Make RedirectStrategy customizable in OAuth2AuthorizationEndpointFilter

[dawidkaluza]

Expected Behavior
Make it possible to inject custom implementation of RedirectStrategy (via constructor or setter) in OAuth2AuthorizationEndpointFilter, so that a developer can adjust its behavior and create login and consent pages in SPA manner.

Current Behavior
RedirectStrategy is hard-coded in OAuth2AuthorizationEndpointFilter which prevents from overriding its implementation.

Context
Currently, RedirectStrategy when used in mentioned filter sends HTTP 302 response which is automatically handled by browsers and therefore can't be controlled by web apps when requests comes from them, not from user's actions (like form submit, click on link, etc.).
This behavior becomes problematic when we want to make our login and consent page SPA pages, where one of its main advantage is no need to reload the whole page when going to another page, and where the web app should control how it's going to present the information provided by the server.
Even though we can override AuthenticationSuccessHandler and AuthenticationFailureHandler, we can not override redirect to consent page once a resource owner needs to consent access to given client. Besides that, I believe that it often would be more convenient to provide custom implementation just for redirection instead of overriding the whole handlers just to change a small piece that can be achieved much easier via DI.

[dawidkaluza]

P.S. additionally, I wanted to add that I'm happy to contribute straight to the code so if you need any help there please let me know 😀

[jgrandja]

@dawidkaluza Please see this comment:

Also, OAuth2AuthorizationEndpointFilter.redirectStrategy is used for the Authorization Response, Authorization Consent Response and Error Response, so even if we were to expose it, I'm not sure it would make sense since it's used in 3 different flows.

It is possible to use a SPA with Spring Authorization Server without having to override the redirectStrategy as a number of users have already gone through this setup.

Please take a look at How-to: Authenticate using a Single Page Application with PKCE as it might help. Otherwise, please ask on Stack Overflow as there are users using an SPA and Spring Authorization Server setup.

@sjohnr Do you have an SPA and Spring Authorization Server sample?

[dawidkaluza]

Hi @jgrandja, I've gone through all issues already and seen the How-to guide you sent. The thing is, as I understand, that in all these examples people are talking about client as SPA and authorization server as server, and trying to accomplish login onto auth server directly from client app, having login and consent pages on client side. What I'm trying to accomplish is embedding very simple SPA with login and consent pages only into auth server - I'm not thinking about sharing it with a client at all. If there are still some questions, I can create a simple POC of what I'm trying to get from spring auth server.

[jgrandja]

@dawidkaluza

I'm trying to accomplish is embedding very simple SPA with login and consent pages only into auth server - I'm not thinking about sharing it with a client at all

I don't understand what you mean by "not thinking about sharing it with a client at all" ? The OAuth2 Client initiates the Authorization Request to the authorization server for the authorization code grant flow, as per spec.

It's not clear to me what you are looking to accomplish. A simple POC would be super helpful. But please post the question on Stack Overflow as you'll have a much bigger audience to help you. And please provide a link here so I can take a look at it as well.

[dawidkaluza]

@jgrandja I could have posted this on StackOverflow, but it's the question to the authors of this project, not other developers - so that is why I'm here. Please, let me explain my use case more clearly to make sure that we are all on the same page.

I don't understand what you mean by "not thinking about sharing it with a client at all" ? The OAuth2 Client initiates the Authorization Request to the authorization server for the authorization code grant flow, as per spec.

I meant that SPA I was talking about was not supposed to be a part of client app. In my scenario, we would have it configured in this way

• resource owner - an end user
• client - a public client, doesnt matter if it's web app, mobile app, as I don't want to change anything in here
• authorization server - Spring Authorization Server customized + simple SPA to serve login and consent pages - both compiled together as single application - and that is what I'm trying to get but can't because of the issue mentioned in the title here.

As mentioned earlier, here is the POC: https://github.com/dawidkaluza/spa-in-spring-auth-server-poc

Please let me know what you think or if you have any questions once you get familiar with it. Thanks in advance!

