@@ -407,6 +407,29 @@ A request with the base path `/oauth2/authorization/okta` will initiate the Auth
The `AuthorizationCodeOAuth2AuthorizedClientProvider` is an implementation of `OAuth2AuthorizedClientProvider` for the Authorization Code grant,
which also initiates the Authorization Request redirect by the `OAuth2AuthorizationRequestRedirectFilter`.
+If the OAuth 2.0 Client is a https://tools.ietf.org/html/rfc6749#section-2.1[Public Client], than configure the OAuth 2.0 Client registration as follows:
+
+[source,yaml]
+----
+spring:
+ security:
+ oauth2:
+ client:
+ registration:
+ okta:
+ client-id: okta-client-id
+ client-authentication-method: none
+ authorization-grant-type: authorization_code
+ redirect-uri: "{baseUrl}/authorized/okta"
+ ...
+----
+
+Public Clients are supported using https://tools.ietf.org/html/rfc7636[Proof Key for Code Exchange] (PKCE).
+If the client is running in an untrusted environment (eg. native application or web browser-based application) and therefore incapable of maintaining the confidentiality of it's credentials, PKCE will automatically be used when the following conditions are true:
+
+. `client-secret` is omitted (or empty)
+. `client-authentication-method` is set to "none" (`ClientAuthenticationMethod.NONE`)
+
The `DefaultOAuth2AuthorizationRequestResolver` also supports `URI` template variables for the `redirect-uri` using `UriComponentsBuilder`.
The following configuration uses all the supported `URI` template variables:
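Review bot: the sentence introducing the public-client registration reads "than configure", which should be "then configure", and the PKCE paragraph has "eg." for "e.g." and "it's credentials" for "its credentials". The list following "PKCE will automatically be used when the following conditions are true" should state that both conditions must hold together, for example "when both of the following conditions are true", so a reader does not take either one alone as sufficient; the YAML example above already satisfies both by omitting `client-secret` and setting `client-authentication-method: none`, which is worth pointing out in the text so the example and the rule line up.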
|