Reputation: 31
Custom headers in public JWKs request for Spring Security OpenID Connect
I'm using Oracle's OAM as an authentication provider. Our set-up mandates that the request to public JWKs endpoint (the one that you set with .jwkSetUri()) had a custom header:
x-oauth-identity-domain-name: AppSpecificDomainName
So far I was not able to find a proper parameter configuration in the Spring Security OpenID Connect framework.
I use Spring Security 5.8.4
I was able to make a dirty workaround to at least verify my set-up. I copied the source-code of the RestTempate class to exact same packege that is has in the Spring framework so that it would get class-loaded first.
Then I've modified the
protected <T> T doExecute(URI url, @Nullable HttpMethod method, @Nullable RequestCallback requestCallback, @Nullable ResponseExtractor<T> responseExtractor);
method and added header injection code:
...
ClientHttpRequest request = createRequest(url, method);
// Inject custom headers if this is a security-related outbound call
if (url.toString().startsWith("https://access.mycompany.com")) {
request.getHeaders().add("x-oauth-identity-domain-name", "AppSpecificDomainName");
}
...
but clearly I want a cleaner solution. Since this one is hardly maintainable.
Upvotes: 2
Views: 185
Answers (0)
Related Questions
- Spring Security OAuth 2.0 Google: redirect to default URL after unauthorized request instead of requested URL
- Spring Security OAuth 2.0 - client secret always required for authorization code grant
- Spring Security and OpenID Connect (OIDC)
- Spring Security 5 XML configuration for OpenID Connect
- Spring Security Custom Authentication Filter and Authorization
- Spring: Check in code if url has security set to none
- How can I override the client credentials' default Base64 encoding in OAuth authorization API call?
- Spring Security and Google OpenID Connect migration