Currently, scopes are space-delimited in the authorization request (in security.oauth2.core.endpoint.OAuth2AuthorizationRequest). This is according to the spec, so if services behave nicely, all is fine. There are however services out there that do not adhere to the spec (such as Strava). Passing in a space-delimited list of scopes causes the request to fail, indicating an invalid scope.

Any commas passed into the list of scopes get converted into spaces by Spring Security. Great behaviour for services that adhere to the spec, but not for me, wanting to talk to Strava. So, this, for example, doesn't work.

scope: activity:read,read_all

It'd be great if somehow the delimiter could be configured in the ClientRegistration. Sure, it is not how things are supposed to work, but currently, I cannot use Spring Security with Strava.

For reference, it's currently hard-coded in org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest

Changing getParameters(......) to the following does the trick for me.

private Map<String, Object> getParameters() {
    Map<String, Object> parameters = new LinkedHashMap<>();
    parameters.put("response_type", this.responseType.getValue());
    parameters.put("client_id", this.clientId);
    if (!CollectionUtils.isEmpty(this.scopes)) {
        // Comma instead of the spec's space delimiter, so Strava accepts the request
        parameters.put("scope", StringUtils.collectionToDelimitedString(this.scopes, ","));
    }
    // ... the rest of the method (state, redirect_uri, additional parameters) is unchanged
    return parameters;
}

p.s. here's a similar issue, from gravitee https://github.com/gravitee-io/issues/issues/1001

Comment From: sjohnr

Hi @alefarendsen, thanks for your interest in the project!

It does indeed appear difficult to customize the behavior of encoding the scopes in the request to the authorization server. One possible solution would be to add this customization option to the OAuth2AuthorizationRequest.Builder. Since the DefaultOAuth2AuthorizationRequestResolver already has a Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer, directly affecting the builder should be possible, we only need to make it possible to override the default delimiter in the builder for encoding scopes in the URL.

I believe that would be preferred over propagating something this specific from the ClientRegistration itself. Would you be interested in trying your hand at submitting a PR for this?

Comment From: alefarendsen

Hey Steve,

It's been a while, but yes I can do that. Will take a bit of time though, I'm a little busy the next week or so.

Alef

Comment From: jgrandja

@alefarendsen

It's already possible to override the default scope parameter by converting it from space-delimited to comma-delimited.

As noted by @sjohnr, the customization point is:

Since the DefaultOAuth2AuthorizationRequestResolver already has a Consumer<OAuth2AuthorizationRequest.Builder> authorizationRequestCustomizer, directly affecting the builder should be possible, we only need to make it possible to override the default delimiter in the builder for encoding scopes in the URL

Here is a sample configuration to override it:

this.resolver.setAuthorizationRequestCustomizer((customizer) ->
        customizer.parameters((params) -> {
            // Override any of the default parameters (before encoding)

            // Override the default scope parameter using comma delimiter
            String scope = (String) params.get(OAuth2ParameterNames.SCOPE);
            String[] scopes = StringUtils.delimitedListToStringArray(scope, " ");
            params.put(OAuth2ParameterNames.SCOPE, StringUtils.arrayToDelimitedString(scopes, ","));
        })
);

Please refer to the reference (https://docs.spring.io/spring-security/reference/servlet/oauth2/client/authorization-grants.html#_customizing_the_authorization_request) for additional details on customizing the authorization request.

I'm going to close this as the solution provided allows for customization.
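The snippet above shows the customizer in isolation. The following is an added, complete wiring of it into a Spring Security configuration; it is example code written for this thread, not code from the Spring Security project or from any commenter. It assumes a client registration with id `strava` in `application.yml` (the id is a placeholder) and that `DefaultOAuth2AuthorizationRequestResolver` puts the registration id into the builder's attributes under `OAuth2ParameterNames.REGISTRATION_ID` before invoking the customizer. The registration check is the part worth keeping: the comma rewrite is then applied only to the non-compliant provider, and every other registration keeps the spec's space-delimited scope, so a later provider never receives a scope string it will reject or silently reinterpret. The rewrite runs before URL encoding, so the comma is encoded as `%2C` in the redirect.

```java
import java.util.function.Consumer;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.util.StringUtils;

@Configuration
public class StravaScopeDelimiterConfig {

    // Placeholder: the registration id used for Strava in application.yml.
    static final String STRAVA_REGISTRATION_ID = "strava";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
            ClientRegistrationRepository clientRegistrationRepository) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2Login(oauth2 -> oauth2
                .authorizationEndpoint(endpoint -> endpoint
                    .authorizationRequestResolver(
                        authorizationRequestResolver(clientRegistrationRepository))));
        return http.build();
    }

    // Same resolver Spring Security uses by default, with the customizer attached.
    static OAuth2AuthorizationRequestResolver authorizationRequestResolver(
            ClientRegistrationRepository clientRegistrationRepository) {
        DefaultOAuth2AuthorizationRequestResolver resolver =
            new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository,
                OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
        resolver.setAuthorizationRequestCustomizer(commaDelimitedScopesFor(STRAVA_REGISTRATION_ID));
        return resolver;
    }

    // Rewrites the "scope" parameter from space- to comma-delimited, but only for
    // the given registration; all other providers keep the RFC 6749 encoding.
    static Consumer<OAuth2AuthorizationRequest.Builder> commaDelimitedScopesFor(String registrationId) {
        return builder -> builder.attributes(attributes -> {
            // Assumption: the resolver has already stored the registration id here.
            if (!registrationId.equals(attributes.get(OAuth2ParameterNames.REGISTRATION_ID))) {
                return;
            }
            builder.parameters(params -> {
                String scope = (String) params.get(OAuth2ParameterNames.SCOPE);
                if (!StringUtils.hasText(scope)) {
                    return; // no scopes configured, nothing to rewrite
                }
                String[] scopes = StringUtils.delimitedListToStringArray(scope, " ");
                params.put(OAuth2ParameterNames.SCOPE,
                    StringUtils.arrayToDelimitedString(scopes, ","));
            });
        });
    }
}
```

With `spring.security.oauth2.client.registration.strava.scope` set to `activity:read,read_all` (which Spring reads as two scopes), the redirect to Strava carries `scope=activity%3Aread%2Cread_all`, while a GitHub or Google registration in the same application still sends its scopes space-delimited. The `OAuth2AuthorizationRequest` object itself keeps its `scopes` set untouched; only the outgoing query parameter is changed.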

Comment From: alefarendsen

Thanks Joe,

this is helpful, as always.

cheers, Alef

Comment From: sjohnr

Ah, perfect! I had somehow missed the parametersConsumer.