
Allow the ability to deactivate the device authorization grant

Open ddittmar opened this issue 2 years ago • 15 comments

Expected Behavior

I would like to have the ability to deactivate certain flows (or endpoints).

Current Behavior

There is no way to deactivate certain flows (or endpoints).

Context

Specifically I want to deactivate the "device authorization flow". I don't want my server to have the ability.

The "OpenID Connect 1.0 Client Registration endpoint" is disabled by default. Why can't I deactivate other endpoints?

ddittmar avatar Nov 20 '23 15:11 ddittmar

@ddittmar

I want to deactivate the "device authorization flow". I don't want my server to have the ability.

Can you please provide a detailed reason why you need to deactivate the device authorization endpoint?

As an FYI, if there are no RegisteredClients that are configured with .authorizationGrantType(AuthorizationGrantType.DEVICE_CODE) then the endpoint will never process the flow anyway.

I would like to have the ability to deactivate certain flows (or endpoints).

Which other flows? Please be specific and provide a detailed reason.

jgrandja avatar Nov 25 '23 15:11 jgrandja

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues avatar Dec 02 '23 15:12 spring-projects-issues

@jgrandja sorry for the late reply ...

You're right that the flow is never processed if the RegisteredClient does not have the AuthorizationGrantType.DEVICE_CODE configured... but then the endpoint is open and will never do anything... additionally the filter is in the security chain without any need...

I just thought it would be good to deactivate the flow completely because (in my case) there is no need for a "device authorization flow" and I think (especially) the device flow is a more exotic case.

ddittmar avatar Dec 04 '23 07:12 ddittmar

Thanks for the explanation @ddittmar. I updated the issue title to be more specific.

jgrandja avatar Dec 05 '23 12:12 jgrandja

@jgrandja,

Do we need to support this feature? If so, can I work on this?

gregecho avatar Dec 20 '23 06:12 gregecho

@gregecho Thanks for your interest. It's a lower priority item at the moment but if you would like to work on it please go ahead. Just a heads up that I'm heading out for the holidays and will be back Jan 8.

jgrandja avatar Dec 21 '23 16:12 jgrandja

@ddittmar Just circling back to this and I have a temporary workaround until we come up with a solution.

Assuming the @Bean name for the Authorization Server SecurityFilterChain is authorizationServerSecurityFilterChain, registering the following BeanPostProcessor will remove the device_code grant Filters:

import java.util.ArrayList;
import java.util.List;

import jakarta.servlet.Filter;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceAuthorizationEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceVerificationEndpointFilter;
import org.springframework.security.web.DefaultSecurityFilterChain;

// Declared static so the post-processor is instantiated before the regular beans it must intercept.
@Bean
public static BeanPostProcessor authorizationServerSecurityFilterChainPostProcessor() {
	return new BeanPostProcessor() {
		@Override
		public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
			if (beanName.equals("authorizationServerSecurityFilterChain")) {
				DefaultSecurityFilterChain securityFilterChain = (DefaultSecurityFilterChain) bean;
				// Work on a mutable copy of the chain's filter list and drop the two device grant filters.
				List<Filter> filters = new ArrayList<>(securityFilterChain.getFilters());
				filters.removeIf((filter) ->
						filter instanceof OAuth2DeviceAuthorizationEndpointFilter ||
								filter instanceof OAuth2DeviceVerificationEndpointFilter);

				// Rebuild the chain with the same request matcher and the reduced filter list.
				return new DefaultSecurityFilterChain(
						securityFilterChain.getRequestMatcher(), filters);
			}

			// Any other bean is returned untouched.
			return bean;
		}
	};
}

jgrandja avatar Apr 26 '24 13:04 jgrandja
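A way to verify that the workaround above actually took effect, as an added example that is not part of the thread or the Spring Authorization Server project: a Spring Boot test that inspects the rebuilt chain. It assumes the same bean name (authorizationServerSecurityFilterChain), JUnit 5, and that the token endpoint filter is still expected in the chain.

```java
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

import java.util.List;

import jakarta.servlet.Filter;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceAuthorizationEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2DeviceVerificationEndpointFilter;
import org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter;
import org.springframework.security.web.SecurityFilterChain;

@SpringBootTest
class DeviceGrantDisabledTest {

    // Bean name is an assumption matching the workaround; change it if your config uses another.
    @Autowired
    @Qualifier("authorizationServerSecurityFilterChain")
    private SecurityFilterChain authorizationServerSecurityFilterChain;

    @Test
    void deviceGrantFiltersAreRemovedAndOtherEndpointsSurvive() {
        List<Filter> filters = authorizationServerSecurityFilterChain.getFilters();

        // Neither device grant filter may remain in the chain after post-processing.
        assertFalse(filters.stream().anyMatch(f -> f instanceof OAuth2DeviceAuthorizationEndpointFilter),
                "device authorization endpoint filter is still present");
        assertFalse(filters.stream().anyMatch(f -> f instanceof OAuth2DeviceVerificationEndpointFilter),
                "device verification endpoint filter is still present");

        // Rebuilding the chain must not have dropped the filters we still rely on;
        // the token endpoint filter is used here as a sentinel.
        assertTrue(filters.stream().anyMatch(f -> f instanceof OAuth2TokenEndpointFilter),
                "token endpoint filter was lost when the chain was rebuilt");
    }
}
```

If the bean post-processor is ever renamed or the chain bean gets a different name, this test fails rather than silently leaving the device endpoints wired in.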