Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow extension and/or modification of success/error response handlers within Filters #1369

Closed
ddubson opened this issue Sep 19, 2023 · 2 comments
Closed

Allow extension and/or modification of success/error response handlers within Filters #1369

ddubson opened this issue Sep 19, 2023 · 2 comments
Assignees
@ddubson
Labels
status: duplicate A duplicate of another issue

Comments

@ddubson
Copy link
Contributor

ddubson commented Sep 19, 2023
edited by jgrandja
Loading

The purpose of this design charter is to evaluate a strategy for allowing extension and/or modification of success and error response handlers within a set of applicable server endpoints (implemented within Filter classes).

The present state of success and error handlers is that they are implemented mostly as private instance methods within respective Filter classes. (List of Filter classes below).

Success response handlers

Success response handlers should not be fully modifiable as they contain logic critical to a stable operating auth server, but they should be customizable at designated points. The designated points should be decided in advance with the criteria being: should a developer be able to modify this behavior? The approach of allowing the developer to inject Consumer<T> classes in order to extend a certain logic of a handler may be an option.

Success response handlers may be extendable at designated points. A developer should be able to inject their own application logic (e.g. for logging purposes) as needed — after the critical default success response handler.

Error response handlers

Error response handlers are much lighter than success response handlers as they contain less logic and overall have a smaller footprint for any given Filter response.

For example, the following is a subset of Filters contain the same logic for error response handling which may be abstracted into a consistent pattern for a default error response handler:

  • OAuth2TokenIntrospectionEndpointFilter
  • OAuth2TokenRevocationEndpointFilter
  • OAuth2TokenEndpointFilter
  • OAuth2DeviceAuthorizationEndpointFilter

Error response handlers may be extendable at designated points. A developer should be able to inject their own application logic (i.e. for logging purposes) as needed — after the critical default error response handler.

Potential approaches

Potential approaches for affording extensions of response handlers:

  • Using private scoped, static functions as default success and error handlers, which may then be used in a class using Delegation pattern.
  • Disallow overriding default handlers (private methods) as needed.

Potential approaches for affording modifications of default response handlers:

  • Usage of Consumer<T> implementations

Appendix

The following is a list of allFilter classes

  • Applicable (i.e. success/error handlers are present)
    • OAuth2AuthorizationEndpointFilter
    • OAuth2ClientAuthenticationFilter
    • OAuth2DeviceAuthorizationEndpointFilter
    • OAuth2DeviceVerificationEndpointFilter
    • OAuth2TokenEndpointFilter
    • OAuth2TokenIntrospectionEndpointFilter
    • OAuth2TokenRevocationEndpointFilter
    • OidcUserInfoEndpointFilter
    • OidcClientRegistrationEndpointFilter
    • OidcLogoutEndpointFilter
  • Not applicable (i.e. no success/error handlers present)
    • NimbusJwkSetEndpointFilter
    • OAuth2AuthorizationServerMetadataEndpointFilter
    • OidcProviderConfigurationEndpointFilter

Use cases

  • Application and/or audit logging of authorization server responses.
  • Modify response codes and/or messages as per organizational need.
  • Append additional data to success or error responses.

Related open issues
@ddubson ddubson added the type: enhancement A general enhancement label Sep 19, 2023
@ddubson ddubson changed the title **Design charter**: Pattern for allowing extension and/or modification of success and error response handlers within Filters Design charter: Pattern for allowing extension and/or modification of success and error response handlers within Filters Sep 19, 2023
@jgrandja jgrandja changed the title Design charter: Pattern for allowing extension and/or modification of success and error response handlers within Filters Allow extension and/or modification of success/error response handlers within Filters Oct 10, 2023
@jgrandja
Copy link
Collaborator

Thanks for the detailed analysis @ddubson !

As far as the approach goes, I think we should start exposing AuthenticationSuccessHandler and AuthenticationFailureHandler implementations to allow for delegation-based strategy configurations. Furthermore, exposing new class implementations will allow us to add hooks to allow for customizing the default behaviour.

For the first iteration, let's create a new AuthenticationFailureHandler that will be used by:

  • OAuth2TokenEndpointFilter
  • OAuth2TokenIntrospectionEndpointFilter
  • OAuth2TokenRevocationEndpointFilter
  • OAuth2DeviceAuthorizationEndpointFilter

For the second iteration, let's see if we can come up with a hook in the new AuthenticationFailureHandler that will allow for reuse and customization for these additional Filter's:

  • OAuth2ClientAuthenticationFilter
  • OidcUserInfoEndpointFilter
  • OidcClientRegistrationEndpointFilter

As far as exposing AuthenticationSuccessHandler's, let's focus on exposing OAuth2TokenEndpointFilter.sendAccessTokenResponse() as a new AuthenticationSuccessHandler, which will resolve gh-925. Let's keep this in a separate PR from the above work.

ddubson pushed a commit to ddubson/spring-authorization-server that referenced this issue Oct 12, 2023
Add reusable default authentication failure handler
63796c7 
Fixes spring-projectsgh-1369
@ddubson ddubson mentioned this issue Oct 12, 2023
Closed
ddubson pushed a commit to ddubson/spring-authorization-server that referenced this issue Oct 14, 2023
@ddubson
Add reusable default authentication failure handler
9c9824c 
Fixes spring-projectsgh-1369
ddubson pushed a commit to ddubson/spring-authorization-server that referenced this issue Oct 14, 2023
@ddubson
Add reusable default authentication failure handler
dcf80ef 
Fixes spring-projectsgh-1369
ddubson pushed a commit to ddubson/spring-authorization-server that referenced this issue Oct 16, 2023
Add reusable OAuth2ErrorAuthenticationFailureHandler
4016465 
Related spring-projectsgh-1369
ddubson pushed a commit to ddubson/spring-authorization-server that referenced this issue Oct 16, 2023
Add reusable OAuth2ErrorAuthenticationFailureHandler
3808ad3 
Related spring-projectsgh-1369
jgrandja pushed a commit that referenced this issue Oct 17, 2023
@jgrandja
Add OAuth2ErrorAuthenticationFailureHandler
96c90dd 
Related gh-1369

Closes gh-1384
@jgrandja jgrandja mentioned this issue Oct 18, 2023
Closed
@jgrandja jgrandja moved this to Prioritized in Spring Security Team Oct 20, 2023
@ddubson ddubson mentioned this issue Oct 30, 2023
Closed
2 tasks
ddubson added a commit to ddubson/spring-authorization-server that referenced this issue Nov 28, 2023
@ddubson
draft: initial implementation of customization functions in auth erro…
038fd2d 
…r response handler

fixes spring-projectsgh-1369
@ddubson ddubson mentioned this issue Nov 28, 2023
Closed
3 tasks
ddubson added a commit to ddubson/spring-authorization-server that referenced this issue Jan 19, 2024
@ddubson
draft: initial implementation of customization functions in auth erro…
f2e0434 
…r response handler

fixes spring-projectsgh-1369
ddubson added a commit to ddubson/spring-authorization-server that referenced this issue Jan 19, 2024
@ddubson
draft: initial implementation of customization functions in auth erro…
25ac17c 
…r response handler

fixes spring-projectsgh-1369
@jgrandja
Copy link
Collaborator

Closing as duplicate of gh-1384 and gh-1429

@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed type: enhancement A general enhancement labels Jan 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ddubson ddubson

Labels
status: duplicate A duplicate of another issue
Projects
None yet
Milestone
No milestone
2 participants
@ddubson @jgrandja