Reputation: 31
I implemented the password reset flow in the Spring Authorization Server with an email token. The implementation is similar to the OWASP Forgot Password. The problem is that I do not know how to get the registered client when clicking the reset password link on the login form. It is possible to call this reset password URL without the client, and this shouldn't be possible.
When I open this URL in the browser, I get redirected to the login form.
http://localhost:8083/oauth2/authorize?response_type=code&client_id=client&scope=openid&redirect_uri=http://example.com&code_challenge=MyChallengeCode&code_challenge_method=S256
When I click the reset password link, the flow starts.
My Questions:
Upvotes: 0
Views: 696
Reputation: 6158
The question is not 100% clear on your goal, but based on clarifying questions in comments, it seems you are trying to access the query parameters that were submitted with the authorization request. Using your example:
http://localhost:8083/oauth2/authorize?response_type=code&client_id=client&scope=openid&redirect_uri=http://example.com&code_challenge=MyChallengeCode&code_challenge_method=S256
Let's say we want to access the client_id parameter during the Forgot Password flow. The easiest way to accomplish this would be to use the RequestCache, since this is what stores the original URL in order to replay the request after the user authenticates successfully. Here is a simplified example:
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class ForgotPasswordController {
    // Same cache Spring Security used to save the interrupted /oauth2/authorize request
    private final RequestCache requestCache = new HttpSessionRequestCache();

    @GetMapping("/password/forgot")
    public String forgot(HttpServletRequest request, HttpServletResponse response) {
        var savedRequest = this.requestCache.getRequest(request, response);
        // savedRequest is null when this URL was opened directly rather than via the saved authorization request
        String[] values = savedRequest == null ? null : savedRequest.getParameterValues("client_id");
        String clientId = (values != null && values.length > 0) ? values[0] : null;
        // ... (view name below is a placeholder)
        return "forgot-password";
    }
}
See also this related answer for an additional example.
Upvotes: 0
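The check the question asks for, built on the answer's RequestCache approach, as an added example (not code from the answer or from Spring Authorization Server): a direct hit on the forgot-password URL has no saved authorization request, so it is refused, and a client_id taken from the saved request is looked up in the RegisteredClientRepository before the page is served. The view name "forgot-password" and the "clientName" model attribute are placeholders.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.http.HttpStatus;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.server.ResponseStatusException;

// Added example: forgot-password page that is only reachable from a pending
// authorization request of a known registered client.
@Controller
public class ClientBoundForgotPasswordController {

    private final RequestCache requestCache = new HttpSessionRequestCache();
    private final RegisteredClientRepository clients;

    public ClientBoundForgotPasswordController(RegisteredClientRepository clients) {
        this.clients = clients;
    }

    @GetMapping("/password/forgot")
    public String forgot(HttpServletRequest request, HttpServletResponse response, Model model) {
        // Only the request Spring Security saved when /oauth2/authorize was interrupted
        // carries client_id; opening this URL directly leaves the cache empty.
        SavedRequest saved = requestCache.getRequest(request, response);
        if (saved == null) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "no pending authorization request");
        }
        String[] clientIds = saved.getParameterValues("client_id");
        if (clientIds == null || clientIds.length != 1) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "client_id missing or ambiguous");
        }
        // Look the id up rather than trusting it: an unregistered client gets no reset page.
        RegisteredClient client = clients.findByClientId(clientIds[0]);
        if (client == null) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "unknown client");
        }
        model.addAttribute("clientName", client.getClientName()); // placeholder attribute
        return "forgot-password"; // placeholder view name
    }
}
```

The saved request also exposes the original redirect_uri and scope through getParameterValues, so the same lookup can be extended to confirm those against the RegisteredClient before the reset email is sent.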