Allow to configure IssuerResolver

[ivan-zaitsev]

Expected Behavior
Allow to configure AuthorizationServerContextFilter or IssuerResolver, this should allow to change default url prefix issuer resolver to different type of resolvers, for example: request header/parameter resolver, url path resolver.

Or allow to disable AuthorizationServerContextFilter, this should allow to add custom filter.

Current Behavior
AuthorizationServerContextFilter and IssuerResolver are private, not possible to configure or disable.

Context
Want to resolve tenant from url, then concatenate some static prefix. But current AuthorizationServerContextFilter may execute after my custom filter, so it is better to have ability to disable it or change IssuerResolver.

By requesting http://localhost:8080/issuer1/.well-known/openid-configuration I want to get issuer1 or https://static-value/issuer1 instead http://localhost:8080/issuer1.

Another reason is to add OAuth social login client urls http://localhost:8080/issuer1/login/oauth2/code/... and http://localhost:8080/issuer1/oauth2/authorization/... to authorization server context. Using different filters for OAuth server/client urls may result in inconsistent issuer resolution.

[jgrandja]

@ivan-zaitsev

Want to resolve tenant from url ... By requesting http://localhost:8080/issuer1/.well-known/openid-configuration I want to get issuer1

This is already possible. Please see How-to: Implement Multitenancy for details on how to configure.

By requesting http://localhost:8080/issuer1/.well-known/openid-configuration I want to get issuer1 or https://static- value/issuer1 instead http://localhost:8080/issuer1

https://static-value/issuer1 is not a valid Issuer Identifier since it's not reachable and would break OidcProviderConfigurationEndpointFilter and OAuth2AuthorizationServerMetadataEndpointFilter and would likely break other parts of the framework.

Please see 4.1. OpenID Provider Configuration Request as the framework complies with that part of the spec.

Want to resolve tenant from url, then concatenate some static prefix. But current AuthorizationServerContextFilter may execute after my custom filter

I would not recommend "concatenate some static prefix" to the issuer identifier as this would result in breakage of endpoints and other parts of the framework. However, this would be custom behaviour that you would need to implement to meet your custom requirements. You would need to register a custom filter after AuthorizationServerContextFilter and set a new instance of AuthorizationServerContext similar to how AuthorizationServerContextFilter is implemented.

To ensure your custom filter is registered after AuthorizationServerContextFilter, you need to configure httpSecurity.addFilterBefore(customAuthorizationServerContextFilter, SecurityContextPersistenceFilter.class).