Provide more flexibility on when to display consent page #1552
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
|
Thanks @MrJovanovic13. I will review this soon. I'm trying to finish up gh-101 before we release |
jgrandja
added
type: enhancement
jgrandja
changed the title
There was a problem hiding this comment.
Thanks for the PR @MrJovanovic13.
Please see review comments.
| * {@link OAuth2AuthorizationCodeRequestAuthenticationContext#getRegisteredClient()} containing {@link RegisteredClient} used to make the request. | ||
| * | ||
| * @param requiresAuthorizationConsent the {@link Predicate} that determines if authorization consent is required. | ||
| * @since 1.2.3 |
| @@ -295,26 +339,6 @@ private static OAuth2TokenContext createAuthorizationCodeTokenContext( | |||
| return tokenContextBuilder.build(); | |||
| } | |||
|
|
|||
| private static boolean requireAuthorizationConsent(RegisteredClient registeredClient, | |||
There was a problem hiding this comment.
We should keep this method and associated logic as-is but change the signature to:
private boolean requireAuthorizationConsent(OAuth2AuthorizationCodeRequestAuthenticationContext context)We would also need to supply OAuth2AuthorizationCodeRequestAuthenticationContext with OAuth2AuthorizationRequest and OAuth2AuthorizationConsent.
This method would then be the default for:
private Predicate<OAuth2AuthorizationCodeRequestAuthenticationContext> requiresAuthorizationConsent;Applications could then override this via setRequiresAuthorizationConsent().
There was a problem hiding this comment.
Sounds good.
Would you like if OAuth2AuthorizationRequest and OAuth2AuthorizationConsent got treated the same way as RegisteredClient by exposing getRegisteredClient() and a builder method registeredClient(RegisteredClient registeredClient) inside the OAuth2AuthorizationCodeRequestAuthenticationContext?
Or do you want just to use regular .put() and .get() for their supply & access?
There was a problem hiding this comment.
I have pushed a commit with a refactor according to your comment.
I attempted to expose getter & builders methods in the OAuth2AuthorizationCodeRequestAuthenticationContext for OAuth2AuthorizationRequest and OAuth2AuthorizationConsent instead of the .put() and .get() approach. However that ended up breaking a lot of tests. If It's important to go in that direction, I will put some more effort into making that work.
There was a problem hiding this comment.
Would you like if
OAuth2AuthorizationRequestandOAuth2AuthorizationConsentgot treated the same way asRegisteredClient
Yes. We should make the getter @Nullable since it may be null when the authenticationValidator is called.
MrJovanovic13
force-pushed
the
issue-1541
branch
2 times, most recently
from
4d4d80e to
8be811f
Compare
|
Sorry for the slight delay, had a busy week. I can squash the commits if you guys prefer that. |
There was a problem hiding this comment.
Thanks for the updates @MrJovanovic13. Please see review comments.
Also, please squash commits. Thanks.
| @@ -63,6 +65,27 @@ public RegisteredClient getRegisteredClient() { | |||
| return get(RegisteredClient.class); | |||
| } | |||
|
|
|||
| /** | |||
| * Returns the {@link OAuth2AuthorizationRequest oauth2 authorization request}. | |||
| * | |||
|
|
||
| /** | ||
| * Returns the {@link OAuth2AuthorizationConsent oauth2 authorization consent}. | ||
| * |
| * @return the {@link Builder} for further configuration | ||
| */ | ||
| @Override | ||
| public Builder put(Object key, Object value) { |
There was a problem hiding this comment.
This can be removed since it's inherited by AbstractBuilder
There was a problem hiding this comment.
This can be removed since it's inherited by
AbstractBuilder
I overrode this method as opposed to using the one in AbstractBuilder because the one in the AbstractBuilder does not accept null values and authorizationConsent can be null.
The alternative is to remove the not null assertion inside the AbstractBuilder, but it's inherited 5 times so I didn't want to cause potential issues in other builders.
There was a problem hiding this comment.
If authorizationConsent or authorizationRequest is null it should not be passed into the builder so it's not an issue.
There was a problem hiding this comment.
If
authorizationConsentorauthorizationRequestisnullit should not be passed into thebuilderso it's not an issue.
The authorizationConsent from authorizationConsentService.findById() is @Nullable.
So I added a null check which won't pass it into the builder if it's null. I got rid of the custom put() method.
Let me know if the solution is suitable.
| * @param oAuth2AuthorizationRequest the {@link OAuth2AuthorizationRequest} | ||
| * @return the {@link Builder} for further configuration | ||
| */ | ||
| public Builder oAuth2AuthorizationRequest(OAuth2AuthorizationRequest oAuth2AuthorizationRequest) { |
There was a problem hiding this comment.
Rename to authorizationRequest
| * @param oAuth2AuthorizationConsent the {@link OAuth2AuthorizationConsent} | ||
| * @return the {@link Builder} for further configuration | ||
| */ | ||
| public Builder oAuth2AuthorizationConsent(OAuth2AuthorizationConsent oAuth2AuthorizationConsent) { |
There was a problem hiding this comment.
Rename to authorizationConsent
MrJovanovic13
force-pushed
the
issue-1541
branch
from
87e1ba1 to
577d392
Compare
MrJovanovic13
force-pushed
the
issue-1541
branch
from
577d392 to
1433393
Compare
|
Thanks for the updates @MrJovanovic13. FYI, I added a polish commit to get this merged before tomorrow's release. Thanks again! |
This PR fixes Issue-1541
Some things worth mentioning.