Introduce resource_metadata parameter resolver for BearerTokenAuthenticationEntryPoint #18542

Closed
Kehrlann wants to merge 1 commit into spring-projects:main from Kehrlann:dgarnier/bearer-token-entrypoint-parameters-customizer

@Kehrlann (Contributor) commented Jan 21, 2026

Dynamically resolve the resource_metadata from the incoming HTTP request in BearerTokenAuthenticationEntryPoint. This is required when you want to, say, preserve the path parameter of the incoming request, or include a query string.

See [RFC 9728 > 3.1. Protected Resource Metadata Request](https://datatracker.ietf.org/doc/html/rfc9728#section-3.1):

> If the resource identifier value contains a path or query component, any terminating slash (/) following the host component MUST be removed before inserting /.well-known/ and the well-known URI path suffix between the host component and the path and/or query components. The consumer of the metadata would make the following request when the resource identifier is https://resource.example.com/resource1 and the well-known URI path suffix is oauth-protected-resource to obtain the metadata, since the resource identifier contains a path component:
>
> ```
> GET /.well-known/oauth-protected-resource/resource1 HTTP/1.1
> Host: resource.example.com
> ```
>
> Using path components enables supporting multiple resources per host. This is required in some multi-tenant hosting configurations.
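
The URL construction described in the quoted RFC 9728 text, as an added example that is not part of this pull request or of Spring Security. The class name `ProtectedResourceMetadataUrl`, the method `metadataUrl`, the input validation, and the second and third sample identifiers are assumptions made for illustration; the example goes slightly beyond the quoted case by also handling a bare trailing slash and a query string.

```java
import java.net.URI;
import java.util.List;

public class ProtectedResourceMetadataUrl {

    // Well-known URI path suffix named in the RFC 9728 section 3.1 text quoted above.
    static final String WELL_KNOWN = "/.well-known/oauth-protected-resource";

    /** Derives the metadata URL a client would request for a resource identifier. */
    static URI metadataUrl(String resourceIdentifier) {
        URI resource = URI.create(resourceIdentifier);
        // Assumption of this example: accept only absolute https identifiers without a fragment.
        if (!"https".equalsIgnoreCase(resource.getScheme()) || resource.getRawAuthority() == null) {
            throw new IllegalArgumentException("expected an absolute https URL: " + resourceIdentifier);
        }
        if (resource.getRawFragment() != null) {
            throw new IllegalArgumentException("fragment not allowed: " + resourceIdentifier);
        }
        String path = resource.getRawPath();
        // A lone "/" after the host is the terminating slash that must be dropped.
        if (path == null || path.equals("/")) {
            path = "";
        }
        StringBuilder url = new StringBuilder("https://")
                .append(resource.getRawAuthority())
                .append(WELL_KNOWN) // inserted between the host and the path and/or query
                .append(path);
        if (resource.getRawQuery() != null) {
            url.append('?').append(resource.getRawQuery());
        }
        return URI.create(url.toString());
    }

    public static void main(String[] args) {
        // Constructed sample identifiers; the first is the one used in the quoted RFC text.
        List<String> samples = List.of(
                "https://resource.example.com/resource1",
                "https://resource.example.com/",
                "https://resource.example.com/tenant-a/api?region=eu");
        for (String sample : samples) {
            System.out.println(sample + " -> " + metadataUrl(sample));
        }
    }
}
```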

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 21, 2026
@Kehrlann Kehrlann force-pushed the dgarnier/bearer-token-entrypoint-parameters-customizer branch 3 times, most recently from 9d68449 to 0c7e0fb Compare January 23, 2026 16:30
…esolver

Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
@Kehrlann Kehrlann force-pushed the dgarnier/bearer-token-entrypoint-parameters-customizer branch from 0c7e0fb to 838b0b2 Compare January 23, 2026 16:30
@Kehrlann Kehrlann marked this pull request as ready for review January 23, 2026 16:43
@Kehrlann Kehrlann changed the title Bearer token entrypoint parameters customizer Introduce resource_metadata parameter resolver for BearerTokenAuthenticationEntryPoint Jan 23, 2026
@Kehrlann Kehrlann changed the title Introduce resource_metadata parameter resolver for BearerTokenAuthenticationEntryPoint Introduce resource_metadata parameter resolver for BearerTokenAuthenticationEntryPoint Jan 23, 2026
@jgrandja jgrandja self-assigned this Feb 2, 2026
@jgrandja jgrandja added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 2, 2026
@jgrandja jgrandja added this to the 7.1.0-M2 milestone Feb 2, 2026
@jgrandja jgrandja closed this in 4957c5a Feb 2, 2026
jgrandja added a commit that referenced this pull request Feb 2, 2026