Invalid verification_uri in device authorization response when context path exists

[sfeigl]

Describe the bug

The OAuth2AuthorizationServerConfigurer allows to configure the "verificationUri" the user has to visit to authorize a device during the device authorization flow.

This verification URI replaces the complete path component of the URI the device used to request the device authorization. If the web application is not located on the root path, the path to the web application is truncated.

Lets say the verificationUri is configured to "verifyDevice", the authorization server is reachable with the base URL:

https://auth.server/authserver/

and the device initates the flow under the URI

https://auth.server/authserver/oauth2/device_authorization

then the returned verification uri is

https://auth.server/verifyDevice

In the OAuth2DeviceAuthorizationEndpointFilter a replacePath is used

UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder .fromHttpUrl(UrlUtils.buildFullRequestUrl(request)) .replacePath(this.verificationUri); String verificationUri = uriComponentsBuilder.build().toUriString();

So it is impossible to configure a path relative to the authorization server base URI without knowing the server base URI in advance (during application startup). Knowing the base URI in advance is sometimes difficult (in proxy scenarios)

Expected behavior

The verificationUri should be configurable relative to the authorization server base URI.

[jgrandja]

@sfeigl Thanks for reporting this. This bug was introduced in 1.3.

Would you be interested in submitting a fix for this?

[sfeigl]

I suppose

.fromHttpUrl(UrlUtils.buildFullRequestUrl(request)) .replacePath(UrlPathHelper.defaultInstance.getContextPath(request)).pathSegment(this.verificationUri)

should work.

I probably can try this end of the week.