I need to specify the redirect URI for an application using OpenID.
My application.yml reads:
spring:
  security:
    oauth2:
      client:
        registration:
          xxxx:
            client-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
            client-secret: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
            authorization-grant-type: authorization_code
            redirect-uri: https://www.example.com/home
            scope:
              - openid
              - profile
              - email
        provider:
          xxxx:
            authorizationUri: https:...
            ...
When I look at the generated redirect URL, I see it is not URL-encoded:
https://.....com/authorize
?response_type=code
&client_id=...
&scope=...
&state=...D
&redirect_uri=https://www.example.com/home <---- not URL-encoded
&nonce=...
I would expect:
&redirect_uri=https%2A%2F%2Fwww.example.com%2Fhome <---- encoded
So I go back to the configuration, and I URL-encode it:
redirect-uri: https://www.example.com/home
At this point I get another problem because, who knows why, this time Spring tries to encode it, or at any rate transforms the redirect URI into something illegal (it seems to get encoded twice):
https://.....com/authorize
?response_type=code
&client_id=...
&scope=...
&state=...D
&redirect_uri=https%253A%252F%252Fexample.com%252Fhome <---- What is %253A?
&nonce=...
If I omit redirect-uri and try to hardcode it in the authorization URI, Spring tells me that the parameter is mandatory.
The provider does not implement auto-discovery, and I can't find a work-around.
Also, I am bound to Spring Boot 2.7.6 because the compiler is Java 11. Can anybody suggest a solution? Is this issue solved with Spring 3?
I appreciate any help anybody can provide.
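As an added example following the question (it is neither the asker's code nor Spring Security's own request resolver), the class below uses Spring's `UriUtils` from spring-web to show how a query-parameter value is percent-encoded under RFC 3986 rules, and adds two checks a client or provider can run on a `redirect_uri` before trusting it: one that flags a value that decodes to something still containing percent-escapes (double encoding), and one that requires the wire value to decode, exactly once, to the registered URI. It assumes spring-web is on the classpath; the class and method names `RedirectUriEncodingDemo`, `encodeOnce`, `looksDoubleEncoded` and `matchesRegistered` are mine, and the URI values are constructed samples taken from the question.

```java
import java.nio.charset.StandardCharsets;
import org.springframework.web.util.UriUtils;

// Added example, not from the question. UriUtils.encodeQueryParam applies the
// RFC 3986 rules for a query-parameter value: characters such as ':' and '/'
// are permitted there and left alone, while '%' is not permitted and is itself
// escaped, which is why a value that was percent-encoded in advance comes out
// escaped a second time.
public class RedirectUriEncodingDemo {

    // Encode a single query-parameter value the way a URI builder would.
    static String encodeOnce(String value) {
        return UriUtils.encodeQueryParam(value, StandardCharsets.UTF_8);
    }

    // True when decoding once changes the value but still leaves a percent-escape
    // behind, i.e. the value carried at least two layers of encoding.
    static boolean looksDoubleEncoded(String wireValue) {
        String decodedOnce = UriUtils.decode(wireValue, StandardCharsets.UTF_8);
        return !decodedOnce.equals(wireValue) && decodedOnce.contains("%");
    }

    // Defensive check: the value as it appears on the wire must decode (once) to
    // exactly the URI that was registered for the client; nothing looser.
    static boolean matchesRegistered(String wireValue, String registeredUri) {
        return UriUtils.decode(wireValue, StandardCharsets.UTF_8).equals(registeredUri);
    }

    public static void main(String[] args) {
        // Constructed sample values mirroring the question.
        String registered = "https://www.example.com/home";
        String preEncoded = "https%3A%2F%2Fwww.example.com%2Fhome";

        String plainOnWire = encodeOnce(registered);
        String preEncodedOnWire = encodeOnce(preEncoded);

        System.out.println("plain value encoded once:       " + plainOnWire);
        System.out.println("pre-encoded value encoded again: " + preEncodedOnWire);
        System.out.println("double-encoded?  plain=" + looksDoubleEncoded(plainOnWire)
                + "  pre-encoded=" + looksDoubleEncoded(preEncodedOnWire));
        System.out.println("matches registered?  plain=" + matchesRegistered(plainOnWire, registered)
                + "  pre-encoded=" + matchesRegistered(preEncodedOnWire, registered));
    }
}
```

Running it with the two sample inputs shows the two behaviours described in the question side by side: the plain `https://...` value passes through `encodeQueryParam` with its colon and slashes intact, while the pre-encoded value picks up a second layer of escaping. `matchesRegistered` is written as an exact string comparison on purpose; a prefix or pattern match on `redirect_uri` is what lets a differently encoded or slightly altered value slip past validation.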