Expand Up @@ -42,6 +42,30 @@ public class OAuth2AuthorizationServerProperties implements InitializingBean {
*/
private String issuer;

/**
* Set to {@code true} if multiple issuers are allowed per host. Using path
* components in the URL of the issuer identifier enables supporting multiple
* issuers per host in a multi-tenant hosting configuration.
*
* <p>
* For example:
* <ul>
* <li>{@code https://example.com/issuer1}</li>
* <li>{@code https://example.com/authz/issuer2}</li>
* </ul>
*
* <p>
* <b>NOTE:</b> Explicitly configuring the issuer identifier via
* {@link #issuer(String)} forces to a single-tenant configuration. Avoid
* configuring the issuer identifier when using a multi-tenant hosting
* configuration, allowing the issuer identifier to be resolved from the
* <i>"current"</i> request.
* @param multipleIssuersAllowed {@code true} if multiple issuers are allowed per
* host, {@code false} otherwise
* @return the {@link Builder} for further configuration
*/
private boolean multipleIssuersAllowed = false;

/**
* Registered clients of the Authorization Server.
*/
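Review bot: The Javadoc on the new `multipleIssuersAllowed` field looks copied from a builder method. Its `@param multipleIssuersAllowed` and `@return the {@link Builder}` tags do not apply to a field, and `{@link #issuer(String)}` presumably does not resolve in this properties class, where only an `issuer` field is visible. I would cut it down to a field description such as `Whether multiple issuers are allowed per host; leave the issuer unset so it is resolved from the current request.` Because the issuer identifier then comes from the request URL, the comment should also say that the host and any forwarded headers must be set by a trusted proxy. The class body continues outside the hunk.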
Expand Up @@ -51,7 +51,8 @@ AuthorizationServerSettings asAuthorizationServerSettings() {
OAuth2AuthorizationServerProperties.Endpoint endpoint = this.properties.getEndpoint();
OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoint.getOidc();
AuthorizationServerSettings.Builder builder = AuthorizationServerSettings.builder();
map.from(this.properties::getIssuer).to(builder::issuer);
map.from(this.properties::getIssuer).whenHasText().to(builder::issuer);
map.from(this.properties::isMultipleIssuersAllowed).to(builder::multipleIssuersAllowed);
map.from(endpoint::getAuthorizationUri).to(builder::authorizationEndpoint);
map.from(endpoint::getDeviceAuthorizationUri).to(builder::deviceAuthorizationEndpoint);
map.from(endpoint::getDeviceVerificationUri).to(builder::deviceVerificationEndpoint);
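Review bot: Nothing in the visible lines handles the case where `issuer` has text and `multipleIssuersAllowed` is `true`; both values are passed to the builder, although the new Javadoc says an explicit issuer forces a single-tenant configuration. If the builder rejects that combination, the failure would presumably name builder settings rather than the property keys an operator actually set. Since the properties class implements `InitializingBean`, a check there such as `if (StringUtils.hasText(this.issuer) && this.multipleIssuersAllowed) { throw new IllegalStateException("issuer must not be set when multiple issuers are allowed"); }` would fail at startup with a clear message. Such a check may already exist outside the hunk, and `asAuthorizationServerSettings()` continues past it.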