
Comments (5)

jgrandja commented on May 18, 2024

@xenoterracide I don't understand what you are looking for? The heading says "testing pkce against split resource server" but PKCE is validated by the authorization server.

What I'd like is a lite example of "stub servers" that could be used to fake something like auth0. Mostly for "integration" testing to avoid exposing the real auth0 tokens

Are you just looking to stand up an authorization server for integration testing purposes? If so, see gh-258

from spring-authorization-server.

xenoterracide commented on May 18, 2024

Yes, partially, same use case. I had assumed this was a matter of documentation at this point.

My plan was to start a separate server which would avoid the bean conflict. Although I don't particularly have a problem with an in-JVM approach...

I could say that I also don't think this particular flow is simply documented. Maybe it's just me that I prefer my docs to exist largely as "curl"/raw http instead of having to write a full frontend app in addition to my separated resource/idp server (other examples also seem to be bundling these into one server). Note: I appreciate that example existing, it's just a lot to traverse to get to the simplest thing that can possibly work.


xenoterracide commented on May 18, 2024

What I'm looking for is something like these details (when using the defaults).

https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#replace-implicit-flow-with-pkce

One could argue that an example test of the server here might be enough, or at least a major step in the right direction.

https://docs.spring.io/spring-authorization-server/reference/guides/how-to-pkce.html


jgrandja commented on May 18, 2024

@xenoterracide See gh-258 as I provided an "UPDATE" to the integration test support forthcoming. There is a branch and link to an integration test that shows how to start up a Spring Authorization Server (with custom config) for integration testing purposes.

I'll close this as a duplicate.


xenoterracide commented on May 18, 2024

So what's wrong with this request?

DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "GET /oauth/authorize?client_id=client&scope=openid+profile+email&redirect_uri=http://localhost:3000&response_type=code&state=sUmww5GH&audience=http://localhost&response_mode=query&nonce=FVO5cA3&code_challenge=g0bA5&code_challenge_method=S256&auth0Client=eyJuY HTTP/1.1[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "Accept-Encoding: gzip, x-gzip, deflate[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "Host: localhost:39413[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "Connection: keep-alive[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "User-Agent: Apache-HttpClient/5.2.3 (Java/21.0.2)[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire                                     : http-outgoing-0 >> "[\r][\n]"

From what I can tell I'm calling with the correct parameters.

I'm guessing it's the 3rd message

TRACE 3489088 - th.auth.OAuth2AuthorizationCodeRequestAuthenticationProvider : Retrieved registered client
TRACE 3489088 - th.auth.OAuth2AuthorizationCodeRequestAuthenticationProvider : Validated authorization code request parameters
TRACE 3489088 - th.auth.OAuth2AuthorizationCodeRequestAuthenticationProvider : Did not authenticate authorization code request since principal not authenticated

But explicitly in PKCE, /login happens AFTER /authorize. There are some things in there that aren't standard, but I'm not certain they should affect anything.

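The PKCE exchange this thread is about (RFC 7636, S256), with the client and the authorization-server side shown together. This is an added example, not part of the thread and not Spring Authorization Server code; the function names are hypothetical, and the endpoint, client_id and redirect_uri used when calling it would be the ones from the logged request above.

```python
# Added example: RFC 7636 PKCE with S256, both sides, standard library only.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    """Client: 32 random bytes give a 43-character code_verifier."""
    return b64url(secrets.token_bytes(32))

def s256_challenge(verifier: str) -> str:
    """Client: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorize_url(base: str, client_id: str, redirect_uri: str,
                  verifier: str, state: str) -> str:
    """Client: the front-channel request carries only the challenge."""
    return base + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    })

def stored_challenge(url: str) -> str:
    """Server: extract the challenge to keep with the issued authorization code."""
    q = parse_qs(urlsplit(url).query)
    if q.get("code_challenge_method") != ["S256"]:
        raise ValueError("only S256 is accepted")
    challenge = q.get("code_challenge", [""])[0]
    if len(challenge) != 43:  # a SHA-256 digest is always 43 base64url chars
        raise ValueError("malformed S256 code_challenge")
    return challenge

def token_request_ok(stored: str, code_verifier: str) -> bool:
    """Server: at the token endpoint, recompute and compare in constant time."""
    if not (43 <= len(code_verifier) <= 128 and code_verifier.isascii()):
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), stored)
```

The verifier never appears in the authorize request; it is sent only with the token request, which is where the authorization server performs the comparison.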
