.charset.StandardCharsets; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Base64; +import java.util.HashMap; +import java.util.Map; + +public class AlwaysPkceAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver { + private final OAuth2AuthorizationRequestResolver defaultResolver; + private final StringKeyGenerator secureKeyGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96); + + public AlwaysPkceAuthorizationRequestResolver(ClientRegistrationRepository repo, String authorizationRequestBaseUri) { + defaultResolver = new DefaultOAuth2AuthorizationRequestResolver(repo, authorizationRequestBaseUri); + } + + @Override + public OAuth2AuthorizationRequest resolve(HttpServletRequest servletRequest) { + OAuth2AuthorizationRequest req = defaultResolver.resolve(servletRequest); + return customizeAuthorizationRequest(req); + } + + @Override + public OAuth2AuthorizationRequest resolve(HttpServletRequest servletRequest, String clientRegistrationId) { + OAuth2AuthorizationRequest req = defaultResolver.resolve(servletRequest, clientRegistrationId); + return customizeAuthorizationRequest(req); + } + + private OAuth2AuthorizationRequest customizeAuthorizationRequest(OAuth2AuthorizationRequest req) { + if (req == null) { + return null; + } + + Map attributes = new HashMap<>(req.getAttributes()); + Map additionalParameters = new HashMap<>(req.getAdditionalParameters()); + addPkceParameters(attributes, additionalParameters); + return OAuth2AuthorizationRequest.from(req) + .attributes(attributes) + .additionalParameters(additionalParameters) + .build(); + } + + private void addPkceParameters(Map attributes, Map additionalParameters) { + String codeVerifier = this.secureKeyGenerator.generateKey(); + attributes.put(PkceParameterNames.CODE_VERIFIER, codeVerifier); + try { + String codeChallenge = createHash(codeVerifier); + additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, codeChallenge); + additionalParameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256"); + } catch (NoSuchAlgorithmException e) { + additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, codeVerifier); + } + } + + private static String createHash(String value) throws NoSuchAlgorithmException { + MessageDigest md = MessageDigest.getInstance("SHA-256"); + byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII)); + return Base64.getUrlEncoder().withoutPadding().encodeToString(digest); + } +} diff --git a/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java b/src/main/java/eu/openanalytics/containerproxy/security/DelegatedOAuth2AuthorizationRequestResolver.java similarity index 76% rename from src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java rename to src/main/java/eu/openanalytics/containerproxy/security/DelegatedOAuth2AuthorizationRequestResolver.java index 176e947c..1c420db1 100644 --- a/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java +++ b/src/main/java/eu/openanalytics/containerproxy/security/DelegatedOAuth2AuthorizationRequestResolver.java @@ -34,12 +34,16 @@ * Without this, the Filter will eat the body of the (POST) request. As a result Undertow will not be able * to proxy the request to the container. */ -public class FixedDefaultOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver { +public class DelegatedOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver { - private DefaultOAuth2AuthorizationRequestResolver delegate; - - public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri) { - delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri); + private final OAuth2AuthorizationRequestResolver delegate; + + public DelegatedOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri, boolean pkceAlways) { + if (pkceAlways) { + delegate = new AlwaysPkceAuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri); + } else { + delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri); + } } @Override From 6f227a85a68f8e89cedb4105383f7a7da1bf1be3 Mon Sep 17 00:00:00 2001 From: Jan Henrik Hasselberg Date: Fri, 17 Jun 2022 13:42:37 +0200 Subject: [PATCH 2/3] Update option to support IdP that require PKCE for confidential clients. --- .../impl/OpenIDAuthenticationBackend.java | 8 +- ...lwaysPkceAuthorizationRequestResolver.java | 93 ------------------- ...ltOAuth2AuthorizationRequestResolver.java} | 18 ++-- 3 files changed, 15 insertions(+), 104 deletions(-) delete mode 100644 src/main/java/eu/openanalytics/containerproxy/security/AlwaysPkceAuthorizationRequestResolver.java rename src/main/java/eu/openanalytics/containerproxy/security/{DelegatedOAuth2AuthorizationRequestResolver.java => FixedDefaultOAuth2AuthorizationRequestResolver.java} (67%) diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java index 0271901c..1b263559 100644 --- a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java +++ b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java @@ -21,7 +21,7 @@ package eu.openanalytics.containerproxy.auth.impl; import eu.openanalytics.containerproxy.auth.IAuthenticationBackend; -import eu.openanalytics.containerproxy.security.DelegatedOAuth2AuthorizationRequestResolver; +import