
Improve customizing OIDC Client Registration endpoint

Open rratliff opened this issue 2 years ago • 5 comments

Expected Behavior

The OIDC registration API calls the RegisteredClientRepository save method with a RegisteredClient object. I'd like the ability to have any custom claims on the registration request be propagated here.

Current Behavior

The OidcClientRegistration object contains all the claims (including custom claims) in the registration request, but these claims are dropped when the auth provider creates the RegisteredClient object to pass to the repository.

Context

The use case would be adding an extra claim during registration and then being able to access it later in the OAuth2TokenCustomizer as part of the JwtEncodingContext

rratliff avatar Apr 21 '22 15:04 rratliff

@rratliff

I'd like the ability to have any custom claims on the registration request be propagated here

Can you provide more details on the custom claims you need propagated to the RegisteredClient?

Please provide the exact use case so I can better understand.

jgrandja avatar Apr 27 '22 20:04 jgrandja

I'm replacing a spring-security-oauth2 implementation. We had written our own register API and had a "subject" claim, which we later populated in the sub claim in the OAuth token. So the use case would be to capture the subject claim from the registration request so that it can be stored and later used during the token customization.

(I realize that this may be a slight deviation from OAuth standard in that sub means something specific in the token and probably should not be customizable.)

rratliff avatar Apr 28 '22 16:04 rratliff

@rratliff

So the use case would be to capture the subject claim from the registration request so that it can be stored and later used during the token customization

If we provided an extension point, where would you store the subject claim for later use?

jgrandja avatar May 31 '22 19:05 jgrandja

I was thinking of using the clientSettings. Then I have access to it in RegisteredClientRepository.

Example:

import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.oidc.OidcClientRegistration;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;

public class SubjectAwareRegisteredClientConverter extends DefaultRegisteredClientConverter {

	public static final String CLIENT_SETTINGS_SUBJECT_KEY = "subject";

	@Override
	public RegisteredClient createClient(OidcClientRegistration clientRegistration) {
		// Let the default conversion build the client, then add the custom claim.
		RegisteredClient registeredClient = super.createClient(clientRegistration);
		// Start from the existing settings so the defaults applied during dynamic
		// registration (e.g. requireProofKey / requireAuthorizationConsent) are kept
		// rather than replaced by a settings object holding only the subject.
		ClientSettings.Builder clientSettings = ClientSettings.withSettings(
				registeredClient.getClientSettings().getSettings());
		Object subject = clientRegistration.getClaim("subject");
		// Builder.setting() rejects null values, so only add the key when the
		// registration request actually carried a subject claim.
		if (subject != null) {
			clientSettings.setting(CLIENT_SETTINGS_SUBJECT_KEY, subject);
		}
		return RegisteredClient.from(registeredClient)
				.clientSettings(clientSettings.build())
				.build();
	}
}

rratliff avatar Jun 01 '22 22:06 rratliff
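The token-customizer side of the use case from the first post, as an added example that is not code from this issue or from Spring Authorization Server: it assumes the converter above has stored the registration's subject claim in ClientSettings under CLIENT_SETTINGS_SUBJECT_KEY, and it emits the value as a separate claim (`registered_subject`, a name chosen here) rather than overwriting `sub`, in line with the caveat above.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class RegisteredSubjectClaimConfig {

	// Same key the converter writes into ClientSettings during registration.
	static final String CLIENT_SETTINGS_SUBJECT_KEY = "subject";
	// Claim name chosen for this example; "sub" itself is left to the server.
	static final String REGISTERED_SUBJECT_CLAIM = "registered_subject";

	@Bean
	OAuth2TokenCustomizer<JwtEncodingContext> registeredSubjectClaimCustomizer() {
		return context -> {
			// Only decorate access tokens; ID tokens keep their standard claim set.
			if (!"access_token".equals(context.getTokenType().getValue())) {
				return;
			}
			RegisteredClient client = context.getRegisteredClient();
			Object subject = client.getClientSettings().getSetting(CLIENT_SETTINGS_SUBJECT_KEY);
			// Clients registered without a subject, or with a non-string value,
			// get no extra claim rather than a malformed one.
			if (subject instanceof String && !((String) subject).isEmpty()) {
				context.getClaims().claim(REGISTERED_SUBJECT_CLAIM, subject);
			}
		};
	}
}
```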

Thanks for the details @rratliff. We'll look at improving the customization / extension points soon.

jgrandja avatar Jun 09 '22 18:06 jgrandja

I can pick this one up.

Kehrlann avatar Oct 21 '22 14:10 Kehrlann

Yes, that would work. Alternately it could be a constructor parameter. But a setter method would work as well.

rratliff avatar Oct 31 '22 13:10 rratliff

@rratliff This is now resolved via 6dc3944.

jgrandja avatar Oct 31 '22 18:10 jgrandja