Adds option to support IdP that require PKCE for confidential clients.

src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

@@ -43,7 +43,6 @@
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
-import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
@@ -99,6 +98,8 @@ public boolean hasAuthorization() {
 	public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestConfigurer) throws Exception {
 		ClientRegistrationRepository clientRegistrationRepo = createClientRepo();
 		oAuth2AuthorizedClientRepository = new HttpSessionOAuth2AuthorizedClientRepository();
+		boolean withPKCE = Boolean.parseBoolean(environment.getProperty("proxy.openid.with-pkce"));
+		log.info("\"with-pkce\" configuration is {}.", withPKCE ? "enabled" : "disabled (default)");
 
 		anyRequestConfigurer.authenticated();
 
@@ -108,7 +109,7 @@ public void configureHttpSecurity(HttpSecurity http, AuthorizedUrl anyRequestCon
 				.clientRegistrationRepository(clientRegistrationRepo)
 				.authorizedClientRepository(oAuth2AuthorizedClientRepository)
 				.authorizationEndpoint()
-					.authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI))
+				.authorizationRequestResolver(new FixedDefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI, withPKCE))
 				.and()
 				.failureHandler(new AuthenticationFailureHandler() {
 

src/main/java/eu/openanalytics/containerproxy/security/FixedDefaultOAuth2AuthorizationRequestResolver.java

@@ -24,6 +24,7 @@
 
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 
@@ -36,10 +37,17 @@
  */
 public class FixedDefaultOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {
 
-	private DefaultOAuth2AuthorizationRequestResolver delegate;
+	private final DefaultOAuth2AuthorizationRequestResolver delegate;
 
 	public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri) {
-		delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri);
+		this.delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository, authorizationRequestBaseUri);
+	}
+
+	public FixedDefaultOAuth2AuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository, String authorizationRequestBaseUri, boolean withPKCE) {
+		this(clientRegistrationRepository, authorizationRequestBaseUri);
+		if (withPKCE) {
+			this.delegate.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());
+		}
 	}
 
 	@Override