Spring Security Oauth2 dynamic redirect uri
How do I dynamically specify the redirect URI for the OAuth2 Authorization Code flow in Spring Security? I have a use case where the application is being accessed by multiple users using 2 to 3 different URLs. A user using one particular URL has no access to another URL. In this case, I want to configure OAuth2 so that I can just provide /login or something instead of the entire URL.
Solution 1:[1]
In my case I wanted to be able to log in and use my web app from two different URLs, one for running the frontend locally from localhost.app.mydomain.com and one real URL like app.mydomain.com, using Google to log in.
Simple solution
To achieve this in Spring Security I registered two different ClientRegistrations with the exact same info, except for the name, registrationId and the redirectUri.
From the frontend I can then control which OAuth2 client I use by invoking the different registrationId endpoints, which in turn decides which domain I'm logged into and which redirectUri will be used, based on whether I'm running my frontend locally or not.
It is not truly dynamic, but it solves the case where you have a limited number of redirect URLs that you know beforehand, which can be controlled from the frontend this way.
Dynamic solution
Another more common solution, which I also use in my code, would probably be to pass a state parameter with the call to the OAuth client in Spring. That will then get passed on to Google and be returned untouched to Spring Security from the Google login flow. This can hold whatever info you want, decided by the frontend, and then be decoded in the backend, and e.g. the SimpleUrlAuthenticationSuccessHandler can use this data to setDefaultTargetUrl to it, which will cause a redirect to wherever the frontend decided on a successful login.
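Because the redirect target in the dynamic approach is chosen by the frontend, it should be checked against known origins before the backend redirects to it. The handler below is an added example, not code from the answer: the class name, the state layout (`<random nonce>.<base64url(target URL)>`, built by a custom OAuth2AuthorizationRequestResolver that is not shown), the https scheme and the `jakarta.*` imports (Spring Security 6) are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

// Added example. Assumes state = "<random nonce>.<base64url(target URL)>", built by a
// custom OAuth2AuthorizationRequestResolver (not shown).
public class AllowlistedStateSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    // Hosts come from the answer; the https scheme and default port are assumptions.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.mydomain.com", "https://localhost.app.mydomain.com");
    public AllowlistedStateSuccessHandler() {
        super("/"); // fallback target when state carries nothing usable
    }
    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        String target = decodeTarget(request.getParameter("state"));
        return isAllowed(target) ? target : getDefaultTargetUrl();
    }
    // Returns the decoded target, or null if state is missing or malformed.
    static String decodeTarget(String state) {
        int dot = (state == null) ? -1 : state.indexOf('.');
        if (dot < 0) return null;
        try {
            byte[] raw = Base64.getUrlDecoder().decode(state.substring(dot + 1));
            return new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return null; // not valid base64url
        }
    }

    // Exact origin match: rejects other hosts, userinfo tricks, relative and opaque URIs.
    static boolean isAllowed(String target) {
        if (target == null) return false;
        try {
            URI uri = new URI(target);
            if (uri.getScheme() == null || uri.getHost() == null || uri.getUserInfo() != null) return false;
            String origin = uri.getScheme() + "://" + uri.getHost() + (uri.getPort() < 0 ? "" : ":" + uri.getPort());
            return ALLOWED_ORIGINS.contains(origin.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```

It can be registered with `http.oauth2Login(o -> o.successHandler(new AllowlistedStateSuccessHandler()))`; any target outside the allowlist falls back to `/`.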
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | |
