From 9bce83d875384d2132b676158eb41c6785aba213 Mon Sep 17 00:00:00 2001 From: Stephen Doxsee Date: Mon, 19 Aug 2019 16:01:56 -0400 Subject: [PATCH 1/2] Add documentation for public client PKCE support --- .../docs/asciidoc/_includes/reactive/oauth2/login.adoc | 10 ++++++++++ .../_includes/servlet/preface/oauth2-client.adoc | 2 +- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc index 09fc66dc04a..dced3428268 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc @@ -154,3 +154,13 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { return http.build(); } ---- + +[[webflux-oauth2-login-public-client]] +== Login With Public Client + +If your client is running on a untrusted host where you are unable to keep a secret (e.g. a desktop client, an insecure server environment, etc.), you can use Spring Security's PKCE support for public clients. https://tools.ietf.org/html/rfc7636[PKCE] utilizes the Authorization Code Flow to obtain access tokens without the need for a client secret. Spring Security will use PKCE automatically when the following conditions are true in your `ClientRegistration`: + +. `clientSecret` is empty +. `clientAuthenticationMethod` is set to `ClientAuthenticationMethod.NONE` + +For default Spring Boot configuration like _<>_, this is as simple as omitting `client-secret` and setting `client-authentication-method: none` in your client registration. For explicit configuration, ensure the above two conditions are met when creating your `ClientRegistration`. \ No newline at end of file diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc index 74fb98708a9..9c07b7b9aa2 100644 
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-client.adoc @@ -90,7 +90,7 @@ public final class ClientRegistration { <2> `clientId`: The client identifier. <3> `clientSecret`: The client secret. <4> `clientAuthenticationMethod`: The method used to authenticate the Client with the Provider. -The supported values are *basic* and *post*. +The supported values are *basic*, *none* and *post*. <5> `authorizationGrantType`: The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types. The supported values are authorization_code, implicit, and client_credentials. <6> `redirectUriTemplate`: The client's registered redirect URI that the _Authorization Server_ redirects the end-user's user-agent From 782d9d249f3f65aa2607491e9bc4d64d132e0470 Mon Sep 17 00:00:00 2001 From: Stephen Doxsee Date: Mon, 19 Aug 2019 16:18:38 -0400 Subject: [PATCH 2/2] Copy documentation from reactive to servlet --- .../asciidoc/_includes/reactive/oauth2/login.adoc | 2 +- .../_includes/servlet/additional-topics/oauth2.adoc | 11 +++++++++++ .../_includes/servlet/preface/oauth2-login.adoc | 1 + 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc index dced3428268..b701a385fd8 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc 
@@ -158,7 +158,7 @@ SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { [[webflux-oauth2-login-public-client]] == Login With Public Client -If your client is running on a untrusted host where you are unable to keep a secret (e.g. a desktop client, an insecure server environment, etc.), you can use Spring Security's PKCE support for public clients. https://tools.ietf.org/html/rfc7636[PKCE] utilizes the Authorization Code Flow to obtain access tokens without the need for a client secret. Spring Security will use PKCE automatically when the following conditions are true in your `ClientRegistration`: +If your client is running on a untrusted host where you are unable to keep a secret (e.g. a desktop client, an insecure server environment, etc.) and your identity provider supports it, you can use Spring Security's PKCE support for public clients. https://tools.ietf.org/html/rfc7636[PKCE] utilizes the Authorization Code Flow to obtain access tokens without the need for a client secret. Spring Security will use PKCE automatically when the following conditions are true in your `ClientRegistration`: . `clientSecret` is empty . `clientAuthenticationMethod` is set to `ClientAuthenticationMethod.NONE` diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc index 0fb146b07bb..d2470d63ffc 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/oauth2.adoc 
@@ -221,6 +221,17 @@ return CommonOAuth2Provider.GOOGLE.getBuilder("google") ==== +[[oauth2login-advanced-public-client]] +=== Login With Public Client + +If your client is running on a untrusted host where you are unable to keep a secret (e.g. a desktop client, an insecure server environment, etc.) and your identity provider supports it, you can use Spring Security's PKCE support for public clients. https://tools.ietf.org/html/rfc7636[PKCE] utilizes the Authorization Code Flow to obtain access tokens without the need for a client secret. Spring Security will use PKCE automatically when the following conditions are true in your `ClientRegistration`: + +. `clientSecret` is empty +. `clientAuthenticationMethod` is set to `ClientAuthenticationMethod.NONE` + +For default Spring Boot configuration, this is as simple as omitting `client-secret` and setting `client-authentication-method: none` in your client registration. For explicit configuration, ensure the above two conditions are met when creating your `ClientRegistration`. + + [[oauth2login-advanced-userinfo-endpoint]] === UserInfo Endpoint diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc index adead1a92d1..b6117ab6744 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/preface/oauth2-login.adoc @@ -402,6 +402,7 @@ The following additional resources describe advanced configuration options: * <> * <> +* <> * <> ** <> ** <>
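Review bot: In patch 1/2, hunk `@@ -154,3 +154,13 @@` of `reactive/oauth2/login.adoc`, "a untrusted host" should read "an untrusted host", and the cross-reference `_<>_` in "For default Spring Boot configuration like _<>_" appears with no target in this hunk, so it will not resolve when the AsciiDoc is rendered; give it the id of the Spring Boot property-mapping section it is meant to point to. The file is also left without a trailing newline ("\ No newline at end of file"); adding one here avoids the same marker reappearing in the follow-up patch.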
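Review bot: In patch 1/2, hunk `@@ -90,7 +90,7 @@` of `servlet/preface/oauth2-client.adoc`, the `clientAuthenticationMethod` list now includes *none*, but nothing tells the reader that *none* is the value that selects the public-client flow in which no client secret is sent and PKCE is used instead. A short clause after the list, or a cross-reference to the new "Login With Public Client" section (`[[webflux-oauth2-login-public-client]]`), would connect the two changes in this patch.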
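Review bot: In patch 2/2, hunk `@@ -158,7 +158,7 @@` of `reactive/oauth2/login.adoc`, the rewritten sentence carries "a untrusted host" over from the first patch; since this line is already being replaced, change it to "an untrusted host" here. The added qualifier "and your identity provider supports it" is the right caveat, because the automatic PKCE behaviour described in the next sentence only helps when the provider accepts the `code_challenge` parameters defined by RFC 7636; it would be worth one sentence saying where to check provider support.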
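Review bot: In patch 2/2, hunk `@@ -221,6 +221,17 @@` of `servlet/additional-topics/oauth2.adoc`, the copied section repeats "a untrusted host" from the reactive text; use "an untrusted host" in both copies. The servlet copy also drops the reference that the reactive version has in "For default Spring Boot configuration like _<>_", so the two paragraphs now differ only by that missing cross-reference; either keep the wording identical or add the servlet-side equivalent. Minor: two added blank lines precede `[[oauth2login-advanced-userinfo-endpoint]]`, where the neighbouring sections are separated by one.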
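Review bot: In patch 2/2, hunk `@@ -402,6 +402,7 @@` of `servlet/preface/oauth2-login.adoc`, the new list entry `* <>` has no visible target in this hunk, and the entries around it are likewise elided, so its placement cannot be checked from the diff alone. Confirm that it points at the `[[oauth2login-advanced-public-client]]` anchor introduced in `oauth2.adoc` in the same patch, and that its position in the list matches the section order in that file, where the new section sits directly before "UserInfo Endpoint".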