Polish ref doc
Issue gh-499
@@ -5,6 +5,8 @@ plugins {
asciidoctor {
attributes([
"spring-authorization-server-version": project.version,
"spring-security-reference-base-url": "https://docs.spring.io/spring-security/reference",
"spring-security-api-base-url": "https://docs.spring.io/spring-security/site/docs/current/api",
"examples-dir": "examples",
"docs-java": "$sourceDir/examples/src/main/java",
"chomp": "default headers packages",
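Review bot: the new `spring-security-api-base-url` attribute points at `site/docs/current/api`, so every Javadoc link added in this commit follows whatever Spring Security release is current at read time rather than the version this project builds against; consider deriving the URL from the Spring Security version used by the build (the same way `spring-authorization-server-version` is taken from `project.version`) so the linked signatures match the code the reference doc describes.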
@@ -1,7 +1,5 @@
[[configuration-model]]
= Configuration Model
:toc: left
:toclevels: 1
[[default-configuration]]
== Default configuration
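Review bot: dropping the page-level `:toc: left` and `:toclevels: 1` here (and in core-model-components.adoc, index.adoc and protocol-endpoints.adoc later in this commit) assumes the site-wide Asciidoctor configuration supplies the table of contents; confirm that the `asciidoctor { attributes([...]) }` block in build.gradle (first hunk) sets `toc`, since it is not among the attributes shown there.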
@@ -28,7 +26,7 @@ The OAuth2 authorization server `SecurityFilterChain` `@Bean` is configured with
The JWK Set endpoint is configured *only* if a `JWKSource<SecurityContext>` `@Bean` is registered.
[NOTE]
The xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration endpoint] is disabled by default.
The xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration endpoint] is disabled by default because many deployments do not require dynamic client registration.
The following example shows how to use `OAuth2AuthorizationServerConfiguration` to apply the minimal default configuration:
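Review bot: the rewritten NOTE gives only a convenience reason for the Client Registration endpoint being off by default ("many deployments do not require dynamic client registration"); since enabling it exposes an endpoint that creates new clients, one more clause on the security side would tell readers why it should stay off unless needed. Suggested wording: `... is disabled by default because many deployments do not require dynamic client registration, and enabling it exposes an endpoint that registers new clients.`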
@@ -108,11 +106,11 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
return http.build();
}
----
<1> `registeredClientRepository()`: The xref:core-model-components.adoc#registered-client-repository[`RegisteredClientRepository`] to use.
<2> `authorizationService()`: The xref:core-model-components.adoc#oauth2-authorization-service[`OAuth2AuthorizationService`] to use.
<3> `authorizationConsentService()`: The xref:core-model-components.adoc#oauth2-authorization-consent-service[`OAuth2AuthorizationConsentService`] to use.
<4> `providerSettings()`: The <<configuring-provider-settings, `ProviderSettings`>> to use.
<5> `tokenGenerator()`: The xref:core-model-components.adoc#oauth2-token-generator[`OAuth2TokenGenerator`] to use.
<1> `registeredClientRepository()`: The xref:core-model-components.adoc#registered-client-repository[`RegisteredClientRepository`] (*REQUIRED*) for managing new and existing clients.
<2> `authorizationService()`: The xref:core-model-components.adoc#oauth2-authorization-service[`OAuth2AuthorizationService`] for managing new and existing authorizations.
<3> `authorizationConsentService()`: The xref:core-model-components.adoc#oauth2-authorization-consent-service[`OAuth2AuthorizationConsentService`] for managing new and existing authorization consents.
<4> `providerSettings()`: The <<configuring-provider-settings, `ProviderSettings`>> (*REQUIRED*) for customizing configuration settings for the OAuth2 authorization server.
<5> `tokenGenerator()`: The xref:core-model-components.adoc#oauth2-token-generator[`OAuth2TokenGenerator`] for generating tokens supported by the OAuth2 authorization server.
<6> `clientAuthentication()`: The configurer for <<configuring-client-authentication, OAuth2 Client Authentication>>.
<7> `authorizationEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oauth2-authorization-endpoint[OAuth2 Authorization endpoint].
<8> `tokenEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oauth2-token-endpoint[OAuth2 Token endpoint].
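Review bot: the reworked callouts flag `registeredClientRepository()` and `providerSettings()` as (*REQUIRED*) but say nothing about whether <2>, <3> and <5> are optional or what they fall back to; the `OAuth2TokenGenerator` NOTE in core-model-components.adoc (later in this commit) already states "is an *OPTIONAL* component and defaults to a `DelegatingOAuth2TokenGenerator`", so mirror that here, e.g. `<5> ... (*OPTIONAL*, defaults to a `DelegatingOAuth2TokenGenerator`)`, so a reader of the listing can tell which beans they must supply.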
@@ -181,6 +179,7 @@ It provides access to the `ProviderSettings` and the "`current`" issuer identifi
[NOTE]
If the issuer identifier is not configured in `ProviderSettings.builder().issuer(String)`, it is resolved from the current request.
[NOTE]
The `ProviderContext` is accessible through the `ProviderContextHolder`, which associates it with the current request thread by using a `ThreadLocal`.
[NOTE]
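Review bot: the NOTE "If the issuer identifier is not configured in `ProviderSettings.builder().issuer(String)`, it is resolved from the current request" needs a caveat: an issuer derived from the request follows whatever Host the request arrived with, so the `iss` value and the endpoint URLs advertised to clients depend on the incoming request; production deployments should set `issuer(String)` explicitly or make sure the host the server sees is trusted (for example when running behind a proxy). The new `ThreadLocal` NOTE could also say that, as a consequence, `ProviderContext` is not available on other threads.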
@@ -1,8 +1,5 @@
[[core-model-components]]
= Core Model / Components
:toc: left
:toclevels: 1
:spring-security-reference-base-url: https://docs.spring.io/spring-security/reference
[[registered-client]]
== RegisteredClient
@@ -136,6 +133,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
}
----
[NOTE]
The `OAuth2AuthorizationServerConfigurer` is useful when applying multiple configuration options simultaneously.
[[oauth2-authorization]]
== OAuth2Authorization
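Review bot: the NOTE "The `OAuth2AuthorizationServerConfigurer` is useful when applying multiple configuration options simultaneously." is inserted verbatim after four listings in this file (here and after the `OAuth2AuthorizationService`, `OAuth2AuthorizationConsentService` and `OAuth2TokenGenerator` examples); say it once where the configurer is introduced, or factor it into an AsciiDoc attribute or include, so later edits do not have to be made in four places.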
@@ -144,13 +144,13 @@ An `OAuth2Authorization` is a representation of an OAuth2 authorization, which h
[TIP]
The corresponding authorization model in Spring Security's OAuth2 Client support is {spring-security-reference-base-url}/servlet/oauth2/client/core.html#oauth2Client-authorized-client[OAuth2AuthorizedClient].
After the successful completion of an authorization grant flow, an `OAuth2Authorization` is created and associates an `OAuth2AccessToken`, an (optional) `OAuth2RefreshToken`, and additional state specific to the executed authorization grant type.
After the successful completion of an authorization grant flow, an `OAuth2Authorization` is created and associates an {spring-security-api-base-url}/org/springframework/security/oauth2/core/OAuth2AccessToken.html[`OAuth2AccessToken`], an (optional) {spring-security-api-base-url}/org/springframework/security/oauth2/core/OAuth2RefreshToken.html[`OAuth2RefreshToken`], and additional state specific to the executed authorization grant type.
The `OAuth2Token` instances associated with an `OAuth2Authorization` vary, depending on the authorization grant type.
The {spring-security-api-base-url}/org/springframework/security/oauth2/core/OAuth2Token.html[`OAuth2Token`] instances associated with an `OAuth2Authorization` vary, depending on the authorization grant type.
For the OAuth2 https://datatracker.ietf.org/doc/html/rfc6749#section-4.1[authorization_code grant], an `OAuth2AuthorizationCode`, an `OAuth2AccessToken`, and an (optional) `OAuth2RefreshToken` are associated.
For the OpenID Connect 1.0 https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[authorization_code grant], an `OAuth2AuthorizationCode`, an `OidcIdToken`, an `OAuth2AccessToken`, and an (optional) `OAuth2RefreshToken` are associated.
For the OpenID Connect 1.0 https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[authorization_code grant], an `OAuth2AuthorizationCode`, an {spring-security-api-base-url}/org/springframework/security/oauth2/core/oidc/OidcIdToken.html[`OidcIdToken`], an `OAuth2AccessToken`, and an (optional) `OAuth2RefreshToken` are associated.
For the OAuth2 https://datatracker.ietf.org/doc/html/rfc6749#section-4.4[client_credentials grant], only an `OAuth2AccessToken` is associated.
@@ -226,6 +226,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
}
----
[NOTE]
The `OAuth2AuthorizationServerConfigurer` is useful when applying multiple configuration options simultaneously.
[[oauth2-authorization-consent]]
== OAuth2AuthorizationConsent
@@ -295,6 +298,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
}
----
[NOTE]
The `OAuth2AuthorizationServerConfigurer` is useful when applying multiple configuration options simultaneously.
[[oauth2-token-context]]
== OAuth2TokenContext
@@ -333,7 +339,7 @@ public interface OAuth2TokenContext extends Context {
<4> `getAuthorization()`: The <<oauth2-authorization, OAuth2Authorization>> associated with the authorization grant.
<5> `getAuthorizedScopes()`: The scope(s) authorized for the client.
<6> `getTokenType()`: The `OAuth2TokenType` to generate. The supported values are `code`, `access_token`, `refresh_token`, and `id_token`.
<7> `getAuthorizationGrantType()`: The `AuthorizationGrantType`.
<7> `getAuthorizationGrantType()`: The `AuthorizationGrantType` associated with the authorization grant.
<8> `getAuthorizationGrant()`: The `Authentication` instance used by the `AuthenticationProvider` that processes the authorization grant.
[[oauth2-token-generator]]
@@ -363,7 +369,9 @@ The `OAuth2AccessTokenGenerator` generates an "opaque" (`OAuth2TokenFormat.REFER
[NOTE]
The `OAuth2TokenGenerator` is an *OPTIONAL* component and defaults to a `DelegatingOAuth2TokenGenerator` composed of an `OAuth2AccessTokenGenerator` and `OAuth2RefreshTokenGenerator`.
As well, if a `JwtEncoder` `@Bean` or `JWKSource<SecurityContext>` `@Bean` is registered, then a `JwtGenerator` is additionally composed in the `DelegatingOAuth2TokenGenerator`.
[NOTE]
If a `JwtEncoder` `@Bean` or `JWKSource<SecurityContext>` `@Bean` is registered, then a `JwtGenerator` is additionally composed in the `DelegatingOAuth2TokenGenerator`.
The `OAuth2TokenGenerator` provides great flexibility, as it can support any custom token format for `access_token` and `refresh_token`.
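Review bot: after the NOTE split, the text says the default `DelegatingOAuth2TokenGenerator` holds an `OAuth2AccessTokenGenerator` and, when a `JwtEncoder` or `JWKSource<SecurityContext>` bean exists, also a `JwtGenerator`, but not which of the two produces the `access_token` in that case (the context line above says `OAuth2AccessTokenGenerator` yields an opaque reference token). State the selection rule in the second NOTE, since it decides whether resource servers receive self-contained JWTs or opaque tokens.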
@@ -401,6 +409,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
}
----
[NOTE]
The `OAuth2AuthorizationServerConfigurer` is useful when applying multiple configuration options simultaneously.
[[oauth2-token-customizer]]
== OAuth2TokenCustomizer
@@ -435,7 +446,7 @@ public OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessTokenCustomizer() {
}
----
[TIP]
[NOTE]
If the `OAuth2TokenGenerator` is not provided as a `@Bean` or is not configured through the `OAuth2AuthorizationServerConfigurer`, an `OAuth2TokenCustomizer<OAuth2TokenClaimsContext>` `@Bean` will automatically be configured with an `OAuth2AccessTokenGenerator`.
An `OAuth2TokenCustomizer<JwtEncodingContext>` declared with a generic type of `JwtEncodingContext` (`implements OAuth2TokenContext`) provides the ability to customize the headers and claims of a `Jwt`.
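Review bot: in the NOTE "If the `OAuth2TokenGenerator` is not provided as a `@Bean` or is not configured through the `OAuth2AuthorizationServerConfigurer`", the "or" reads as if either condition alone triggers the default, while the intent is that the default applies when neither is done; "is neither provided as a `@Bean` nor configured through ..." says that. The clause "an `OAuth2TokenCustomizer<OAuth2TokenClaimsContext>` `@Bean` will automatically be configured with an `OAuth2AccessTokenGenerator`" is also ambiguous about which object is configured with which; "will automatically be applied to the default `OAuth2AccessTokenGenerator`" is unambiguous. The same sentence pattern appears in the `JwtEncodingContext` NOTE in the next hunk.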
@@ -473,5 +484,8 @@ public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
}
----
[TIP]
[NOTE]
If the `OAuth2TokenGenerator` is not provided as a `@Bean` or is not configured through the `OAuth2AuthorizationServerConfigurer`, an `OAuth2TokenCustomizer<JwtEncodingContext>` `@Bean` will automatically be configured with a `JwtGenerator`.
[TIP]
For an example showing how you can xref:guides/how-to-userinfo.adoc#customize-id-token[customize the ID token], see the guide xref:guides/how-to-userinfo.adoc#how-to-userinfo[How-to: Customize the OpenID Connect 1.0 UserInfo response].
@@ -53,12 +53,16 @@ public class SecurityConfig {
@Bean // <1>
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
throws Exception {
OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
// @formatter:off
http
// Redirect to the login page when not authenticated from the
// authorization endpoint
.exceptionHandling((exceptions) -> exceptions
.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
.authenticationEntryPoint(
new LoginUrlAuthenticationEntryPoint("/login"))
);
// @formatter:on
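Review bot: the listing keeps `// @formatter:off` and `// @formatter:on` around the `http` chain; confirm that the `chomp` setting in build.gradle (`"chomp": "default headers packages"`, first hunk) strips formatter comments from included code, otherwise they render in the documentation along with the re-wrapped method signature.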
@@ -67,12 +71,15 @@ public class SecurityConfig {
@Bean // <2>
@Order(2)
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
throws Exception {
// @formatter:off
http
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().authenticated()
)
// Form login handles the redirect to the login page from the
// authorization server filter chain
.formLogin(Customizer.withDefaults());
// @formatter:on
@@ -51,7 +51,7 @@ This is a minimal configuration for getting started quickly. To understand what
<1> A Spring Security filter chain for the xref:protocol-endpoints.adoc[Protocol Endpoints].
<2> A Spring Security filter chain for https://docs.spring.io/spring-security/reference/servlet/authentication/index.html[authentication].
<3> An instance of `UserDetailsService` for retrieving users to authenticate.
<3> An instance of {spring-security-api-base-url}/org/springframework/security/core/userdetails/UserDetailsService.html[`UserDetailsService`] for retrieving users to authenticate.
<4> An instance of xref:core-components.adoc#registered-client-repository[`RegisteredClientRepository`] for managing clients.
<5> An instance of `com.nimbusds.jose.jwk.source.JWKSource` for signing access tokens.
<6> An instance of `java.security.KeyPair` with keys generated on startup used to create the `JWKSource` above.
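Review bot: callout <6> describes a `KeyPair` "with keys generated on startup" without flagging it as sample-only; a fresh key pair on every start invalidates every JWT issued before the restart and gives each instance of a scaled deployment a different signing key, so add a sentence that a real deployment should load its keys from a keystore or secret store and serve them through the JWK Set endpoint rather than generate them at boot.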
@@ -4,12 +4,14 @@
:docs-dir: ..
:examples-dir: ../examples
[[getting-started]]
== Getting Started
This guide shows how to implement the xref:{docs-dir}/core-model-components.adoc#core-model-components[core services] of xref:{docs-dir}/index.adoc#top[Spring Authorization Server] with JPA.
The purpose of this guide is to provide a starting point for implementing these services yourself, with the intention that you can make modifications to suit your needs.
* <<define-data-model>>
* <<create-jpa-entities>>
* <<create-spring-data-repositories>>
* <<implement-core-services>>
[[define-data-model]]
== Define the data model
@@ -20,6 +22,10 @@ NOTE: Except for token, state, metadata, settings, and claims values, we use the
In reality, the length and even type of columns you use may need to be customized.
You are encouraged to experiment and test before deploying to production.
* <<client-schema>>
* <<authorization-schema>>
* <<authorization-consent-schema>>
[[client-schema]]
=== Client Schema
@@ -69,6 +75,10 @@ The preceding schema examples provide a reference for the structure of the entit
NOTE: The following entities are minimally annotated and are just examples.
They allow the schema to be created dynamically and therefore do not require the above sql scripts to be executed manually.
* <<client-entity>>
* <<authorization-entity>>
* <<authorization-consent-entity>>
[[client-entity]]
=== Client Entity
@@ -107,6 +117,10 @@ include::{examples-dir}/src/main/java/sample/jpa/AuthorizationConsent.java[tag=c
By closely examining the interfaces of each core service and reviewing the `Jdbc` implementations, we can derive a minimal set of queries needed for supporting a JPA version of each interface.
* <<client-repository>>
* <<authorization-repository>>
* <<authorization-consent-repository>>
[[client-repository]]
=== Client Repository
@@ -150,6 +164,10 @@ By reviewing the `Jdbc` implementations, we can derive a minimal set of internal
CAUTION: Keep in mind that writing JSON data to text columns with a fixed length has proven problematic with the `Jdbc` implementations.
While these examples continue to do so, you may need to split these fields out into a separate table or data store that supports arbitrarily long data values.
* <<registered-client-repository>>
* <<authorization-service>>
* <<authorization-consent-service>>
[[registered-client-repository]]
=== Registered Client Repository
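Review bot: the CAUTION says writing JSON to fixed-length text columns "has proven problematic" without naming the failure; depending on the database the write is rejected or the value is silently truncated, and a truncated JSON document then fails to deserialize when the row is read back. Name the concrete symptom so readers know what to test for before they take the schema to production.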
@@ -3,23 +3,21 @@
:index-link: ../how-to.html
:docs-dir: ..
[[getting-started]]
== Getting Started
This guide shows how to customize the xref:{docs-dir}/protocol-endpoints.adoc#oidc-user-info-endpoint[User Info endpoint] of the xref:{docs-dir}/index.adoc#top[Spring Authorization Server].
The purpose of this guide is to demonstrate how to enable the endpoint and use the available customization options to produce a custom response.
* <<enable-user-info>>
* <<customize-user-info>>
[[enable-user-info]]
== Enable the User Info Endpoint
Before customizing the response, you need to enable the User Info endpoint.
In https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest[Section 5.3.1], the OpenID Connect 1.0 Core specification states:
The xref:{docs-dir}/protocol-endpoints.adoc#oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo endpoint] is an OAuth2 protected resource, which *REQUIRES* an access token to be sent as a bearer token in the https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest[UserInfo request].
> The Access Token obtained from an OpenID Connect Authentication Request MUST be sent as a Bearer Token, per Section 2 of https://openid.net/specs/openid-connect-core-1_0.html#RFC6750[OAuth 2.0 Bearer Token Usage] [RFC6750].
The User Info endpoint requires an authenticated request using the access token (which is a JWT when using the xref:{docs-dir}/getting-started.adoc#sample.gettingStarted[Getting Started config]).
The following listing shows how to configure https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html[Resource Server support] and provide a `JwtDecoder` that can validate the access token to allow authenticated requests to the User Info endpoint.
Before customizing the response, you need to enable the User Info endpoint.
The following listing shows how to enable the {spring-security-reference-base-url}/servlet/oauth2/resource-server/jwt.html[OAuth2 resource server configuration].
[[sample.userinfo]]
include::code:EnableUserInfoSecurityConfig[]
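Review bot: the rewrite drops the removed sentence's point that the listing must "provide a `JwtDecoder` that can validate the access token"; the new lead-in only says it enables "OAuth2 resource server configuration", while protocol-endpoints.adoc (later in this commit) states that a `JwtDecoder` `@Bean` is *REQUIRED* for the UserInfo endpoint. Keep one sentence saying the resource server configuration needs a `JwtDecoder` for the JWT access tokens issued by the Getting Started config, so readers know what the included listing has to contain.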
@@ -37,6 +35,9 @@ This configuration provides the following:
The following sections describe some options for customizing the user info response.
* <<customize-id-token>>
* <<customize-user-info-mapper>>
[[customize-id-token]]
=== Customize the ID Token
@@ -44,7 +45,7 @@ By default, the user info response is generated by using claims from the `id_tok
Using the default strategy, https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[standard claims] are returned only with the user info response based on the https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[requested scopes] during authorization.
The preferred way to customize the user info response is to add standard claims to the `id_token`.
The following listing shows how add claims to the `id_token`.
The following listing shows how to add claims to the `id_token`.
[[sample.userinfo.idtoken]]
include::code:IdTokenCustomizerConfig[]
@@ -83,7 +84,3 @@ Similar to the <<customize-id-token,example shown earlier>> where we customize c
include::code:JwtTokenCustomizerConfig[]
Whether you customize the user info response directly or use this example and customize the access token, you can look up information in a database, perform an LDAP query, make a request to another service, or use any other means of obtaining the information you want to be presented in the user info response.
== Conclusion
In this guide, you have learned how to <<enable-user-info,enable>> the xref:{docs-dir}/protocol-endpoints.adoc#oidc-user-info-endpoint[User Info endpoint] and explored various ways of customizing the response, including <<customize-id-token,customizing the ID token>> while continuing to use the built-in response and <<customize-user-info-mapper,customizing the response directly>> using a custom user info mapper.
@@ -2,18 +2,7 @@
= "How-to" Guides
[[how-to-overview]]
== Overview
== List of Guides
* xref:guides/how-to-userinfo.adoc[Customize the OpenID Connect 1.0 UserInfo response]
* xref:guides/how-to-jpa.adoc[Implement core services with JPA]
[[how-to-coming-soon]]
== Coming Soon
* Authenticate using social login, e.g. Google (https://github.com/spring-projects/spring-authorization-server/issues/538[#538])
* Authenticate a user in a Single Page Application with PKCE (https://github.com/spring-projects/spring-authorization-server/issues/539[#539])
* Deny access for a revoked JWT access token (https://github.com/spring-projects/spring-authorization-server/issues/543[#543])
* Provide a JWK source backed by a key rotation strategy (https://github.com/spring-projects/spring-authorization-server/issues/544[#544])
* Customize form based login (https://github.com/spring-projects/spring-authorization-server/issues/533[#533])
* Add a custom grant type (https://github.com/spring-projects/spring-authorization-server/issues/686[#686])
* Authenticate a user with two-factor authentication (https://github.com/spring-projects/spring-authorization-server/issues/534[#534])
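Review bot: the heading under `[[how-to-overview]]` changes from "Overview" to "List of Guides" but the anchor keeps its old name; rename it to match (or keep "Overview" as the title) so the id and the heading do not drift apart, and since the whole "Coming Soon" section with its `[[how-to-coming-soon]]` anchor is removed, check that no other page still xrefs that anchor.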
@@ -1,7 +1,5 @@
[[overview]]
= Overview
:toc: left
:toclevels: 1
This site contains reference documentation and how-to guides for Spring Authorization Server.
@@ -1,7 +1,5 @@
[[protocol-endpoints]]
= Protocol Endpoints
:toc: left
:toclevels: 1
[[oauth2-authorization-endpoint]]
== OAuth2 Authorization Endpoint
@@ -271,6 +269,9 @@ public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
[NOTE]
A `JwtDecoder` `@Bean` is *REQUIRED* for the OpenID Connect 1.0 UserInfo endpoint.
[TIP]
The guide xref:guides/how-to-userinfo.adoc#how-to-userinfo[How-to: Customize the OpenID Connect 1.0 UserInfo response] contains examples of customizing the UserInfo endpoint.
[[oidc-client-registration-endpoint]]
== OpenID Connect 1.0 Client Registration Endpoint
@@ -295,6 +296,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
}
----
[NOTE]
The OpenID Connect 1.0 Client Registration endpoint is disabled by default because many deployments do not require dynamic client registration.
`OidcClientRegistrationEndpointConfigurer` configures the `OidcClientRegistrationEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`.
`OidcClientRegistrationEndpointFilter` is the `Filter` that processes https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest[Client Registration requests] and returns the https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationResponse[OidcClientRegistration response].
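Review bot: the added NOTE repeats the configuration-model sentence word for word; since this is the endpoint's own section, it is the place to state what protects the endpoint once it is enabled (which access token a Client Registration request must present, and with what scope), which neither NOTE currently says. If that is documented further down this section, an xref from the NOTE would do.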