eu.openanalytics.containerproxy.security.FixedDefaultOAuth2AuthorizationRequestResolver; import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext; import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver; import eu.openanalytics.containerproxy.util.SessionHelper; @@ -98,8 +98,8 @@ public boolean hasAuthorization() { public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestConfigurer) throws Exception { ClientRegistrationRepository clientRegistrationRepo = createClientRepo(); oAuth2AuthorizedClientRepository = new HttpSessionOAuth2AuthorizedClientRepository(); - boolean PKCEAlways = Boolean.parseBoolean(environment.getProperty("proxy.openid.pkce-always")); - log.info("\"PKCE always\" configuration is {}.", PKCEAlways ? "enabled" : "disabled (default)"); + boolean enablePKCEConfidentialClients = Boolean.parseBoolean(environment.getProperty("proxy.openid.pkce-confidential-clients")); + log.info("\"pkce-confidential-clients\" configuration is {}.", enablePKCEConfidentialClients ? "enabled" : "disabled (default)"); anyRequestConfigurer.authenticated(); @@ -109,7 +109,7 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon .clientRegistrationRepository(clientRegistrationRepo) .authorizedClientRepository(oAuth2AuthorizedClientRepository) .authorizationEndpoint() - .authorizationRequestResolver(new DelegatedOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI, PKCEAlways)) + .authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI, enablePKCEConfidentialClients)) .and() .failureHandler(new AuthenticationFailureHandler() { diff --git a/src/main/java/eu/openanalytics/containerproxy/security/AlwaysPkceAuthorizationRequestResolver.java b/src/main/java/eu/openanalytics/containerproxy/security/AlwaysPkceAuthorizationRequestResolver.java deleted file mode 100644 index 84acc729..00000000 --- a/src/main/java/eu/openanalytics/containerproxy/security/AlwaysPkceAuthorizationRequestResolver.java +++ /dev/null @@ -1,93 +0,0 @@ -/* - * PKCE with confidential clients will eventually become the default behavior in Spring Security, - * but for now a custom authorization request resolver is necessary. - * - * Code is based on example on Okta blog: - * https://developer.okta.com/blog/2020/01/23/pkce-oauth2-spring-boot#making-pkce-work-for-confidential-clients-in-spring-security - * - * =========================================================================== - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the Apache License as published by - * The Apache Software Foundation, either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * Apache License for more details. - * - * You should have received a copy of the Apache License - * along with this program. If not, see - */ - -package eu.openanalytics.containerproxy.security; - -import org.springframework.security.crypto.keygen.Base64StringKeyGenerator; -import org.springframework.security.crypto.keygen.StringKeyGenerator; -import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; -import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver; -import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver; -import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; -import org.springframework.security.oauth2.core.endpoint.PkceParameterNames; - -import javax.servlet.http.HttpServletRequest; -import java.nio.charset.StandardCharsets; -import java.security.MessageDigest; -import java.security.NoSuchAlgorithmException; -import java.util.Base64; -import java.util.HashMap; -import java.util.Map; - -public class AlwaysPkceAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver { - private final OAuth2AuthorizationRequestResolver defaultResolver; - private final StringKeyGenerator secureKeyGenerator = new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 96); - - public AlwaysPkceAuthorizationRequestResolver(ClientRegistrationRepository repo, String authorizationRequestBaseUri) { - defaultResolver = new DefaultOAuth2AuthorizationRequestResolver(repo, authorizationRequestBaseUri); - } - - @Override - public OAuth2AuthorizationRequest resolve(HttpServletRequest servletRequest) { - OAuth2AuthorizationRequest req = defaultResolver.resolve(servletRequest); - return customizeAuthorizationRequest(req); - } - - @Override - public OAuth2AuthorizationRequest resolve(HttpServletRequest servletRequest, String clientRegistrationId) { - OAuth2AuthorizationRequest req = defaultResolver.resolve(servletRequest, clientRegistrationId); - return customizeAuthorizationRequest(req); - } - - private OAuth2AuthorizationRequest customizeAuthorizationRequest(OAuth2AuthorizationRequest req) { - if (req == null) { - return null; - } - - Map attributes = new HashMap<>(req.getAttributes()); - Map additionalParameters = new HashMap<>(req.getAdditionalParameters()); - addPkceParameters(attributes, additionalParameters); - return OAuth2AuthorizationRequest.from(req) - .attributes(attributes) - .additionalParameters(additionalParameters) - .build(); - } - - private void addPkceParameters(Map attributes, Map additionalParameters) { - String codeVerifier = this.secureKeyGenerator.generateKey(); - attributes.put(PkceParameterNames.CODE_VERIFIER, codeVerifier); - try { - String codeChallenge = createHash(codeVerifier); - additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, codeChallenge); - additionalParameters.put(PkceParameterNames.CODE_CHALLENGE_METHOD, "S256"); - } catch (NoSuchAlgorithmException e) { - additionalParameters.put(PkceParameterNames.CODE_CHALLENGE, codeVerifier); - } - } - - private static String createHash(String value) throws NoSuchAlgorithmException { - MessageDigest md = MessageDigest.getInstance("SHA-256"); - byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII)); - return Base64.getUrlEncoder().withoutPadding().encodeToString(digest); - } -} diff --git a/src/main/java/eu/openanalytics/containerproxy/security/DelegatedOAuth2AuthorizationRequestResolver.java b/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java similarity index 67% rename from src/main/java/eu/openanalytics/containerproxy/security/DelegatedOAuth2AuthorizationRequestResolver.java rename to src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java index 1c420db1..0536e499 100644 --- a/src/main/java/eu/openanalytics/containerproxy/security/DelegatedOAuth2AuthorizationRequestResolver.java +++ b/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java @@ -24,6 +24,7 @@ import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository; import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver; +import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers; import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; @@ -34,15 +35,18 @@ * Without this, the Filter will eat the body of the (POST) request. As a result Undertow will not be able * to proxy the request to the container. */ -public class DelegatedOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver { +public class FixedDefaultOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver { - private final OAuth2AuthorizationRequestResolver delegate; + private final DefaultOAuth2AuthorizationRequestResolver delegate; + + public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri) { + this.delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri); + } - public DelegatedOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri, boolean pkceAlways) { - if (pkceAlways) { - delegate = new AlwaysPkceAuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri); - } else { - delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri); + public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri, boolean enablePKCEConfidentialClients) { + this(clientRegistrationRepository, authorizationRequestBaseUri); + if (enablePKCEConfidentialClients) { + this.delegate.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce()); } } From c523277d2e65cc02a052824d9fe7834ea42f8b86 Mon Sep 17 00:00:00 2001 From: Jan Henrik Hasselberg Date: Fri, 17 Jun 2022 14:34:02 +0200 Subject: [PATCH 3/3] Renamed option to support IdP that require PKCE for confidential clients to "with-pkce". --- .../auth/impl/OpenIDAuthenticationBackend.java | 6 +++--- .../FixedDefaultOAuth2AuthorizationRequestResolver.java | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java index 1b263559..835f8a6f 100644 --- a/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java +++ b/src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java @@ -98,8 +98,8 @@ public boolean hasAuthorization() { public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestConfigurer) throws Exception { ClientRegistrationRepository clientRegistrationRepo = createClientRepo(); oAuth2AuthorizedClientRepository = new HttpSessionOAuth2AuthorizedClientRepository(); - boolean enablePKCEConfidentialClients = Boolean.parseBoolean(environment.getProperty("proxy.openid.pkce-confidential-clients")); - log.info("\"pkce-confidential-clients\" configuration is {}.", enablePKCEConfidentialClients ? "enabled" : "disabled (default)"); + boolean withPKCE = Boolean.parseBoolean(environment.getProperty("proxy.openid.with-pkce")); + log.info("\"with-pkce\" configuration is {}.", withPKCE ? "enabled" : "disabled (default)"); anyRequestConfigurer.authenticated(); @@ -109,7 +109,7 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon .clientRegistrationRepository(clientRegistrationRepo) .authorizedClientRepository(oAuth2AuthorizedClientRepository) .authorizationEndpoint() - .authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI, enablePKCEConfidentialClients)) + .authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI, withPKCE)) .and() .failureHandler(new AuthenticationFailureHandler() { diff --git a/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java b/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java index 0536e499..f52689f9 100644 --- a/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java +++ b/src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java @@ -43,9 +43,9 @@ public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationReposito this.delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri); } - public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri, boolean enablePKCEConfidentialClients) { + public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri, boolean withPKCE) { this(clientRegistrationRepository, authorizationRequestBaseUri); - if (enablePKCEConfidentialClients) { + if (withPKCE) { this.delegate.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce()); } }