Home > database >  Spring Boot/Auth0 - How do I specify the connection?
Spring Boot/Auth0 - How do I specify the connection?

Time:10-25

I am working on setting up an application using Spring Boot and Auth0. We are refactoring from a legacy codebase to use Spring Boot. In the legacy code, the Auth0 URL is created manually by appending the URL parameters:

https://[removed].auth0.com/authorize?
    response_type=code
    &client_id=[removed]
    &scope=openid email profile
    &connection=[removed]
    &state=[removed]
    &redirect_uri=http://localhost:8081/login/oauth2/code/auth0

With the Spring Boot configuration (guide here: https://auth0.com/docs/quickstart/webapp/java-spring-boot/01-login), this is the URL that generates:

https://[removed].auth0.com/authorize?
    response_type=code
    &client_id=[removed]
    &scope=openid email profile
    &state=[removed]
    &redirect_uri=http://localhost:8081/login/oauth2/code/auth0

The Spring Boot URL is giving me an error "[invalid_request] no connections enabled for the client".

I am missing the "connection" parameter with the Spring Boot setup. I have tested by manually copying the URL and adding the "connection" parameter and I get the login page. Without it, I get the error.

On Spring's configuration page (https://docs.spring.io/spring-security/reference/servlet/oauth2/login/core.html#oauth2login-boot-property-mappings), I don't see an option for Connection. I didn't see anything on the SecurityFilterChain that would allow me to change this either.

I see that Auth0.js has a function that allows a "connection" parameter (https://auth0.com/docs/libraries/auth0js). How do I add this using Spring Boot/Java?

EDIT

application.properties:

spring.security.oauth2.client.registration.auth0.client-id=[removed]
spring.security.oauth2.client.registration.auth0.client-secret=[removed]
spring.security.oauth2.client.registration.auth0.scope[0]=openid
spring.security.oauth2.client.registration.auth0.scope[1]=email
spring.security.oauth2.client.registration.auth0.scope[2]=profile
spring.security.oauth2.client.provider.auth0.issuer-uri=[removed]

CodePudding user response:

Spring Security comes with with mostly preconfigured Auth0 module. Unless you're doing something specific, there's no need to construct URL yourself.
Have you done Spring configuration as said in the link you've posted: https://auth0.com/docs/quickstart/webapp/java-spring-boot/01-login#configure-spring-security ?

# src/main/resources/application.yml
spring:
  security:
    oauth2:
      client:
        registration:
          auth0:
            ...

CodePudding user response:

You are looking for a way to add an additional parameter to the authorization URI. It's isn't as straightforward as one would like but doable.

Fortunately, it's described in Customizing Authorization and Token Requests with Spring Security 5.1 Client.

You probably want to implement the steps 2 and 4:

  • Add your own implementation of OAuth2AuthorizationRequestResolver, override both resolve() methods to call customizeAuthorizationRequest()
  • Implement customizeAuthorizationRequest() to add the additional connection parameter (OAuth2AuthorizationRequest already support additional parameters)
  • Implement a security configuration class to register CustomAuthorizationRequestResolver as the authorization request resolver

Several issues on GitHub ask for a simpler way. But the issues are still open (or closed as duplicates).

Update

Instead of clientRegistrationRepository() (at the end of step 2), you could declare clientRegistrationRepository as an injected dependency and the use it without parentheses:

@Autowired
private ClientRegistrationRepository clientRegistrationRepository;

CodePudding user response:

Here's another option (untested):

In application.properties, specify all URLs separately. So instead of:

spring.security.oauth2.client.provider.auth0.issuer-uri=xyz.us.auth0.com

Specify:

spring.security.oauth2.client.provider.auth0.authorization-uri=https://xyz.us.auth0.com/authorize?connection=azuread
spring.security.oauth2.client.provider.auth0.token-uri=https://xyz.us.auth0.com/oauth/token
spring.security.oauth2.client.provider.auth0.jwk-set-uri=https://xyz.us.auth0.com/=.well-known/jwks.json
spring.security.oauth2.client.provider.auth0.user-info-uri=https://xyz.us.auth0.com/userinfo

Note that the authorization URI already includes the connection parameters. All the other parameters should then be appended.

You can get all the URIs at https://xyz.us.auth0.com/.well-known/openid-configuration (just replace "xyz" and put the URL in your browser).

Page link:https//www.codepudding.com/database/587426.html

Prev:Bcrypt bean could not be found when defined in Main class and other service bean with same problem w
Next:How to recursively calculate the difference in departures from the previous month
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding