
How to customize the well-known endpoint in Spring Authorization Server?


I'm using Spring Authorization Server v3.3.1. My current well-known endpoint is <hostname>/.well-known/openid-configuration and this returns the standard OpenID configuration. I want to remove a couple of attributes from this standard response and change the endpoint path to <hostname>/oauth2/token/.well-known/openid-configuration.

For this I've duplicated the OidcProviderConfigurationEndpointFilter and made the necessary changes and registered it to the authorizationServerSecurityFilterChain.

Request Matcher in the duplicated filter is as follows:

private static RequestMatcher createRequestMatcher() {
    // Match GET requests on the new, prefixed discovery path only
    final RequestMatcher defaultRequestMatcher = new AntPathRequestMatcher(
            "/oauth2/token/.well-known/openid-configuration", HttpMethod.GET.name());
    return (request) -> defaultRequestMatcher.matches(request);
}

This is how I've added the filter to the chain:

SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {

    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
            .authorizationEndpoint((authorizationEndpoint) -> authorizationEndpoint
                    .authenticationProviders(configureAuthenticationValidator()))
            .tokenEndpoint((tokenEndpoint) -> tokenEndpoint
                    .authenticationProviders(configureAuthenticationValidator())
                    .errorResponseHandler(new ErrorResponseHandler()))
            .oidc(Customizer.withDefaults());

    // Duplicated Filter
    OidcWellknownEndpointFilter oidcWellknownEndpointFilter = new OidcWellknownEndpointFilter();
    http.addFilterBefore(oidcWellknownEndpointFilter,
            AbstractPreAuthenticatedProcessingFilter.class);

    return http.build();
}

My question is, how can I direct requests coming to the /oauth2/token/.well-known/openid-configuration to the OidcWellknownEndpointFilter?

I tried to add a permitAll() for this endpoint like below:

SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {

    http.authorizeHttpRequests((authorize) -> authorize
            .requestMatchers("/oauth2/token/.well-known/openid-configuration").permitAll());
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);

    http.getConfigurer.... <other code>
}

This will redirect all the requests coming to the endpoint to the login page. Appreciate any help regarding this.


Solution

  • The docs cover how to customize the well-known endpoint without providing a custom filter. See OpenID Connect 1.0 Provider Configuration Endpoint.

    Configuring paths is explained in Configuring Authorization Server Settings. However, you cannot change the path for well-known endpoints because it would make them "not well-known". The path should remain as-is. You can use an issuer identifier to prefix the path, which the OpenID discovery spec allows.
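The documented route the answer points to, as an added example (not code from the question, the answer or the Spring Authorization Server docs): trim claims from the discovery document through the `providerConfigurationCustomizer` hook instead of duplicating the filter, and leave the well-known path itself untouched. The claim names removed and the `multipleIssuersAllowed` setting are assumptions for this example; with that setting the issuer is resolved from the request URL, so a request under `/oauth2/token/` is answered with that prefix as the issuer identifier.

```java
import java.util.Set;
import java.util.function.Consumer;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.oidc.OidcProviderConfiguration;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class WellKnownCustomizationConfig {

    // Metadata claims to drop from the discovery response (constructed for this example).
    private static final Set<String> CLAIMS_TO_REMOVE =
            Set.of("revocation_endpoint", "introspection_endpoint");

    @Bean
    @Order(1)
    SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);

        // Framework hook: edit the OidcProviderConfiguration before it is serialized,
        // so no copy of OidcProviderConfigurationEndpointFilter is needed.
        Consumer<OidcProviderConfiguration.Builder> trimClaims = builder ->
                builder.claims(claims -> claims.keySet().removeAll(CLAIMS_TO_REMOVE));

        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .oidc(oidc -> oidc
                        .providerConfigurationEndpoint(endpoint -> endpoint
                                .providerConfigurationCustomizer(trimClaims)));

        return http.build();
    }

    @Bean
    AuthorizationServerSettings authorizationServerSettings() {
        // The well-known path stays /.well-known/openid-configuration. With multipleIssuersAllowed
        // (assumed here) the issuer is taken from the request URL, so
        // GET <host>/oauth2/token/.well-known/openid-configuration reports issuer <host>/oauth2/token
        // and the advertised endpoints carry that prefix. Every prefix is then accepted, so restrict
        // the reachable paths at the reverse proxy if only one issuer is intended.
        return AuthorizationServerSettings.builder()
                .multipleIssuersAllowed(true)
                .build();
    }
}
```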