While trying to get Spring Security OAuth2 5.4.2 to work with custom scopes and Auth0 in authorization code flow, I stumbled over a small detail which I have no simple solution for.
To request custom scopes, Auth0 requires a user to provide an audience parameter. The redirect URI is created in org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver#resolve(javax.servlet.http.HttpServletRequest, java.lang.String, java.lang.String).
This process can be amended by using an AuthorizationRequestCustomizer; however, I do not see any means to inject a customizer, and the DefaultOAuth2AuthorizationRequestResolver is not registered as a bean, or at least I do not grasp how it is accessible.
You can implement a custom OAuth2AuthorizationRequestResolver and then add it to your Spring Security configuration:
.oauth2Login(req ->
    req.authorizationEndpoint()
        .authorizationRequestResolver(new YourCustomAuthorizationRequestResolver())
)
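An added example, not part of the original question or answer: one way to supply the resolver is to construct a DefaultOAuth2AuthorizationRequestResolver yourself and set its authorization request customizer so that every request carries a fixed audience. The class name SecurityConfig, the audience value and the Spring Boot-provided ClientRegistrationRepository bean are assumptions.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumption: placeholder API identifier; use the one configured for your API in Auth0.
    private static final String AUDIENCE = "https://api.example.com/";

    // Assumption: provided by Spring Boot's OAuth2 client auto-configuration.
    private final ClientRegistrationRepository clientRegistrationRepository;

    public SecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .oauth2Login(login -> login
                .authorizationEndpoint(endpoint -> endpoint
                    .authorizationRequestResolver(audienceResolver())));
    }

    private OAuth2AuthorizationRequestResolver audienceResolver() {
        // Same base URI the default resolver uses: /oauth2/authorization/{registrationId}
        DefaultOAuth2AuthorizationRequestResolver resolver =
            new DefaultOAuth2AuthorizationRequestResolver(
                clientRegistrationRepository,
                OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
        // Add a fixed, configured audience to every authorization request;
        // do not copy it from the incoming HTTP request.
        resolver.setAuthorizationRequestCustomizer(builder ->
            builder.additionalParameters(params -> params.put("audience", AUDIENCE)));
        return resolver;
    }
}
```

Keeping the audience a server-side constant means a caller cannot steer the token request toward a different API by tampering with the login URL.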