jgrandja changed the title from "Device authorization flow when authorization server is not running under root path" to "Invalid verification_uri in device authorization response when context path exists" on Sep 18, 2024
Describe the bug
The OAuth2AuthorizationServerConfigurer allows configuring the "verificationUri" the user has to visit to authorize a device during the device authorization flow.
This verification URI replaces the complete path component of the URI the device used to request the device authorization. If the web application is not located on the root path, the path to the web application is truncated.
Let's say the verificationUri is configured to "verifyDevice", the authorization server is reachable with the base URL:
https://auth.server/authserver/
and the device initiates the flow under the URI
https://auth.server/authserver/oauth2/device_authorization
then the returned verification uri is
https://auth.server/verifyDevice
In the OAuth2DeviceAuthorizationEndpointFilter a replacePath is used
    UriComponentsBuilder uriComponentsBuilder = UriComponentsBuilder
            .fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
            .replacePath(this.verificationUri);
    String verificationUri = uriComponentsBuilder.build().toUriString();
So it is impossible to configure a path relative to the authorization server base URI without knowing the server base URI in advance (during application startup). Knowing the base URI in advance is sometimes difficult (in proxy scenarios).
Expected behavior
The verificationUri should be configurable relative to the authorization server base URI.
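The behaviour reported above, next to one context-path-aware way to build the URI, as an added example that is not part of the original issue and not the project's own code. The class and method names are hypothetical, `fromUriString` is used in place of `fromHttpUrl`, and `contextPath` is assumed to be the value `HttpServletRequest.getContextPath()` would return.

```java
import java.net.URI;

import org.springframework.web.util.UriComponentsBuilder;

// Hypothetical demo class; needs spring-web on the classpath.
public class VerificationUriDemo {

    // Behaviour reported in the issue: replacePath() drops the entire request
    // path, so the servlet context path ("/authserver") is lost as well.
    static String replaceWholePath(String requestUrl, String verificationUri) {
        return UriComponentsBuilder.fromUriString(requestUrl)
                .replacePath(verificationUri)
                .build()
                .toUriString();
    }

    // Assumed alternative: a non-absolute verificationUri is resolved relative
    // to the context path. contextPath is "" for the root context, otherwise
    // "/name" without a trailing slash (servlet API contract).
    static String resolveUnderContextPath(String requestUrl, String contextPath,
                                          String verificationUri) {
        if (URI.create(verificationUri).isAbsolute()) {
            return verificationUri; // a fully qualified URL is used as configured
        }
        String relative = verificationUri.startsWith("/")
                ? verificationUri
                : "/" + verificationUri;
        return UriComponentsBuilder.fromUriString(requestUrl)
                .replacePath(contextPath) // keep only the context path
                .path(relative)           // then append the configured path
                .build()
                .toUriString();
    }

    public static void main(String[] args) {
        // URLs taken from the issue text.
        String requestUrl = "https://auth.server/authserver/oauth2/device_authorization";

        // Context path truncated, as described in the report.
        System.out.println(replaceWholePath(requestUrl, "verifyDevice"));

        // Context path preserved.
        System.out.println(resolveUnderContextPath(requestUrl, "/authserver", "verifyDevice"));

        // Root context: both approaches agree.
        System.out.println(resolveUnderContextPath(
                "https://auth.server/oauth2/device_authorization", "", "/verifyDevice"));
    }
}
```

The context path covers only the prefix the servlet container knows about; a prefix added by a reverse proxy is visible to the application only if forwarded headers are processed before this code runs.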