Ability to modify OIDC provider configuration

[tcchambers-els]

Expected Behavior
When enabling OIDC it would be good to be able to customise /.well-known/openid-configuration information. In my case I would like to modify the scopes_supported claim

Current Behavior
I can see how I can create an instance of OidcProviderConfiguration but I can't see how I can modify the one used here

spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/oidc/web/OidcProviderConfigurationEndpointFilter.java

Line 79 in 82e4f3a

OidcProviderConfiguration providerConfiguration = OidcProviderConfiguration.builder()

in the filter without completely creating a new one (unless I've missed something)

Context
We would like the ability to modify some of the optional OIDC provider information to accurately reflect the actual provider.

[sjohnr]

@tcchambers-els currently I believe you are correct, you would need to implement your own filter to replace this one. It looks like scopes_supported is a RECOMMENDED metadata value for this endpoint, so it could be a candidate for addition at some point.

Since the server supports multiple clients, how would you envision filling in this field? Would it just be hard-coded to openid and possibly other standard scope values? Or would it need to be a setting in ProviderSettings for your use case?

[tcchambers-els]

Hi @sjohnr, I think either of those solutions would work - as you say openid needs to be mandatory but we would also need to add other standard OIDC scopes like profile plus custom scopes. So adding the config to ProviderSettings would satisfy our use case, with either openid hardcoded as it is or an exception thrown if it's missing.
Thanks for your time in taking a look at this.

[jgrandja]

@tcchambers-els @sjohnr I'm not sure adding the config to ProviderSettings is going to give us the flexibility for all potential use cases.

I think what we'll need to do is expose a setter for OidcProviderConfigurationEndpointFilter.providerConfigurationHttpMessageConverter, which allows a custom Converter to be set via OidcProviderConfigurationHttpMessageConverter.setProviderConfigurationParametersConverter().

[ghost]

hi @jgrandja. I can start working on this issue.

[its-felix]

Maybe it's already a bit too late poping up here, but I'd like to be able to completely disable the OIDC Part of the authorization server and only use oauth2.

Should I open another issue for this request?

[sjohnr]

@its-felix, the OAuth2AuthorizationServerConfigurer provides the ability to disable OIDC. However, I don't think this ticket is the appropriate place to discuss it, so it can remain focused on the issue at hand. Feel free to open a stackoverflow question if needed and we can take a look.

[jgrandja]

@tcchambers-els This is now merged via 0994a1e.

Please take a look at this test that demonstrates how to customize the OIDC provider configuration response.