Description
Is your feature request related to a problem? Please describe.
Hello,
This is more a question, but I don't know how I can change the label of the issue.
I've followed the tutorial servlet-client and I'm now trying to have a similar configuration using the spring-addons-starter-oidc dependency, but it seems the multiple redirections don't work the same way, and I'm not sure if I'm configuring it correctly.
With the servlet-client tutorial, I have the following behavior on a @RestController with some @GetMapping routes:
- I call an endpoint in my browser (example: http://localhost:3000/test)
- /test endpoint responds with an HTTP 302 and redirects to http://localhost:3000/oauth2/authorization/myregistration (where myregistration is the name I configured in application.yaml under property spring.security.oauth2.client.registration)
- /oauth2/authorization/myregistration endpoint also responds with an HTTP 302 and redirects to the issuer-uri I configured under spring.security.oauth2.client.provider, adding some parameters, and notably the redirect_uri which contains value http://localhost:3000/login/oauth2/code/myregistration
- I submit login and consent on the OIDC provider pages
- OIDC provider redirects to the http://localhost:3000/login/oauth2/code/myregistration described above
- /login/oauth2/code/myregistration redirects to the initial endpoint but with a continue parameter: http://localhost:3000/test?continue (from what I read, this seems to be related to session cache).
This works whatever the initial endpoint was, as if /login/oauth2/code/myregistration knows what the initial call it needs to redirect to was.
And with the spring-addons-starter-oidc dependency, I have the following behavior on the same controller / mapping routes:
- I call an endpoint in my browser (example: http://localhost:3000/test)
- /test endpoint responds with an HTTP 302 and redirects to ///login (without any hostname).
  a. I saw that if I manually configure the property com.c4-soft.springaddons.oidc.client.login-uri with /oauth2/authorization/myregistration, I can get the same behavior as above, but I don't understand why this is not the default behavior? Am I supposed to implement a /login controller?
- /oauth2/authorization/myregistration endpoint also responds with an HTTP 302 and redirects to the issuer-uri, but this time the redirect_uri parameter contains value /login/oauth2/code/myregistration (without the http://localhost:3000 hostname). As this URI is not configured on my OIDC provider, I get an error.
  a. I saw that if I manually configure the property com.c4-soft.springaddons.oidc.client.client-uri with http://localhost:3000, I can get the same behavior as above, but again I don't understand why this is not the default behavior?
- I submit login and consent on the OIDC provider pages
- OIDC provider redirects to the http://localhost:3000/login/oauth2/code/myregistration described above
- /login/oauth2/code/myregistration redirects to / (without any hostname, but the browser seems to understand this and tries to access http://localhost:3000/ which returns HTTP 404)
  a. Here I saw I can update my initial call to http://localhost:3000/test?post_login_success_uri=/test to get the final redirection working. But I find it strange to have to duplicate on each API call the endpoint I'm calling.
Describe the solution you'd like
Get the configuration working similarly to what is achieved with the tutorial using spring-boot-starter-oauth2-client, but with the benefits of spring-addons-starter-oidc security configuration
Describe alternatives you've considered
Using login-uri and client-uri for the first redirections to work, and query parameter post_login_success_uri for the last one. But I find it strange I have to override the properties to get back to the default behavior.
Additional context
I'm a beginner with OAuth2 and OIDC, so it's possible that I just completely misunderstood how to use or configure the spring-addons-starter-oidc dependency.
Thanks
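Added example, not part of the issue above and not code from spring-addons: a small Python check for the two symptoms the report describes, a scheme-relative Location value (///login) and a redirect_uri that is a bare path instead of an absolute URL registered at the provider. The issuer host and the set of registered redirect URIs are constructed assumptions for the demonstration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed: redirect URIs registered at the OIDC provider for this client.
# A real deployment would load these from the provider's client registration.
REGISTERED_REDIRECT_URIS = {
    "http://localhost:3000/login/oauth2/code/myregistration",
}


def classify_location(location: str) -> str:
    """Classify a Location header value issued by the client application.

    'absolute'        -> scheme and host present (http://localhost:3000/...)
    'path'            -> same-origin path such as / or /test?continue
    'scheme-relative' -> starts with '//'; the browser keeps the current scheme
                         but takes the host from the value, not from the app,
                         so the target origin is not the one the app intended
    'unexpected'      -> empty value or a path without a leading slash
    """
    if not location:
        return "unexpected"
    if location.startswith("//"):
        return "scheme-relative"
    parts = urlsplit(location)
    if parts.scheme and parts.netloc:
        return "absolute"
    if location.startswith("/"):
        return "path"
    return "unexpected"


def check_authorization_redirect(location: str) -> tuple[bool, str]:
    """Validate the redirect that sends the browser to the authorization endpoint.

    Returns (ok, reason). redirect_uri must be an absolute http(s) URL and must
    match one of the registered URIs exactly; the provider rejects anything else,
    which is the error the issue reports for the relative /login/oauth2/code/... value.
    """
    params = parse_qs(urlsplit(location).query)
    redirect_uri = params.get("redirect_uri", [None])[0]
    if redirect_uri is None:
        return False, "missing redirect_uri parameter"
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False, f"redirect_uri is not an absolute URL: {redirect_uri}"
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        return False, f"redirect_uri is not registered at the provider: {redirect_uri}"
    return True, "ok"
```

Running classify_location over the Location values from the report ("///login", "/", "http://localhost:3000/test?continue") shows which hop produced a redirect the browser cannot resolve to the application's own origin, and check_authorization_redirect reproduces the provider-side rejection before the provider is involved.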