I’m using Spring Authorization Server v3.3.1. My current well-known endpoint is <hostname>/.well-known/openid-configuration and this returns the standard OpenID configuration.
I want to remove a couple of attributes from this standard response and change the endpoint path to <hostname>/oauth2/token/.well-known/openid-configuration.
For this I’ve duplicated the OidcProviderConfigurationEndpointFilter, made the necessary changes and registered it in the authorizationServerSecurityFilterChain.
The request matcher in the duplicated filter is as follows:
    private static RequestMatcher createRequestMatcher() {
        // Only GET on the relocated discovery path, like the stock endpoint;
        // the AntPathRequestMatcher can be returned directly, no lambda needed
        final RequestMatcher defaultRequestMatcher = new AntPathRequestMatcher(
                "/oauth2/token/.well-known/openid-configuration", HttpMethod.GET.name());
        return defaultRequestMatcher;
    }
This is how I’ve added the filter to the chain:
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .authorizationEndpoint((authorizationEndpoint) -> authorizationEndpoint
                        .authenticationProviders(configureAuthenticationValidator()))
                .tokenEndpoint((tokenEndpoint) -> tokenEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
                        .errorResponseHandler(new ErrorResponseHandler()))
                .oidc(Customizer.withDefaults());
        // Duplicated filter, registered at the same position the stock
        // OidcProviderConfigurationEndpointFilter occupies in the chain
        OidcWellknownEndpointFilter oidcWellknownEndpointFilter = new OidcWellknownEndpointFilter();
        http.addFilterBefore(oidcWellknownEndpointFilter,
                AbstractPreAuthenticatedProcessingFilter.class);
        return http.build();
    }
My question is, how can I direct requests coming to /oauth2/token/.well-known/openid-configuration to the OidcWellknownEndpointFilter?
I tried to add a permitAll() for this endpoint like below:
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        // permitAll() added before the default authorization server security is applied
        http.authorizeHttpRequests((authorize) -> authorize
                .requestMatchers("/oauth2/token/.well-known/openid-configuration").permitAll());
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer.... <other code>
    }
This redirects all requests to the endpoint to the login page.
Appreciate any help regarding this.
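An added example, not code from the question or from Spring Authorization Server itself, showing one way to get the relocated path into the authorization server filter chain. The reason the permitAll() attempt above has no effect is that OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http) sets the chain's securityMatcher() to the configurer's getEndpointsMatcher(), which covers only the stock endpoints; a request to /oauth2/token/.well-known/openid-configuration is never dispatched to this chain at all, falls through to the default chain, and that chain's form login produces the redirect. The example therefore builds the chain by hand with a combined matcher instead of calling applyDefaultSecurity(). It assumes Spring Security 6.2 or later with Spring Authorization Server 1.x (the versions that provide HttpSecurity.with(...)), that the question's OidcWellknownEndpointFilter class lives in the same package, and it leaves out the question's authorizationEndpoint/tokenEndpoint customizations, which would go inside the with(...) customizer.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class AuthorizationServerConfig {

    // Relocated discovery path from the question; GET only, like the stock endpoint.
    private static final RequestMatcher WELL_KNOWN_MATCHER = new AntPathRequestMatcher(
            "/oauth2/token/.well-known/openid-configuration", HttpMethod.GET.name());

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
                new OAuth2AuthorizationServerConfigurer();

        // applyDefaultSecurity() would use getEndpointsMatcher() alone as the chain's
        // securityMatcher. The custom path has to be part of that matcher, otherwise the
        // request never enters this chain and is handled by the form-login chain instead.
        RequestMatcher endpointsMatcher = new OrRequestMatcher(
                authorizationServerConfigurer.getEndpointsMatcher(), WELL_KNOWN_MATCHER);

        http
            .securityMatcher(endpointsMatcher)
            .authorizeHttpRequests(authorize -> authorize
                    // The discovery document is public; everything else in this chain
                    // keeps the authenticated() default that applyDefaultSecurity() sets.
                    .requestMatchers(WELL_KNOWN_MATCHER).permitAll()
                    .anyRequest().authenticated())
            // Same CSRF exemption applyDefaultSecurity() grants the protocol endpoints.
            .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
            .with(authorizationServerConfigurer, configurer -> configurer
                    .oidc(Customizer.withDefaults()))
            // Same position the stock OidcProviderConfigurationEndpointFilter is added at.
            // OidcWellknownEndpointFilter is the duplicated filter from the question
            // (assumed to be in this package).
            .addFilterBefore(new OidcWellknownEndpointFilter(),
                    AbstractPreAuthenticatedProcessingFilter.class);

        return http.build();
    }
}
```

Two things to check after wiring this up. First, oidc(Customizer.withDefaults()) still registers the stock filter, so the unmodified document remains reachable at /.well-known/openid-configuration; a denyAll rule will not hide it, because that filter answers before AuthorizationFilter runs. Second, if only the attribute removal matters and the path can stay where it is, Spring Authorization Server 1.x exposes oidc(oidc -> oidc.providerConfigurationEndpoint(endpoint -> endpoint.providerConfigurationCustomizer(builder -> builder.claims(claims -> claims.remove("...")))))  for that purpose, which avoids duplicating the filter entirely.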