If you use an API gateway, you need to adjust the redirected host name more flexibly. I would like to specify the redirectUri based on different hosts and ports (the endpoint of the API gateway).
I think it is necessary to improve the DefaultOAuth2AuthorizationRequestResolver, the basic implementation of OAuth2AuthorizationRequestResolver, which is currently used within the OAuth2AuthorizationRequestFilter.
```java
// Excerpt from Spring Security's DefaultOAuth2AuthorizationRequestResolver
// (package org.springframework.security.oauth2.client.web); imports added for readability.
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {

	private OAuth2AuthorizationRequest resolve(HttpServletRequest request, String registrationId,
			String redirectUriAction) {
		if (registrationId == null) {
			return null;
		}
		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
		if (clientRegistration == null) {
			throw new InvalidClientRegistrationIdException("Invalid Client Registration with Id: " + registrationId);
		}
		OAuth2AuthorizationRequest.Builder builder = getBuilder(clientRegistration);
		// The redirect_uri template is expanded from the *incoming* request here.
		String redirectUriStr = expandRedirectUri(request, clientRegistration, redirectUriAction);
		// @formatter:off
		builder.clientId(clientRegistration.getClientId())
				.authorizationUri(clientRegistration.getProviderDetails().getAuthorizationUri())
				.redirectUri(redirectUriStr)
				.scopes(clientRegistration.getScopes())
				.state(DEFAULT_STATE_GENERATOR.generateKey());
		// @formatter:on
		this.authorizationRequestCustomizer.accept(builder);
		return builder.build();
	}

	private static String expandRedirectUri(HttpServletRequest request, ClientRegistration clientRegistration,
			String action) {
		Map<String, String> uriVariables = new HashMap<>();
		uriVariables.put("registrationId", clientRegistration.getRegistrationId());
		// Scheme, host and port come straight from the servlet request (the backend's view of the URL),
		// not from whatever host name the API gateway exposes to the browser.
		// @formatter:off
		UriComponents uriComponents = UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
				.replacePath(request.getContextPath())
				.replaceQuery(null)
				.fragment(null)
				.build();
		// @formatter:on
		// ... (excerpt ends here in the original post)
```
I think that in this part, instead of taking the scheme, host and port from the request, there should be another means of user customization.
Currently, the final class, private access and private static methods are too strict.
I think some possible solutions are as follows:
1. While keeping the class structure, add resolver-style fields and provide setters for them. In the logic, the code calls the function registered in the field.
2. If the final class is intended, provide an AbstractOAuth2AuthorizationRequestResolver for convenience.
3. Change private to protected and drop the final modifier from the class, so that users can override the details.
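One way to get the gateway-aware redirect_uri without modifying the final class is to wrap the default resolver and post-process the request it builds. The following is an added example written for this discussion, not code from Spring Security or from the issue author. It assumes Spring Security 5.x with `javax.servlet` (use `jakarta.servlet` on 6.x), and it assumes the gateway sets `X-Forwarded-Proto`, `X-Forwarded-Host` and `X-Forwarded-Port`. The class name `GatewayAwareAuthorizationRequestResolver`, the `allowedGatewayOrigins` set and the `forwardedOrigin` helper are hypothetical. The security-relevant point is that forwarded headers are client-controllable unless a trusted proxy strips them, so the rewrite only ever uses an origin from a configured allowlist; anything else falls back to the default resolver's result.

```java
import java.net.URI;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Hypothetical wrapper (not part of Spring Security) that delegates to
 * DefaultOAuth2AuthorizationRequestResolver and rewrites the redirect_uri so it
 * points at the API gateway the browser actually talks to, instead of the backend
 * host the gateway forwarded the request to.
 *
 * Only origins in allowedGatewayOrigins are ever used, so forged X-Forwarded-*
 * headers from an untrusted client cannot steer the redirect_uri elsewhere.
 */
public class GatewayAwareAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {

	private final OAuth2AuthorizationRequestResolver delegate;

	// Constructed allowlist, e.g. Set.of("https://api.example.com", "https://api.example.com:8443")
	private final Set<String> allowedGatewayOrigins;

	public GatewayAwareAuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository,
			String authorizationRequestBaseUri, Set<String> allowedGatewayOrigins) {
		this.delegate = new DefaultOAuth2AuthorizationRequestResolver(clientRegistrationRepository,
				authorizationRequestBaseUri);
		this.allowedGatewayOrigins = Set.copyOf(allowedGatewayOrigins);
	}

	@Override
	public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
		return rewrite(request, this.delegate.resolve(request));
	}

	@Override
	public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
		return rewrite(request, this.delegate.resolve(request, clientRegistrationId));
	}

	private OAuth2AuthorizationRequest rewrite(HttpServletRequest request, OAuth2AuthorizationRequest original) {
		if (original == null) {
			return null; // not an authorization request; nothing to rewrite
		}
		String gatewayOrigin = forwardedOrigin(request);
		if (gatewayOrigin == null || !this.allowedGatewayOrigins.contains(gatewayOrigin)) {
			// Missing or unknown forwarded origin: keep the default resolver's redirect_uri.
			return original;
		}
		// Keep the path and query the default resolver computed; swap only scheme/host/port.
		URI resolved = URI.create(original.getRedirectUri());
		String redirectUri = UriComponentsBuilder.fromUriString(gatewayOrigin)
				.path(resolved.getRawPath())
				.query(resolved.getRawQuery())
				.build()
				.toUriString();
		return OAuth2AuthorizationRequest.from(original).redirectUri(redirectUri).build();
	}

	/** Builds "scheme://host[:port]" from X-Forwarded-* headers, or returns null if the host is absent. */
	static String forwardedOrigin(HttpServletRequest request) {
		String host = request.getHeader("X-Forwarded-Host");
		if (host == null || host.isBlank()) {
			return null;
		}
		String proto = request.getHeader("X-Forwarded-Proto");
		String port = request.getHeader("X-Forwarded-Port");
		StringBuilder origin = new StringBuilder();
		origin.append((proto != null && !proto.isBlank()) ? proto : "https").append("://").append(host);
		if (port != null && !port.isBlank() && !host.contains(":")) {
			origin.append(':').append(port);
		}
		return origin.toString();
	}
}
```

Register it with `http.oauth2Login(o -> o.authorizationEndpoint(a -> a.authorizationRequestResolver(resolver)))`. The rewritten redirect_uri must still match a redirect URI registered at the authorization server, so keep the allowlist and the provider registration in sync. If the gateway is fully trusted to overwrite forwarded headers, Spring Framework's `ForwardedHeaderFilter` is an alternative: it makes `UrlUtils.buildFullRequestUrl(request)` inside the default resolver see the forwarded scheme, host and port directly, with no custom resolver at all.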
Comment From: onjik
I found a better way. I'm leaving a link for those who have the same concerns as me. https://github.com/spring-projects/spring-security/issues/5631