Implement Authorization Endpoint

[jgrandja]

An authorization server provides an authorization endpoint, which it uses when interacting with the resource owner to obtain authorization for a client.

The OAuth2AuthorizationEndpointFilter should be implemented as a Filter. The OAuth2AuthorizationRequestRedirectFilter in the spring-security-oauth2-client module is the client Filter that redirects to the Authorization Endpoint.

Implementation Requirements

• the Filter should process requests for the (default) path /oauth2/authorize
• authorizationRequestConverter should convert a valid Authorization Request to OAuth2AuthorizationRequest
• the RegisteredClientRepository Implement Client Registration Model / Repository #40 should be used to validate the client_id parameter
• the OAuth2AuthorizationService Implement Authorization Model / Service #43 should be used to persist the in-flight OAuth2Authorization
• the codeGenerator should be used to generate the authorization code parameter and it should also be stored in OAuth2Authorization.attributes for later validation in Implement Token Endpoint #67
• javadoc class and public methods
• Unit tests

Specification References

3.1. Authorization Endpoint
4.1. Authorization Code Grant
4.1.1. Authorization Request
4.1.2. Authorization Response

[paurav-munshi]

@jgrandja I would like to work on this issue. Please let me know if its good to start work on this ?

[jgrandja]

Thanks @paurav-munshi. The issue is yours.

[paurav-munshi]

@jgrandja

Can you please clarify few things ?

1. How will we handle the authentication part of the authorize endpoint ? Is is the scope of this issue ? If so then we will have to redirect the user-agent to a login endpoint

2. Once the code is generation, it will be the responsibility of the filter to redirect the user-agent to the configured redirect-uri along with code in query string. Is this understanding correct ?

3. Is there any reason why code needs to be in OAuth2Authorization.attributes and not have its own class like OAuth2AccessToken ? I am asking because code itself will need additional attributes like creating time and access counter at a minimum. So a separate class or representation by OAuth2AccesToken should be better.

[jgrandja]

@paurav-munshi

How will we handle the authentication part of the authorize endpoint ?

The default security configuration (WebSecurityConfigurerAdapter) will be configured with authenticated() for the /oauth2/authorize endpoint, so the existing features of Spring Security will be leveraged here - in a later story.

Once the code is generation, it will be the responsibility of the filter to redirect the user-agent to the configured redirect-uri along with code in query string. Is this understanding correct ?

Yes, that is correct. Take a look at how OAuth2AuthorizationRequestRedirectFilter (in spring-security-oauth2-client) redirects to the Authorization Endpoint. Also, please review 4.1.2. Authorization Response

Is there any reason why code needs to be in OAuth2Authorization.attributes and not have its own class like OAuth2AccessToken ?

OAuth2AccessToken is common across all grant flows. However, code is only applicable to the authorization_code grant. So I'd prefer to keep common attributes at the high-level of OAuth2Authorization and non-common attributes in OAuth2Authorization.attributes.

I am asking because code itself will need additional attributes like creating time and access counter at a minimum. So a separate class or representation by OAuth2AccesToken should be better.

Yes, great observation! This will come in a later story. We will need to expire code after a configured amount of time, as well, code should never be used more than once. We'll get there, but for now, just store code as a String in OAuth2Authorization.attributes.