Joe Grandja
Ok good to know that `AuthenticationTrustResolver` could be a potential solution. I'll also look at what the impact would be if we moved the `OAuth2AuthorizationEndpointFilter` behind `AuthorizationFilter`. Please give me...
@merxos > I got a business requirement where one of the scopes that we provide should not display consent page. Could you not configure a `RegisteredClient` that requests that scope...
@merxos > If it doesn't, please provide more detailed information for your use case so I can better understand. I still do not understand your use case. Please provide much...
@PunchyRascal Given the 3x client flows described [above](https://github.com/spring-projects/spring-authorization-server/issues/1363#issuecomment-1770270415), the following 3x `RegisteredClient`s would fulfill the 3x flows. Makes sense?

```java
RegisteredClient client1 = RegisteredClient.withId(UUID.randomUUID().toString())
    .clientId("client-1")
    .clientSecret("{noop}secret")
    .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
    .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
    .redirectUri("http://127.0.0.1:8080/authorized")
    .scope("scope-a")...
```
@PunchyRascal > but the problem is that the clients can later switch what scopes they want - it's up to them. The scopes are not predefined at registration time. One...
@PunchyRascal > We have a system where we are able to dynamically change the registered scopes. By implementing a custom `RegisteredClientRepository`. If you're able to dynamically change the registered scopes...
@merxos I now understand your use case. `Client1` is configured with `scopeA` (consent not required) and `scopeB` (consent required). Flow 1: `Client1` requests `scopeA` and consent should not display. Flow...
@finke-ba > Option to override the default `LogoutHandler` The internal `LogoutHandler` is not intended to be exposed. The sole purpose is to reuse the logic in `SecurityContextLogoutHandler` to clear the...
@finke-ba Thanks for the explanation. I'll review the customization capabilities of the other Filters you mentioned and will look at aligning the same in `OidcLogoutEndpointFilter`. I'll get to this soon...
@finke-ba If you can submit a PR that would be great 👍