Add RequestCache setter in OAuth2AuthorizationCodeGrantFilter

[mdindoffer]

Summary

Please provide a way to inject specific RequestCache to the OAuth2AuthorizationCodeGrantFilter.
The "sister" filter OAuth2AuthorizationRequestRedirectFilter already has a #setRequestCache method for injecting specific RequestCache, but the OAuth2AuthorizationCodeGrantFilter uses a hardcoded HttpSessionRequestCache.

Reasoning

Current setup does not allow for easy customization of redirect scenarios after successful OAuth2 Code grant authorization flow.

Two workarounds exist to my knowledge:

1. Use the HttpSessionRequestCache with a specially crafted HttpServletRequestWrapper, such that the DefaultSavedRequest created from it in the HttpSessionRequestCache will return a desired redirect uri.
2. Avoid saving the request via RequestCache's interface, and store it directly in the session via

request.getSession().setAttribute(customSavedRequest, "SPRING_SECURITY_SAVED_REQUEST")

The first one is prone to breakage and complicated to do so, because the DefaultSavedRequest#getRedirectUrl() builds a URL from multiple fields, that have to be specifically overriden in the request wrapper.
The second workaround is slightly less complicated, but even more prone to breakage, as the session attribute name is not a public constant and can change anytime.

The addition of injectable RequestCache would make the OAuth2AuthorizationCodeGrantFilter on par with OAuth2AuthorizationRequestRedirectFilter.

Version

5.2.2

[rwinch]

Thanks for the feedback. Is this something you would be willing to contribute?

[parikshitdutta]

Hi @rwinch, how is this for contribution? I can take a look.

[rwinch]

Thanks for volunteering @parikshitdutta! The issue is yours 😄

[parikshitdutta]

Hi @rwinch, the build process is failing at OAuth2ResourceServerSpecTests, is it okay to discuss it here or should I open an issue rather?

[rwinch]

@parikshitdutta Here is fine. What is the failure you are getting?

[parikshitdutta]

Hi @rwinch, there are 27 tests failing with "java.lang.IllegalStateException: Failed to load ApplicationContext", from OAuth2ResourceServerSpecTests.

Result page attached for your reference:
(https://github.com/spring-projects/spring-security/files/4456729/org.springframework.security.config.web.server.OAuth2ResourceServerSpecTests.zip)

[rwinch]

How are you running the tests? It looks like you might be running them from the commandline. What command do you run and from what folder? Do any of the other tests work?

[parikshitdutta]

I am running plain build from command line, i.e "gradlew build", also have tried other variations such as clean, refresh-dependencies etc, same result, only those 27 tests failing, all the other tests (about 1800 tests) are passed.

I am trying to build from spring-security root folder.

[parikshitdutta]

FYI, I was following "README.adoc" to try the building process with "gradlew build", which is failing at my end.

Then I tried gradle tasks for respective module, such as "spring-security-config" etc, using intelliJ "run test" option, those are getting through!

While, the same with "gradlew spring-security-config:test" from console again failing for those 27 tests.

Finally, I tried "gradlew clean build integrationTest" from "spring-security" folder from console, that passed all the tests, and build was successful.

@rwinch please guide me with the right approach to test and ensure my done changes are good for production.

Is running "gradlew clean build integrationTest" from spring-security folder sufficient after I am done with my code changes?