Support POST for authorization code request flow

[sylvain-costanzo]

Expected Behavior
A POST /authorize without the openid scope should be accepted by the authorization server

Current Behavior
A POST /authorize without the openid scope returns a 404 with the following error log :

org.springframework.web.servlet.resource.NoResourceFoundException: No static resource oauth/authorize

Context
Our implementation allow to not pass the scope parameter during the first /authorize request, as allowed by the oauth2 specification
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 and https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
In this case our server act as if every scopes were requested.

There is no issue with spring authorization server when using a GET, but our implementation replays the /authorize request with a POST after a /login.

The authorizationEndpointMatcher of OAuth2AuthorizationEndpointFilter only match POST /authorize requests who have the openid scope : https://github.com/spring-projects/spring-authorization-server/blob/main/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.java#L156

I guess this is because the oauth2 spec states that the authorization server MAY support the use of POST https://datatracker.ietf.org/doc/html/rfc6749#section-3.1
while openid spec states that the server MUST support GET and POST https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

Unfortunately we cannot submit this second /authorize with a GET as it would break other parts of our system.
We considered tinkering with the RequestCache to add every scopes of the client in the SavedRequest, but a modification in spring authorization server would be simpler because we can just handle this use case in the token generators.

Is it possible to allow the customization of this matcher, or to remove the openid scope matcher for POST in OAuth2AuthorizationEndpointFilter ?

[jgrandja]

@sylvain-costanzo Can you provide more details regarding:

Unfortunately we cannot submit this second /authorize with a GET as it would break other parts of our system.

As specified in 3.1 Authorization Endpoint:

The authorization server MUST support the use of the HTTP "GET"
method [RFC2616] for the authorization endpoint and MAY support the
use of the "POST" method as well.

Hence POST is OPTIONAL and was not implemented for the standard OAuth 2.0 Authorization Request flow, but it is implemented for the OpenID Connect 1.0 Authorization Request flow (when openid scope is in request) since it is REQUIRED.

This is the very first request asking to support POST for the standard OAuth 2.0 Authorization Request flow, so it appears that it's not needed from the rest of our users.

However, before a decision is made, I would like to understand why changing things on your end to a GET would break parts of your system.

[sylvain-costanzo]

Hello @jgrandja and thank you for your answer

The main issue comes from our custom implementation of the prompt=login.
We are using an authentication converter to catch the /authorize request if prompt=login is detected within a GET request.
Using a POST during our "replay" of the /authorize request allow us to not loop indefinitely because of this converter.

We understand that our implementation may be sub-optimal, and that it is the first time someone request this feature.
But as the oauth2 spec states that it MAY support POST, we thought it was not an unreasonable request to do.

[jgrandja]

@sylvain-costanzo I don't think we want to expose a setter for authorizationEndpointMatcher but we will consider adding support for POST for a standard OAuth 2.1 Authorization Request flow. I've changed the title of the ticket to reflect that enhancement.

[sylvain-costanzo]

@jgrandja
I am willing to work on this feature but I don't see it planned in this board so I am reaching out to know if it would be acceptable ?

I think the best way to do it is to remove the openid scope matcher in OAuth2AuthorizationEndpointFilter so that's how I would implement it.

[jgrandja]

@sylvain-costanzo A PR for this enhancement would be greatly appreciated.

I think the best way to do it is to remove the openid scope matcher

I think that will work.