OidcAuthorizationCodeAuthenticationProvider easier to extend
Expected Behavior
I would like to be able to use and modify OidcAuthorizationCodeAuthenticationProvider and the functionalities it provides a bit easier. The general use case is that I already implemented a custom OAuth2AuthorizationRequestResolver that handles OIDC requests, so that includes setting the nonce to a specific value rather than it being a hashed random value like in the DefaultOAuth2AuthorizationRequestResolver. The OidcAuthorizationCodeAuthenticationProvider later does nonce validation and assumes the nonce in the token to be a hashed value and that the stored AuthRequest object has a non-hashed value and that those two can be compared. This validation method is a private method and cannot be extended easily; it'd be great if this nonce validation method were protected instead.
Current Behavior
private void validateNonce(OAuth2AuthorizationRequest authorizationRequest, OidcIdToken idToken)
This method is private and if we were to extend OidcAuthorizationCodeAuthenticationProvider we cannot override its behavior.
Context
I am using this part of Spring Security in order to create a wide variety of auth requests in order to interact with an identity provider for testing purposes. Being able to customize and modify existing classes that come out of the box would be greatly appreciated.
@vladimirr9
I already implemented a custom OAuth2AuthorizationRequestResolver that handles OIDC requests, so that includes setting the nonce to a specific value rather than it being a hashed random value like in the DefaultOAuth2AuthorizationRequestResolver.
I can understand why you might not want to use a random value but why can't you hash the value you assign? If you simply hash your assigned value using SHA-256 then it would work as expected.
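The following is an added, stand-alone Java model of the nonce binding the issue and the reply above are discussing; it is not Spring Security's code and not the reporter's resolver. The class names (`NonceBinding`, `StoredRequest`), the method names and the "nonce_on_wire" key are assumptions made for this example; the hash convention it uses (base64url without padding of the SHA-256 of the value's ASCII bytes) is the one the thread describes, with the stored request keeping the raw value and the identity provider echoing the hashed value in the ID token's `nonce` claim. It runs with a plain JDK (17 or later, for the record) and shows why the reporter's scenario fails the check while the maintainer's suggestion passes it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;

/**
 * Added example (not Spring Security code): models the nonce binding described in the thread.
 *  - the stored authorization request keeps the raw nonce,
 *  - the value sent to the identity provider, and echoed in the id_token, is base64url(SHA-256(raw)),
 *  - validation re-hashes the stored raw value and compares it with the id_token "nonce" claim.
 */
public final class NonceBinding {

    private static final SecureRandom RANDOM = new SecureRandom();

    /** base64url-without-padding SHA-256 over the ASCII bytes of the value (assumed convention). */
    static String createHash(String value) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(value.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 not available", e);
        }
    }

    /** Hypothetical stand-in for the stored OAuth2AuthorizationRequest: only its attributes matter here. */
    record StoredRequest(Map<String, String> attributes) {
        String rawNonce() { return attributes.get("nonce"); }
        String nonceOnWire() { return attributes.get("nonce_on_wire"); }
    }

    /** Default-style behaviour: random raw nonce is stored, its hash is what goes to the provider. */
    static StoredRequest resolveWithRandomNonce() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        String raw = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
        return resolveWithChosenNonce(raw);
    }

    /** Custom resolver with a chosen raw nonce; the wire value is still hash(raw), as the reply suggests. */
    static StoredRequest resolveWithChosenNonce(String raw) {
        return new StoredRequest(Map.of("nonce", raw, "nonce_on_wire", createHash(raw)));
    }

    /**
     * The validation rule: the id_token nonce claim must equal hash(stored raw nonce).
     * A missing claim or a mismatch is rejected, which is what blocks a substituted or replayed ID token.
     */
    static boolean validateNonce(StoredRequest request, String idTokenNonceClaim) {
        String raw = request.rawNonce();
        if (raw == null) {
            return true; // no nonce was requested, so there is nothing to bind
        }
        if (idTokenNonceClaim == null) {
            return false;
        }
        byte[] expected = createHash(raw).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = idTokenNonceClaim.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) {
        // 1. Default flow: the provider echoes exactly what was sent, validation passes.
        StoredRequest random = resolveWithRandomNonce();
        System.out.println("random nonce, echoed hash     -> " + validateNonce(random, random.nonceOnWire()));

        // 2. Chosen raw value, hashed before sending (the maintainer's suggestion): also passes.
        StoredRequest chosen = resolveWithChosenNonce("fixed-test-nonce-0001"); // constructed value
        System.out.println("chosen raw, echoed hash       -> " + validateNonce(chosen, chosen.nonceOnWire()));

        // 3. The reporter's scenario: an already-hashed value is stored as the raw nonce and the
        //    provider echoes it unhashed. validateNonce hashes it again, so hash(h) != h and it fails.
        String preHashed = createHash("value-hashed-elsewhere"); // constructed value
        StoredRequest preHashedRequest = new StoredRequest(Map.of("nonce", preHashed, "nonce_on_wire", preHashed));
        System.out.println("pre-hashed raw, echoed as-is  -> " + validateNonce(preHashedRequest, preHashed));

        // 4. Missing claim is rejected outright.
        System.out.println("missing nonce claim           -> " + validateNonce(chosen, null));
    }
}
```

Running `main` prints `true`, `true`, `false`, `false` for the four cases. Case 3 is the mismatch the issue describes: because the check always re-hashes the stored value, a request that stores an already-hashed nonce can only pass if the provider returns hash(hash), which is why overriding the comparison (or hashing the chosen value once before sending it, as in case 2) is needed for that flow.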
It's part of a wider collection of systems which would like to set the value to a specific one (that is already hashed) and get it back in the resulting access token without it being hashed again.