- In the OAuth2 Authorization Server, the data exchanged through the redirect (clientId, nonce, redirect_uri, response_type, scope, state) is stored in the SavedRequest.
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

/**
 * Fetch the client id from the data exchanged through the redirect.
 * - The OAuth2 Authorization Server stores clientId, nonce, redirect_uri, response_type, scope and state in the SavedRequest.
 *
 * @param request  the current request; its session holds the SavedRequest
 * @param response the current response, passed through to the RequestCache
 * @return the client_id of the intercepted authorize request, or null when no SavedRequest or no client_id is present
 * @author ys5318.kim
 * @since 22.07.29
 */
private String parseClientIdFromSavedRequest(HttpServletRequest request, HttpServletResponse response) {
    RequestCache requestCache = new HttpSessionRequestCache();
    SavedRequest savedRequest = requestCache.getRequest(request, response);
    if (savedRequest == null) {
        return null; // no intercepted request was cached for this session
    }
    String[] values = savedRequest.getParameterValues("client_id");
    if (values == null) {
        return null; // the cached request carried no client_id (Arrays.stream(null) would throw)
    }
    return Arrays.stream(values).findFirst().orElse(null);
}
- Explanation of the SavedRequest-based mechanism, written by Spring Security developer Luke Taylor
An authentication success strategy which can make use of the org.springframework.security.web.savedrequest.DefaultSavedRequest which may have been stored in the session by the ExceptionTranslationFilter. When such a request is intercepted and requires authentication, the request data is stored to record the original destination before the authentication process commenced, and to allow the request to be reconstructed when a redirect to the same URL occurs. This class is responsible for performing the redirect to the original URL if appropriate.
Following a successful authentication, it decides on the redirect destination, based on the following scenarios:
- If the alwaysUseDefaultTargetUrl property is set to true, the defaultTargetUrl will be used for the destination. Any DefaultSavedRequest stored in the session will be removed.
- If the targetUrlParameter has been set on the request, the value will be used as the destination. Any DefaultSavedRequest will again be removed.
- If a SavedRequest is found in the RequestCache (as set by the ExceptionTranslationFilter to record the original destination before the authentication process commenced), a redirect will be performed to the Url of that original destination. The SavedRequest object will remain cached and be picked up when the redirected request is received (See SavedRequestAwareWrapper).
- If no SavedRequest is found, it will delegate to the base class.
Code inside Spring Security that makes use of this on authentication success
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
        Authentication authentication) throws ServletException, IOException {
    SavedRequest savedRequest = this.requestCache.getRequest(request, response);
    if (savedRequest == null) {
        super.onAuthenticationSuccess(request, response, authentication);
        return;
    }
    String targetUrlParameter = getTargetUrlParameter();
    if (isAlwaysUseDefaultTargetUrl()
            || (targetUrlParameter != null && StringUtils.hasText(request.getParameter(targetUrlParameter)))) {
        this.requestCache.removeRequest(request, response);
        super.onAuthenticationSuccess(request, response, authentication);
        return;
    }
    clearAuthenticationAttributes(request);
    // Use the DefaultSavedRequest URL
    String targetUrl = savedRequest.getRedirectUrl();
    getRedirectStrategy().sendRedirect(request, response, targetUrl);
}
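The store-then-read flow behind both the client_id helper at the top of the post and the success-handler javadoc above, as an added example that is neither the post's nor Spring Security's own code: the saving step that ExceptionTranslationFilter performs is replayed with HttpSessionRequestCache.saveRequest on a spring-test MockHttpServletRequest, and the lookup is null-safe so that a missing SavedRequest or parameter yields Optional.empty() instead of an exception. It assumes Spring Security 5.x with javax.servlet and spring-test on the classpath; the class and method names and the client_id, redirect_uri and state values are constructed.

```java
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.SavedRequest;

/** Null-safe lookup of a parameter from the SavedRequest held in the HTTP session (added example). */
public final class SavedRequestParams {
    private final RequestCache requestCache = new HttpSessionRequestCache();

    /** First value of {@code name} on the cached request, or empty when nothing usable is cached. */
    public Optional<String> firstValue(HttpServletRequest request, HttpServletResponse response, String name) {
        SavedRequest saved = requestCache.getRequest(request, response);
        if (saved == null) {
            return Optional.empty(); // this session did not arrive through an intercepted request
        }
        String[] values = saved.getParameterValues(name);
        if (values == null || values.length == 0 || values[0].isEmpty()) {
            return Optional.empty(); // parameter absent: callers must not assume a client
        }
        return Optional.of(values[0]);
    }

    /** Replays the flow: ExceptionTranslationFilter caches /oauth2/authorize, the login request reads it. */
    public static void main(String[] args) {
        RequestCache cache = new HttpSessionRequestCache();
        MockHttpServletResponse response = new MockHttpServletResponse();
        // Constructed sample: the unauthenticated authorize request that triggers the login redirect.
        MockHttpServletRequest authorize = new MockHttpServletRequest("GET", "/oauth2/authorize");
        authorize.setParameter("response_type", "code");
        authorize.setParameter("client_id", "messaging-client"); // constructed client id
        authorize.setParameter("redirect_uri", "http://127.0.0.1:8080/authorized");
        authorize.setParameter("scope", "message.read");
        authorize.setParameter("state", "abc123");
        cache.saveRequest(authorize, response); // what ExceptionTranslationFilter does before redirecting
        // The login page request belongs to the same session but carries none of those parameters.
        MockHttpServletRequest login = new MockHttpServletRequest("GET", "/login");
        login.setSession(authorize.getSession());
        SavedRequestParams params = new SavedRequestParams();
        System.out.println("client_id = " + params.firstValue(login, response, "client_id"));
        System.out.println("nonce     = " + params.firstValue(login, response, "nonce"));
    }
}
```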