I am currently using the Spring Boot OAuth2 authorization server. The grant type is Authorization Code. Is there any way I can avoid using the form login for the authorization code grant type?
Can I make a REST call to the authorize endpoint?
Are there any references that I can follow?
Let's take the below as an example and assume that the client_id is client and client_secret is secret:
http://localhost:8080/oauth2/authorize?response_type=code&client_id=client&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/oidc-client&scope=openid
If the above approach is not possible,
then is it possible to add more fields to the login form and do the validation not only based on client id and client secret but also based on the status of those fields? For example:
Employee name: Test Employee
Employee age: 17
Client id: client
Client secret: secret
First I want to check if TestEmployee exists in the database, then I want to make sure he is older than 25.
If not, then I want to display a login validation exception ... is this possible?
I have tried to use the media type application/json but it does not seem to work:
    http
        .securityMatcher(endpointsMatcher)
        .authorizeHttpRequests((authorize) -> authorize
            .anyRequest().authenticated()
        )
        .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
        .oauth2ResourceServer(resourceServer -> resourceServer
            .jwt(Customizer.withDefaults())
        )
        .exceptionHandling((exceptions) -> exceptions
            .defaultAuthenticationEntryPointFor(
                new LoginUrlAuthenticationEntryPoint("/login"),
                // the matcher I tried: only application/json requests get this entry point
                new MediaTypeRequestMatcher(MediaType.APPLICATION_JSON)
            )
        )
        .apply(authorizationServerConfigurer);
Is there any way I can avoid using the form login for authorization code grant type?
It's not possible to bypass the login form in authorization_code flow.
Then is it possible to add more fields to the login form?
Yes it's possible. Check: https://github.com/spring-projects/spring-authorization-server/issues/533
For validations, you may want to implement a custom AuthenticationProvider. Check this article for some guidance.
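One way to implement the extra-field validation with a custom AuthenticationProvider, as an added example that is not code from the original answer or from the Spring Authorization Server project. `EmployeeDirectory`, `EmployeeLoginDetails`, `EmployeeAuthenticationProvider` and the `employeeName` form field are hypothetical names; the age rule follows the question, and the age is read from the database record rather than from the form.

```java
import jakarta.servlet.http.HttpServletRequest;
import java.util.Optional;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

// Hypothetical lookup backed by the employee table.
interface EmployeeDirectory {
    Optional<Integer> findAgeByName(String employeeName);
}

// Captures the extra form field. Wire it into the login filter with
// formLogin(form -> form.authenticationDetailsSource(EmployeeLoginDetails::new)).
class EmployeeLoginDetails extends WebAuthenticationDetails {
    private final String employeeName;
    EmployeeLoginDetails(HttpServletRequest request) {
        super(request);
        this.employeeName = request.getParameter("employeeName"); // assumed field name
    }
    String getEmployeeName() { return employeeName; }
}

// Wraps the normal username/password provider and adds the employee rules.
class EmployeeAuthenticationProvider implements AuthenticationProvider {
    private final AuthenticationProvider delegate; // e.g. a DaoAuthenticationProvider
    private final EmployeeDirectory employees;
    EmployeeAuthenticationProvider(AuthenticationProvider delegate, EmployeeDirectory employees) {
        this.delegate = delegate;
        this.employees = employees;
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        Authentication result = delegate.authenticate(auth); // credentials first
        if (result == null) return null; // delegate does not handle this token type
        // One generic message so the form does not reveal which check failed.
        if (!(auth.getDetails() instanceof EmployeeLoginDetails details)
                || details.getEmployeeName() == null) {
            throw new BadCredentialsException("Login validation failed");
        }
        // The age is read from the database record, not from a submitted form value.
        int age = employees.findAgeByName(details.getEmployeeName())
                .orElseThrow(() -> new BadCredentialsException("Login validation failed"));
        if (age <= 25) throw new BadCredentialsException("Login validation failed");
        return result;
    }
    @Override public boolean supports(Class<?> type) { return delegate.supports(type); }
}
```

The login form authenticates the end user. The client_id and client_secret identify the client application in the authorization and token requests, so they are not fields to collect on this form.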