Comments (5)
@xenoterracide I don't understand what you are looking for? The heading says "testing pkce against split resource server" but PKCE is validated by the authorization server.
What I'd like is a light example of "stub servers" that could be used to fake something like auth0. Mostly for "integration" testing to avoid exposing the real auth0 tokens.
Are you just looking to standup an authorization server for integration testing purposes? If so, see gh-258
from spring-authorization-server.
Yes, partially, same use case. I had assumed this was a matter of documentation at this point.
My plan was to start a separate server which would avoid the bean conflict. Although I don't particularly have a problem with an in-JVM approach...
I could say that I also don't think this particular flow is simply documented. Maybe it's just me that I prefer my docs to exist largely as "curl"/raw http instead of having to write a full frontend app in addition to my separated resource/idp server (other examples also seem to be bundling these into one server). Note: I appreciate that example existing, it's just a lot to traverse to get to the simplest thing that can possibly work.
What I'm looking for is something like these details (when using the defaults).
https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#replace-implicit-flow-with-pkce
One could argue that an example test of the server here might be enough, or at least a major step in the right direction.
https://docs.spring.io/spring-authorization-server/reference/guides/how-to-pkce.html
@xenoterracide See gh-258 as I provided an "UPDATE" to the integration test support forthcoming. There is a branch and link to an integration test that shows how to startup a Spring Authorization Server (with custom config) for integration testing purposes.
I'll close this as a duplicate.
So what's wrong with this request?
DEBUG 3489088 - o.apac.hc.clie.http.wire : http-outgoing-0 >> "GET /oauth/authorize?client_id=client&scope=openid+profile+email&redirect_uri=http://localhost:3000&response_type=code&state=sUmww5GH&audience=http://localhost&response_mode=query&nonce=FVO5cA3&code_challenge=g0bA5&code_challenge_method=S256&auth0Client=eyJuY HTTP/1.1[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire : http-outgoing-0 >> "Accept-Encoding: gzip, x-gzip, deflate[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire : http-outgoing-0 >> "Host: localhost:39413[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire : http-outgoing-0 >> "Connection: keep-alive[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire : http-outgoing-0 >> "User-Agent: Apache-HttpClient/5.2.3 (Java/21.0.2)[\r][\n]"
DEBUG 3489088 - o.apac.hc.clie.http.wire : http-outgoing-0 >> "[\r][\n]"
From what I can tell I'm calling with the correct parameters.
I'm guessing it's the 3rd message:
TRACE 3489088 - th.auth.OAuth2AuthorizationCodeRequestAuthenticationProvider : Retrieved registered client
TRACE 3489088 - th.auth.OAuth2AuthorizationCodeRequestAuthenticationProvider : Validated authorization code request parameters
TRACE 3489088 - th.auth.OAuth2AuthorizationCodeRequestAuthenticationProvider : Did not authenticate authorization code request since principal not authenticated
But explicitly in PKCE, /login happens AFTER /authorize. There are some things in there that aren't standard, but I'm not certain they should affect anything.
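An added example (not code from the thread or from Spring Authorization Server) that models what the first reply and the last log excerpt describe: PKCE is checked by the authorization server at its token endpoint, and an /authorize call from a session that has not passed /login yields no code at all, only a redirect to login. Endpoint names, the session and client ids, and the toy in-memory storage are assumptions; the S256 derivation follows RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets

def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), unpadded (RFC 7636 section 4.2)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_verifier() -> str:
    # 32 random bytes -> 43 unpadded base64url chars, inside the 43..128 range RFC 7636 requires
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")

class AuthServer:  # constructed toy server, not the Spring implementation
    def __init__(self):
        self.sessions = set()   # sessions whose principal has passed /login
        self.codes = {}         # authorization code -> (client_id, code_challenge)

    def login(self, session):
        self.sessions.add(session)

    def authorize(self, session, client_id, code_challenge, code_challenge_method):
        if session not in self.sessions:
            # "principal not authenticated": no code is issued yet, the user agent goes to /login first
            return {"redirect": "/login"}
        if code_challenge_method != "S256":   # this toy accepts S256 only
            return {"error": "invalid_request"}
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, code_challenge)
        return {"code": code}

    def token(self, client_id, code, code_verifier):
        entry = self.codes.pop(code, None)    # an authorization code is single use
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        # The PKCE check lives here, at the token endpoint, never at the resource server
        if not hmac.compare_digest(s256_challenge(code_verifier), entry[1]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}

def run_flow():
    # Replays the order seen in the thread: /authorize before login, /login, /authorize, /token
    srv, verifier = AuthServer(), new_verifier()
    challenge = s256_challenge(verifier)
    before_login = srv.authorize("sess", "client", challenge, "S256")
    srv.login("sess")
    code = srv.authorize("sess", "client", challenge, "S256")["code"]
    good = srv.token("client", code, verifier)
    replay = srv.token("client", code, verifier)                # same code presented again
    code2 = srv.authorize("sess", "client", challenge, "S256")["code"]
    wrong = srv.token("client", code2, new_verifier())          # verifier does not match challenge
    return before_login, good, replay, wrong
```

`run_flow()` returns the redirect from the unauthenticated call, a successful token response, and two `invalid_grant` rejections (code reuse, mismatched verifier).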