[oauth2] support custom signing algorithms and PKCE for social login #1507
Conversation
|
Hi, can you provide more context ? I have no idea what the problem is in the first place. |
I cannot use my IDM tool kanidm because of the spring security library only doing RS256 token signing out of the box. These things can sadly not by enabled via the spring oauth provider config (with no interest from spring upstream to add it), thus the code changes here to allow for it. Sorry for the lack of context, I had provided this in the discord and didn't think further about it after being told to create an issue/pr. |
|
Thanks. This should ideally be baked in Spring Boot, as mentioned here. I have not seen this raised in the Spring Boot repo though. I am reluctant to merge this PR, as the setting would apply to all registered OAuth2 providers, and not just the one needed. I think a better approach would be to raise this in the Spring Boot repo and see if they can add support for it in the auto configuration. |
|
It appears that pkce can now be done via a bean, idk if this is better or provides access to client config, will have to test that out: spring-projects/spring-security#15236. I'm linking this here so I don't lose track of it. |
This pr would allow users to configure different oauth2 id_token signing algorithms
And prevent against worst consequences of accidental client-secret leakage using PKCE.
Please let me know if I should do the configuration stuff differently or if things (beans) are in the wrong place :)
Or if the defaults should stay pkce disabled and RS256 signing.
I currently tested these changes locally using
komga [bootRun] dev,localdb,noclaim,oauth2and my kanidm instance configured as custom oauth2 client/provider.I also tested with the github example, seems to also support ES256 and pkce.