javaspringspring-securityspring-security-oauth2auth0

How to set an AuthorizationRequestCustomizer on a DefaultOAuth2AuthorizationRequestResolver?


While trying to get Spring Security OAuth2 5.4.2 to work with custom scopes and Auth0 in authorization code flow. I stumbled over a small detail which I have no simple solution for.

To request custom scopes Auth0 requires a user to provide an audience parameter. The redirect URI is created in org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver#resolve(javax.servlet.http.HttpServletRequest, java.lang.String, java.lang.String).

This process can be amended by using a AuthorizationRequestCustomizer, however I do not see any means to inject a customizer and the DefaultOAuth2AuthorizationRequestResolver is not registered as a bean or at least I do not grasp how it is accessible.


Solution

  • You can implement custom OAuth2AuthorizationRequestResolver and then add it to your spring security configuration

    .oauth2Login(req->
              req.authorizationEndpoint()
             .authorizationRequestResolver(new YourCustomAuthorizationRequestResolver)
     )