Comments (3)
jgrandja
commented on July 22, 2024
1
"this type of configuration/setting would make more sense in the Spring Boot auto-configuration classes and properties..."
My comment was meant to be more of a general statement but I see that I was a conflicting statement instead. To be clear, a "use-pkce" configuration option per client registration would not make sense to add as a Spring Boot property.
We do not want to promote:
We would be in danger of trying to recreate Spring Security's DSL in properties and of encouraging people to program through properties.
@wilkinsona Please close this issue and we'll take it over in spring-security#12219.
@randomstuff Let's take this conversation to spring-security#12219 and see what we can do to simplify things further.
@sjohnr has an idea that he will propose.
from spring-boot.
wilkinsona
commented on July 22, 2024
1
Thanks very much, @jgrandja.
from spring-boot.
wilkinsona
commented on July 22, 2024
Thanks for the suggestion.
We don't have a great deal of auto-configuration for this and it currently uses Spring Security's defaults for OAuth2 login:
This configuration backs off once any custom security configuration is provided.
I'm not sure that we should start offering properties that are intended to take the place of a Customizer<OAuth2LoginConfigurer<HttpSecurity>> passed to oauth2Login. We would be in danger of trying to recreate Spring Security's DSL in properties and of encouraging people to program through properties.
What's your take on this please, @jgrandja? You said in spring-projects/spring-security#12219 (comment) that "this type of configuration/setting would make more sense in the Spring Boot auto-configuration classes and properties. However, I don't feel it's necessary as the configuration is pretty straight forward". This was 18 months ago so I wonder if your opinion has changed since then.
I think it would make sense to have this enabled by default in the medium term (apparently, there is fear that this might break some authorization servers) so maybe an option whose default value could be changed in the future would be nice.
I don't think this is something that we'd do in Spring Boot as we prefer to keep our defaults aligned with Spring Security's. If you would like to see PKCE enabled by default, please raise a Spring Security issue.
from spring-boot.
Related Issues (20)
- Some @ControllerEndpoint and @RestControllerEndpoint infrastructure remains undeprecated
- Allow ContainerConnectionDetailsFactory to match on one of multiple different connection names
- Spring Authorization Server now defaults multipleIssuersAllowed to false and it cannot be easily re-enabled
- Exceeding 32 @SpringBootTest Configurations Causes Netty RejectedExecutionException with WebFlux HOT 3
- Fix documentation links in the README
- Fix documentation links in the README
- Add support for CNB platform API version 0.14
- Constructor binding of EnumMap fails due to missing key type HOT 2
- DynamicPropertyRegistry Values Not Set After Dev Tools Reload for RestartScope Containers
- Upgrade to Spring RESTDocs 3.0.2
- Upgrade to Spring Framework 6.2.0-M6
- Spring Boot 2 datasource can not run with Dockerfile HOT 4
- ClassNotFoundException in JSP compiler after update from Spring Boot 3.3.1 -> 3.3.2 HOT 6
- Broken documentation links HOT 2
- java.lang.LinkageError: loader 'app' attempted duplicate class definition for jakarta.persistence.TemporalType HOT 1
- Has the loading order of springboot3 beans changed? HOT 1
- Wait until spring-boot.rb file is available when updating Homebrew tap
- Spring Boot profiles not respected when fetching configuration files from Spring Cloud Config after native build HOT 7
- Constructor binding of EnumMap fails due to missing key type
- Constructor binding of EnumMap fails due to missing key type
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from spring-boot.