Summary
Please provide a way to inject specific RequestCache to the OAuth2AuthorizationCodeGrantFilter.
The "sister" filter OAuth2AuthorizationRequestRedirectFilter already has a #setRequestCache method for injecting specific RequestCache, but the OAuth2AuthorizationCodeGrantFilter uses a hardcoded HttpSessionRequestCache.
Reasoning
Current setup does not allow for easy customization of redirect scenarios after successful OAuth2 Code grant authorization flow.
Two workarounds exist to my knowledge:
1. Use the HttpSessionRequestCache with a specially crafted HttpServletRequestWrapper, such that the DefaultSavedRequest created from it in the HttpSessionRequestCache will return a desired redirect uri.
2. Avoid saving the request via RequestCache's interface, and store it directly in the session via
request.getSession().setAttribute("SPRING_SECURITY_SAVED_REQUEST", customSavedRequest)
The first one is prone to breakage and complicated to implement, because DefaultSavedRequest#getRedirectUrl() builds a URL from multiple fields that have to be specifically overridden in the request wrapper.
The second workaround is slightly less complicated, but even more prone to breakage, as the session attribute name is not a public constant and can change at any time.
The addition of injectable RequestCache would make the OAuth2AuthorizationCodeGrantFilter on par with OAuth2AuthorizationRequestRedirectFilter.
Version
5.2.2
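Workaround 1 from the issue body, as an added example (not code from the issue or from Spring Security itself): an HttpServletRequestWrapper that overrides only the accessors DefaultSavedRequest#getRedirectUrl() reads, handed to a stock HttpSessionRequestCache. The class name, method names and path values are hypothetical, and the example assumes the javax.servlet API used by Spring Security 5.2.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

/**
 * DefaultSavedRequest#getRedirectUrl() is assembled from scheme, server name, server port,
 * request URI and query string. Overriding the two path-related accessors is enough to make
 * HttpSessionRequestCache store a request whose redirect URL points at a chosen local path;
 * everything else (headers, cookies, parameters) is still copied from the real request.
 */
public final class RedirectOverridingRequest extends HttpServletRequestWrapper {

    private final String requestUri;   // full path including context path, e.g. "/app/after-login"
    private final String queryString;  // e.g. "tab=profile", or null for none

    public RedirectOverridingRequest(HttpServletRequest delegate, String requestUri, String queryString) {
        super(delegate);
        if (requestUri == null || !requestUri.startsWith("/")) {
            // keep the target relative to this application; an absolute URL would let the
            // saved-request redirect leave the site
            throw new IllegalArgumentException("requestUri must be an absolute path on this host");
        }
        this.requestUri = requestUri;
        this.queryString = queryString;
    }

    @Override
    public String getRequestURI() {
        return requestUri;
    }

    @Override
    public String getQueryString() {
        return queryString;
    }

    // getScheme(), getServerName() and getServerPort() are deliberately left to the delegate,
    // so the rebuilt URL always stays on the host that received the request.

    /** Saves a re-targeted request the same way Spring Security's filters do (hypothetical helper). */
    public static void saveRedirectTarget(HttpServletRequest request, HttpServletResponse response,
                                          String path, String query) {
        HttpSessionRequestCache cache = new HttpSessionRequestCache();
        cache.saveRequest(new RedirectOverridingRequest(request, path, query), response);
    }
}
```

After the authorization code exchange succeeds, the filter reads the saved request back through the same HttpSessionRequestCache and redirects to the overridden URI, which is exactly the coupling to DefaultSavedRequest's fields that the issue calls fragile.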
Comment From: rwinch
Thanks for the feedback. Is this something you would be willing to contribute?
Comment From: parikshitdutta
Hi @rwinch, how is this for contribution? I can take a look.
Comment From: rwinch
Thanks for volunteering @parikshitdutta! The issue is yours :smile:
Comment From: parikshitdutta
Hi @rwinch, the build process is failing at OAuth2ResourceServerSpecTests. Is it okay to discuss it here, or should I rather open an issue?
Comment From: rwinch
@parikshitdutta Here is fine. What is the failure you are getting?
Comment From: parikshitdutta
Hi @rwinch, there are 27 tests failing with "java.lang.IllegalStateException: Failed to load ApplicationContext", from OAuth2ResourceServerSpecTests.
Result page attached for your reference: (https://github.com/spring-projects/spring-security/files/4456729/org.springframework.security.config.web.server.OAuth2ResourceServerSpecTests.zip)
Comment From: rwinch
How are you running the tests? It looks like you might be running them from the command line. What command do you run and from what folder? Do any of the other tests work?
Comment From: parikshitdutta
I am running a plain build from the command line, i.e. "gradlew build". I have also tried other variations such as clean, refresh-dependencies etc., with the same result: only those 27 tests fail, all the other tests (about 1800 tests) pass.
I am trying to build from spring-security root folder.
Comment From: parikshitdutta
FYI, I was following "README.adoc" to try the building process with "gradlew build", which is failing at my end.
Then I tried the gradle tasks for the respective module, such as "spring-security-config" etc., using the IntelliJ "run test" option, and those are getting through!
Whereas the same with "gradlew spring-security-config:test" from the console again fails for those 27 tests.
Finally, I tried "gradlew clean build integrationTest" from "spring-security" folder from console, that passed all the tests, and build was successful.
@rwinch please guide me with the right approach to test and ensure the changes I have made are good for production.
Is running "gradlew clean build integrationTest" from spring-security folder sufficient after I am done with my code changes?
Comment From: parikshitdutta
@rwinch Please take a look at PR #8392, or please assign it to the respective reviewer.
Thank you.