I have implemented or extended on top of Spring Authorization Server. I have an authentication controller that accesses the client-id from the RequestCache object.

Now, I have built a sample OAuth app that redirects to Spring Authorization Server for login. I use the RequestCache to access the client-id, but after a while the RequestCache does not contain the client-id anymore, either because of session timeout or inactivity. Where do I store this client-id? I tried a session attribute, but that times out too on inactivity. What is the best way to handle this scenario so I always have the client-id value for a user?

This is the workflow (added after original post):

  1. The user clicks on an app link (Dashboard) that requires login.
  2. If not logged in, it redirects to OAuth2 (my Spring Authorization Server). This is what I observe in the Developer Tools console in Chrome:
     • a. Goes to http://localhost:3000/response_type=code&client_id=myclientid&scope=read&state=some-state&redirect_uri=http://127.0.0.1:3000/login/oauth2/code/client-id-oidc
     • b. Then redirects to http://localhost:3000/issuer (this URL shows my login page)
     • c. I want to add this to the login URL and show "http://localhost:3000/issuer?client_id=myclientid"

How do I get that done?

1 Answer

You might try encoding the client_id in the state parameter:

  1. Intercept the Authorization Request: Implement a filter or handler on the Authorization Server (AS) just before the user is redirected to the login page.
  2. Encode the client_id: Take the original state value provided by the client, append the client_id, and then encode and sign this combined string (e.g., using Base64 and HMAC-SHA256, or by minting a small JWT). This creates a custom, extended state value.
  3. Use Extended State: The AS proceeds with the flow, using this extended state value. The user authenticates.
  4. Decode and Restore: When the user is redirected back to the AS's authorization endpoint, the AS extracts the custom state parameter, verifies its signature, decodes it, and reliably retrieves the original client_id and the client's original state value, all without touching the session.
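
As an added example (not code from the question, the answer, or Spring Authorization Server itself), here is what steps 1, 2 and 4 of the answer could look like as one servlet filter plus a small codec, using only the JDK and the Jakarta Servlet API. The authorization-endpoint path, the `xstate` parameter name, the request-attribute name, the 10-minute age limit, and the `ExtendedState`/`ExtendedStateFilter` class names are all assumptions. It also goes slightly beyond the answer's text: the signed payload carries an issued-at timestamp so a token cannot be replayed indefinitely, and the tag is compared in constant time.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import jakarta.servlet.*;
import jakarta.servlet.http.*;

/** Steps 2 and 4 of the answer: an HMAC-signed carrier for client_id and the client's original state. */
final class ExtendedState {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    static final long MAX_AGE_MILLIS = 10 * 60 * 1000L; // assumption: a login must complete within 10 minutes

    record Decoded(String clientId, String originalState) {}

    /** Returns "<base64url(payload)>.<base64url(HMAC-SHA256(payload))>", safe to place in a URL query. */
    static String encode(String clientId, String originalState, byte[] key, long nowMillis) {
        // '\n' cannot occur in client_id or state (RFC 6749 limits them to printable ASCII), so it is a safe separator.
        byte[] payload = (clientId + "\n" + originalState + "\n" + nowMillis).getBytes(StandardCharsets.UTF_8);
        return ENC.encodeToString(payload) + "." + ENC.encodeToString(hmac(key, payload));
    }

    /** Verifies the tag and the age before trusting anything in the payload; empty means "reject the request". */
    static Optional<Decoded> decode(String token, byte[] key, long nowMillis) {
        int dot = token.indexOf('.');
        if (dot < 0) return Optional.empty();
        byte[] payload, tag;
        try {
            payload = DEC.decode(token.substring(0, dot));
            tag = DEC.decode(token.substring(dot + 1));
        } catch (IllegalArgumentException badBase64) {
            return Optional.empty();
        }
        // Constant-time comparison: a forged tag must not be guessable byte by byte from timing differences.
        if (!MessageDigest.isEqual(hmac(key, payload), tag)) return Optional.empty();
        String[] parts = new String(payload, StandardCharsets.UTF_8).split("\n", -1);
        if (parts.length != 3) return Optional.empty();
        long issuedAt;
        try { issuedAt = Long.parseLong(parts[2]); } catch (NumberFormatException e) { return Optional.empty(); }
        if (issuedAt > nowMillis || nowMillis - issuedAt > MAX_AGE_MILLIS) return Optional.empty();
        return Optional.of(new Decoded(parts[0], parts[1]));
    }

    private static byte[] hmac(byte[] key, byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}

/** Step 1: the filter registered with http.addFilterBefore(...). The path and the parameter name are assumptions. */
final class ExtendedStateFilter implements Filter {
    private static final String AUTHORIZE_PATH = "/oauth2/authorize";          // Spring Authorization Server default
    static final String PARAM = "xstate";                                       // assumed extended-state query parameter
    static final String ATTR = ExtendedStateFilter.class.getName() + ".token";  // read by whatever builds the login redirect
    private final byte[] key;

    ExtendedStateFilter(byte[] key) { this.key = key.clone(); }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (!AUTHORIZE_PATH.equals(http.getServletPath())) { chain.doFilter(req, res); return; }
        String token = http.getParameter(PARAM);
        if (token != null) {
            // Step 4: back from the login page; verify, then hand the restored values to the authorization endpoint.
            Optional<ExtendedState.Decoded> d = ExtendedState.decode(token, key, System.currentTimeMillis());
            if (d.isEmpty()) { ((HttpServletResponse) res).sendError(400, "invalid or expired state"); return; }
            chain.doFilter(new RestoredRequest(http, d.get()), res);
            return;
        }
        String clientId = http.getParameter("client_id"), state = http.getParameter("state");
        if (clientId != null && state != null) {
            // Step 2: mint the token now; the login redirect built later in this same request appends it as ?xstate=...
            http.setAttribute(ATTR, ExtendedState.encode(clientId, state, key, System.currentTimeMillis()));
        }
        chain.doFilter(req, res);
    }

    /** Exposes the restored client_id and state as ordinary parameters, whichever accessor downstream code uses. */
    private static final class RestoredRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;
        RestoredRequest(HttpServletRequest r, ExtendedState.Decoded d) {
            super(r);
            params = new HashMap<>(r.getParameterMap());
            params.put("client_id", new String[] { d.clientId() });
            params.put("state", new String[] { d.originalState() });
            params.remove(PARAM);
        }
        @Override public String getParameter(String n) { String[] v = params.get(n); return v == null ? null : v[0]; }
        @Override public String[] getParameterValues(String n) { return params.get(n); }
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
    }
}
```

On the comment's question of where the extended value goes in the URL: it travels as a query parameter. The component on the authorization server that redirects to the login page (the authentication entry point, which runs in the same request as the filter) reads the `ATTR` attribute and redirects to `/issuer?xstate=<token>`; the login page keeps that value and sends the user back to `/oauth2/authorize?xstate=<token>`, where the filter verifies it and restores `client_id` and the original `state`, so the client still sees the `state` it sent. Two caveats: the token carries only what the answer names (client_id and state), so the remaining authorization parameters (response_type, redirect_uri, scope) must still reach the endpoint, either through Spring's saved request while it is still present or by adding them to the same signed payload; and the HMAC key is a server-side secret (at least 32 random bytes, rotated like any other signing key), never a client secret.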

1 Comment

For Step 2, I created a filter and added it to the SecurityFilterChain http object as http.addFilterBefore(new MyFilter(), UsernamePasswordAuthenticationFilter.class). Do I add the extended value somewhere in the URL? I am not sure how to do that.
