
feat: always prompt the login/account selection screen at IDP
its-felix committed Oct 25, 2024
1 parent 8669968 commit 3d71d52
Showing 1 changed file with 43 additions and 11 deletions.
Expand Up @@ -39,27 +39,48 @@ public ClientRegistration findByRegistrationId(String registrationId) {
return Optional.ofNullable(uriComponents.getHost())
.flatMap((host) -> findBase(registrationId + "@" + host))
.or(() -> findBase(registrationId))
.map((v) -> maybeChangeAuthorizationURL(v, uriComponents))
.map(CustomClientRegistrationRepository::changeAuthorizationURL)
.orElse(null);
}

private Optional<ClientRegistration> findBase(String registrationId) {
return Optional.ofNullable(this.base.findByRegistrationId(registrationId));
}

private ClientRegistration maybeChangeAuthorizationURL(ClientRegistration base, UriComponents uriComponents) {
if (!Objects.equals(uriComponents.getQueryParams().getFirst("add"), "true")) {
return base;
private static ClientRegistration changeAuthorizationURL(ClientRegistration base) {
// Google and GitHub provider details are populated by org.springframework.security.config.oauth2.client.CommonOAuth2Provider

final String issuerUri = base.getProviderDetails().getIssuerUri();
if (issuerUri != null && !issuerUri.isEmpty()) {
final UriComponents uriComponents = UriComponentsBuilder.fromHttpUrl(issuerUri).build();
final String host = uriComponents.getHost();

if (host != null) {
if (host.startsWith("cognito-idp") && host.endsWith("amazonaws.com")) {
return changeAuthorizationURLCognito(base);
} else if (Objects.equals(host, "accounts.google.com")) {
return changeAuthorizationURLGitHubOrGoogle(base);
} else if (Objects.equals(host, "gw2auth.com")) {
return changeAuthorizationURLGw2auth(base);
}
}
}

return switch (base.getRegistrationId()) {
case "cognito" -> changeAuthorizationURLCognito(base);
case "github", "google" -> changeAuthorizationURLGitHubOrGoogle(base);
default -> base;
};
// GitHub provider details dont have a issuer uri, use authorization uri for detection instead
final String authorizationUri = base.getProviderDetails().getAuthorizationUri();
if (authorizationUri != null && !authorizationUri.isEmpty()) {
final UriComponents uriComponents = UriComponentsBuilder.fromHttpUrl(authorizationUri).build();
final String host = uriComponents.getHost();

if (Objects.equals(host, "github.com")) {
return changeAuthorizationURLGitHubOrGoogle(base);
}
}

return base;
}

private ClientRegistration changeAuthorizationURLCognito(ClientRegistration base) {
private static ClientRegistration changeAuthorizationURLCognito(ClientRegistration base) {
// https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html
final String authorizationUri = UriComponentsBuilder.fromHttpUrl(base.getProviderDetails().getAuthorizationUri())
.replacePath("/logout")
Expand All @@ -70,7 +91,7 @@ private ClientRegistration changeAuthorizationURLCognito(ClientRegistration base
.build();
}

private ClientRegistration changeAuthorizationURLGitHubOrGoogle(ClientRegistration base) {
private static ClientRegistration changeAuthorizationURLGitHubOrGoogle(ClientRegistration base) {
// https://developers.google.com/identity/openid-connect/openid-connect?hl=de#authenticationuriparameters
// https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#1-request-a-users-github-identity
final String authorizationUri = UriComponentsBuilder.fromHttpUrl(base.getProviderDetails().getAuthorizationUri())
Expand All @@ -81,5 +102,16 @@ private ClientRegistration changeAuthorizationURLGitHubOrGoogle(ClientRegistrati
.authorizationUri(authorizationUri)
.build();
}

private static ClientRegistration changeAuthorizationURLGw2auth(ClientRegistration base) {
// https://github.com/gw2auth/oauth2-server/wiki/GW2Auth-Developer-Guide#redirect-the-user-to-the-authorization_endpoint
final String authorizationUri = UriComponentsBuilder.fromHttpUrl(base.getProviderDetails().getAuthorizationUri())
.replaceQueryParam("prompt", "consent")
.toUriString();

return ClientRegistration.withClientRegistration(base)
.authorizationUri(authorizationUri)
.build();
}
}
}
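Review bot: The Cognito detection in changeAuthorizationURL checks `host.endsWith("amazonaws.com")` without a label boundary, so any issuer host that merely ends in that string (e.g. `...evilamazonaws.com`, constructed example) would be routed to the Cognito-specific rewrite; the suffix should be `".amazonaws.com"`, i.e. `if (host.startsWith("cognito-idp") && host.endsWith(".amazonaws.com")) {`. The same method also compares hosts with plain `Objects.equals`, which is case-sensitive although DNS names are not, so normalising `host` with `toLowerCase(Locale.ROOT)` before the comparisons would make the branch selection deterministic for differently-cased configuration values. Since the issuer and authorization URIs come from the registration's provider details rather than from the request, the exposure is limited to misconfiguration, but a strict match is cheap and removes the ambiguity. Note also that `UriComponentsBuilder.fromHttpUrl` rejects strings that are not well-formed HTTP URLs with an IllegalArgumentException, so a malformed issuer-uri in configuration now fails every findByRegistrationId call for that registration; a short Javadoc on changeAuthorizationURL stating that it throws in that case, or a guarded parse, would make this visible. The changeAuthorizationURLCognito and changeAuthorizationURLGitHubOrGoogle bodies continue outside the shown hunks.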
