Can't use a custom authorization grant type in a ClientRegistration

[edouardhue]

Summary

Documentation suggests that defining additional grant types should be supported. Though, the ClientRegistration builder won't validate a registration using a custom grant type.

Actual Behavior

1. Define a custom org.springframework.security.oauth2.core.AuthorizationGrantType.
2. Build a org.springframework.security.oauth2.client.registration.ClientRegistration with this custom type.

When calling build(), any unsupported grant type is validated as an authorization code grant type, and it fails.

Expected Behavior

Custom grant type should not be validated with the wrong validator. It could be nice to be able to provide a custom validator.

Version

spring-security-oauth2-client 5.1.5.RELEASE

Sample

[jgrandja]

@edouardhue Specifying a custom grant using AuthorizationGrantType provides no value as there is functionality that needs to be implemented associated with the grant_type. The current authorization grants supported in Spring Security 5.1 are authorization_code and client_credentials and password targeted for the upcoming 5.2 release.

I'm going to close this ticket as invalid. If you're looking for a specific grant_type and it's associated functionality (flow) than please log another ticket with more specific details. Thanks.

[edouardhue]

Hi @jgrandja,

I am currently migrating from Spring Security 4 to 5 and I can't port my code. I had implemented a custom grant type, on both authorization and resource server sides.

The Javadoc in https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/core/AuthorizationGrantType.html clearly states that "The OAuth 2.0 Authorization Framework defines four standard grant types: authorization code, implicit, resource owner password credentials, and client credentials. It also provides an extensibility mechanism for defining additional grant types."

AuthorizationGrantType's constructor is public, custom types may be defined in Spring Security 5. The default validation I pointed out in the ClientRegistration builder is the only point that won't allow a custom grant type to be used by a client. Looks like a violation of the open-closed principle to me!

[jgrandja]

@edouardhue

I am currently migrating from Spring Security 4 to 5 and I can't port my code.

The new OAuth support was introduced in Spring Security 5. So I'm confused as to what you are porting since it wasn't available in Spring Security 4?

I had implemented a custom grant type, on both authorization and resource server sides.

Authorization Grants are implemented between the Client and Authorization Server NOT Resource Server. The Resource Server just receives the access token.

It's still not clear to me what you are trying to accomplish. Can you please be more specific with details so I can better understand.

[edouardhue]

@jgrandja

Authorization Grants are implemented between the Client and Authorization Server NOT Resource Server. The Resource Server just receives the access token.

Sorry for my too quick answer yesterday, allow me to correct myself. I indeed meant client instead of resource server.

The new OAuth support was introduced in Spring Security 5. So I'm confused as to what you are porting since it wasn't available in Spring Security 4?

I used the spring-security-oauth subproject with Spring Security 4 (all under Spring Boot 1.5).

It's still not clear to me what you are trying to accomplish. Can you please be more specific with details so I can better understand.

For very specific reasons, I need to define a custom grant type carrying some custom credentials that can't fit into the standard grant types. On the client side, I only had to implement a custom OAuth2ProtectedResourceDetails and the matching AccessTokenProvider.

When migrating to Spring Security 5 native support, I extended AbstractOAuth2AuthorizationGrantRequest and implemented the matching Converter to RequestEntity and OAuth2AccessTokenResponseClient. I only miss the ability to declare this custom grant type in the ClientRegistration, as the validation in the Builder assumes that any registration with a grant type that is neither client_credentials nor implicit must use the authorization_code type.

I ask for this method to be changed to allow for extension:

public ClientRegistration build() {
	Assert.notNull(this.authorizationGrantType, "authorizationGrantType cannot be null");
	if (AuthorizationGrantType.CLIENT_CREDENTIALS.equals(this.authorizationGrantType)) {
		this.validateClientCredentialsGrantType();
	} else if (AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType)) {
		this.validateImplicitGrantType();
	} else if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(this.authorizationGrantType)) {
		this.validateAuthorizationCodeGrantType();
	}
	return this.create();
}

Maybe a validation function could be passed to build(), to allow for custom or additional validation… but the private scoping of the attributes of the Builder would be a problem.

Making the OAuth2AuthorizationGrantRequestEntityUtils public could be useful too.

[jgrandja]

Thank you for the explanation @edouardhue. I now understand how you are porting your code and the issue you are having with the ClientRegistration validation. We would welcome a PR from you if you're interested? Otherwise, I'll address this for you shortly.

FYI, I would recommend tracking the work in #6811 as it will help with creating a custom grant for the client with the introduction of the OAuth2AuthorizedClientProvider. The work is still in progress but it is targeted for 5.2 in Aug.