Consent scopes belong to multiple resource servers #9207
Apologies @chenrujun, but I'm not understanding your use case. Can you put together a minimal sample that demonstrates your use case so I can better understand?
Hi @jgrandja, thank you for your response. Here is the sample:
In this configuration,
@chenrujun The sample you provided does not qualify as a minimal reproducible sample. The only code in there is

Either way, I now understand what you are trying to achieve. The 2 options are as follows:

Option 1

Change

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          provider-one:
            authorization-uri: blabla
            token-uri: blabla
        registration:
          registration-one:
            provider: provider-one
            client-id: blabla
            client_secret: blabla
            scope: scope-one-one, scope-one-two, scope-two-one, scope-two-two
```

After user is logged in then redirect to

```java
@GetMapping("/authorize-client")
public String authorizeClient(
        @RegisteredOAuth2AuthorizedClient("registration-one") OAuth2AuthorizedClient authorizedClient) {
    return "index";
}
```

Option 2

Keep

```yaml
spring:
  security:
    oauth2:
      client:
        provider:
          provider-one:
            authorization-uri: blabla
            token-uri: blabla
        registration:
          registration-one:
            provider: provider-one
            client-id: blabla
            client_secret: blabla
            scope: scope-one-one, scope-one-two
          registration-two:
            provider: provider-one
            client-id: blabla
            client_secret: blabla
            scope: scope-two-one, scope-two-two
```

After user is logged in then redirect to

```java
@GetMapping("/authorize-two-clients")
public String authorizeTwoClients(
        @RegisteredOAuth2AuthorizedClient("registration-one") OAuth2AuthorizedClient authorizedClient1,
        @RegisteredOAuth2AuthorizedClient("registration-two") OAuth2AuthorizedClient authorizedClient2) {
    return "index";
}
```

For future reference, questions are better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. I'm going to close this as both solutions will work for your use case.
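
Added example, not code from this thread or from Spring Security: the Option 2 controller extended with a check that each authorized client's access token carries exactly the scopes of its own registration, so the token sent to one resource server never holds the other's scopes. The class name `TwoClientsController` and the helper `requireScopes` are hypothetical, and the check assumes the provider grants scopes exactly as requested.

```java
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class TwoClientsController { // hypothetical class name

    // Scopes requested per registration, copied from the Option 2 YAML.
    private static final Set<String> SCOPES_ONE = Set.of("scope-one-one", "scope-one-two");
    private static final Set<String> SCOPES_TWO = Set.of("scope-two-one", "scope-two-two");

    @GetMapping("/authorize-two-clients")
    public String authorizeTwoClients(
            @RegisteredOAuth2AuthorizedClient("registration-one") OAuth2AuthorizedClient authorizedClient1,
            @RegisteredOAuth2AuthorizedClient("registration-two") OAuth2AuthorizedClient authorizedClient2) {
        requireScopes(authorizedClient1, SCOPES_ONE);
        requireScopes(authorizedClient2, SCOPES_TWO);
        return "index";
    }

    // Hypothetical helper: compares the granted scopes on the access token
    // with the scopes this registration is expected to hold.
    static void requireScopes(OAuth2AuthorizedClient client, Set<String> expected) {
        String id = client.getClientRegistration().getRegistrationId();
        Set<String> granted = client.getAccessToken().getScopes();

        // Consent was narrowed or declined: calls to the resource server would fail later.
        Set<String> missing = new HashSet<>(expected);
        missing.removeAll(granted);
        if (!missing.isEmpty()) {
            throw new IllegalStateException(id + ": consent did not cover " + missing);
        }

        // Token is broader than intended: it would expose another resource server's scopes.
        Set<String> extra = new HashSet<>(granted);
        extra.removeAll(expected);
        if (!extra.isEmpty()) {
            throw new IllegalStateException(id + ": token carries unexpected scopes " + extra);
        }
    }
}
```

With Option 1 the single token holds all four scopes, so the same check against `SCOPES_ONE` would report `scope-two-one` and `scope-two-two` as unexpected.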
@jgrandja, thank you for your response.
This option can NOT solve my problem. Because in
This can NOT solve my problem.
Option 1 can work but you will need to configure the provider. As per spec, the
The Option 2 can work as well.
I'm assuming you meant the consent screen comes up twice? If this is the case, then most providers support auto-approving scopes and/or not displaying the consent screen. Again, this is a provider configuration so you'll have to refer to the reference document on how to configure. If in fact you did mean the user has to enter credentials twice then I find this very unusual. After the user authenticates with the provider the first time then the session is authenticated and should not re-authenticate on next attempt? Either way, this is also a configuration on the provider that you will need to look into. Regardless, both options will work but looks like you need to apply some configuration on the provider side.
I got it. Thank you very much for your suggestions. 👍
Hi @lzc-1997-abel, could you please investigate whether Microsoft Identity supports:
Expected Behavior
In spring-security-oauth2-client, when multiple clientRegistrations use the same provider, by one user-consent operation, the resource owner can consent to scopes belonging to multiple resource servers, and put multiple authorizedClients into OAuth2AuthorizedClientRepository.
Current Behavior
When multiple clientRegistrations use the same provider, by one user-consent operation, the resource owner can consent to scopes belonging to only one resource server, and put only one authorizedClient into OAuth2AuthorizedClientRepository.
Context
For example, a developer has clientRegistration1 and clientRegistration2, and both client registrations use the same provider.
We have the requirement to put both clientRegistration1 and clientRegistration2 by one consent operation.
Here is a workaround to satisfy this requirement: Azure/azure-sdk-for-java@5885067