[jgrandja]

@dawidkaluza RestfulRedirectStrategy returns a JSON response which goes against the contract of RedirectStrategy:

Encapsulates the redirection logic for all classes in the framework which perform redirects.

Instead, the extension point you should use for returning a JSON response is AuthenticationSuccessHandler. The OAuth2AccessTokenResponseAuthenticationSuccessHandler is an example of this as it returns the Access Token Response as JSON.

As far as (user) login goes, this is not a concern of Spring Authorization Server and instead is a Spring Security concern. The demo-authorizationserver and associated DefaultSecurityConfig provides the Spring Security specific configuration for user authentication so you would need to customize Spring Security to meet your requirements.

As far as authorization consent goes, could you not provide a custom consent page via authorizationServerConfigurer.authorizationEndpoint.consentPage("/custom-consent") and then in the /custom-consent @Controller you have complete control in returning anything in the response, such as JSON. I'm not familiar with React, but I would imagine that it could handle the initial redirect to "/custom-consent" and then handle the following JSON response to render the page in the SPA?

I could have posted this on StackOverflow, but it's the question to the authors of this project, not other developers

The questions you have so far are all custom behaviour that would need to be customized in your application. I don't see any changes needed in Spring Authorization Server at this point. I would bet someone has already done this custom setup already. So I would post on StackOverflow as there are other React users that can answer this question much better than I can.

[dawidkaluza]

As far as authorization consent goes, could you not provide a custom consent page via authorizationServerConfigurer.authorizationEndpoint.consentPage("/custom-consent") and then in the /custom-consent @Controller you have complete control in returning anything in the response, such as JSON. I'm not familiar with React, but I would imagine that it could handle the initial redirect to "/custom-consent" and then handle the following JSON response to render the page in the SPA?

@jgrandja I'm not sure it's going to work but will give it a shot and come back with the results.

[xiaoliuxuesheng]

If the use of window.location.href = '/oauth2/authorize?xxx=xxx', the redirectStrategy OAuth2AuthorizationEndpointFilter can be normal to jump to the authorization page, But you need to send /oauth2/authorize requests on the SPA application using XMLHttpRequest, In this case, the response status code in redirectStrategy cannot be obtained. private HttpStatus statusCode = httpStatus. FOUND

[xiaoliuxuesheng]

If the use of window.location.href = '/oauth2/authorize?xxx=xxx', the redirectStrategy OAuth2AuthorizationEndpointFilter can be normal to jump to the authorization page, But you need to send /oauth2/authorize requests on the SPA application using XMLHttpRequest, In this case, the response status code in redirectStrategy cannot be obtained. private HttpStatus statusCode = httpStatus. FOUND

[dawidkaluza]

@jgrandja

As far as authorization consent goes, could you not provide a custom consent page via authorizationServerConfigurer.authorizationEndpoint.consentPage("/custom-consent") and then in the /custom-consent @Controller you have complete control in returning anything in the response, such as JSON.

I've tried this and it works. So to sum it up, we can make the whole interaction more SPA friendly by configuring in authorizationEndpoint:

• custom authorizationResponseHandler and errorResponseHandler handlers, that are mostly the same as original handlers but eventually will send REST response instead of redirecting response;
• custom consent page to be /custom-consent served by the server via @controller ant returning custom JSON response.
  POC, if anyone is interested: https://github.com/dawidkaluza/spa-in-spring-auth-server-poc/tree/redirectViaController

Nevertheless, in my opinion, the solution has its design flaws:

• copy-pasting most handlers' implementation, since they are encapsulated and reusing them is not available;
• implementation unnecessarly being spread to many classes in consent page case (send response which is a redirect to another page served by the server just to send different response there). It could have really been a single class and a single response served by the sever to the client.

@dawidkaluza RestfulRedirectStrategy returns a JSON response which goes against the contract of RedirectStrategy

I see, but on the other hand in DefaultRedirectStrategy class you have the following method (and the docs):

And in my case this user agent's behavior is undesired. Even just changing returned status code so that the client could control the redirection would help. I think it's just a response and whether we want a user agent or client app to control it - it's just a matter of contract between server and client sides.