Fix forced PKCE

pom.xml

@@ -3,7 +3,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.c4-soft.springaddons</groupId>
 	<artifactId>spring-addons</artifactId>
-	<version>7.6.2-SNAPSHOT</version>
+	<version>7.6.3-SNAPSHOT</version>
 	<packaging>pom</packaging>
 	<name>spring-addons</name>
 	<description>Set of tools I find useful to work with Spring (mostly spring-security for OpenID)</description>

release-notes.md

@@ -2,7 +2,7 @@
 
 ## `7.x` Branch
 
-### `7.6.1`
+### `7.6.3`
 - Spring Boot 3.2.3
 - add `com.c4-soft.springaddons.oidc.client.pkce-forced` property. Default to `false`. When `true`, PKCE is used by  clients for authorization-code flows, even by confidential clients
 - move [the BFF tutorial to Baeldung](https://www.baeldung.com/spring-cloud-gateway-bff-oauth2). It is also refreshed and now contains sample implementations for React (Next.js) and Vue (Vite).

samples/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons</groupId>
 		<artifactId>spring-addons</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<groupId>com.c4-soft.springaddons.samples</groupId>

samples/tutorials/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>

samples/tutorials/reactive-client/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>reactive-client</artifactId>

samples/tutorials/reactive-resource-server/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>reactive-resource-server</artifactId>

samples/tutorials/resource-server_multitenant_dynamic/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>resource-server_multitenant_dynamic</artifactId>

samples/tutorials/resource-server_with_additional-header/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>resource-server_with_additional-header</artifactId>

samples/tutorials/resource-server_with_introspection/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>resource-server_with_introspection</artifactId>

samples/tutorials/resource-server_with_oauthentication/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>resource-server_with_oauthentication</artifactId>

samples/tutorials/resource-server_with_specialized_oauthentication/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>resource-server_with_specialized_oauthentication</artifactId>

samples/tutorials/resource-server_with_ui/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>resource-server_with_ui</artifactId>

samples/tutorials/resource-server_with_ui/src/main/resources/application.yml

@@ -101,6 +101,7 @@ com:
           post-login-redirect-path: /ui/greet
           post-logout-redirect-path: /ui/greet
           multi-tenancy-enabled: true
+          pkce-forced: true
           oauth2-logout:
             cognito-confidential-user:
               uri: https://spring-addons.auth.us-west-2.amazoncognito.com/logout
@@ -123,7 +124,7 @@ logging:
   level:
     org:
       springframework:
-        security: INFO
+        security: DEBUG
         boot: INFO
 
 management:

samples/tutorials/servlet-client/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>servlet-client</artifactId>

samples/tutorials/servlet-resource-server/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples.tutorials</groupId>
 		<artifactId>tutorials</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>servlet-resource-server</artifactId>

samples/webflux-introspecting-default/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

samples/webflux-introspecting-oauthentication/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

samples/webflux-jwt-default/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

samples/webflux-jwt-oauthentication/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

samples/webmvc-introspecting-default/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

samples/webmvc-introspecting-oauthentication/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

samples/webmvc-jwt-default-jpa-authorities/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

samples/webmvc-jwt-default/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

samples/webmvc-jwt-oauthentication/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons.samples</groupId>
 		<artifactId>spring-addons-samples</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 

spring-addons-oauth2-test/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons</groupId>
 		<artifactId>spring-addons</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>spring-addons-oauth2-test</artifactId>

spring-addons-oauth2/pom.xml

@@ -4,7 +4,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons</groupId>
 		<artifactId>spring-addons</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>spring-addons-oauth2</artifactId>

spring-addons-starter-oidc-test/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons</groupId>
 		<artifactId>spring-addons</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>spring-addons-starter-oidc-test</artifactId>

spring-addons-starter-oidc/README.MD

@@ -4,7 +4,7 @@ This project is a Spring Boot starter to use in addition to `spring-boot-starter
 
 ```xml
     <properties>
-        <springaddons.version>7.6.1</springaddons.version>
+        <springaddons.version>7.6.3</springaddons.version>
     </properties>
 
     <dependencies>

spring-addons-starter-oidc/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>com.c4-soft.springaddons</groupId>
 		<artifactId>spring-addons</artifactId>
-		<version>7.6.2-SNAPSHOT</version>
+		<version>7.6.3-SNAPSHOT</version>
 		<relativePath>..</relativePath>
 	</parent>
 	<artifactId>spring-addons-starter-oidc</artifactId>

spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/AdditionalParamsAuthorizationRequestCustomizer.java

@@ -0,0 +1,26 @@
+package com.c4_soft.springaddons.security.oidc.starter;
+
+import java.util.Collection;
+import java.util.function.Consumer;
+
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest.Builder;
+
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcClientProperties.RequestParam;
+
+import lombok.RequiredArgsConstructor;
+
+@RequiredArgsConstructor
+public class AdditionalParamsAuthorizationRequestCustomizer implements Consumer<OAuth2AuthorizationRequest.Builder> {
+    private final Collection<RequestParam> additionalParams;
+
+    @Override
+    public void accept(Builder t) {
+        t.additionalParameters(params -> {
+            for (var reqParam : additionalParams) {
+                params.put(reqParam.getName(), reqParam.getValue());
+            }
+        });
+    }
+
+}

spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/CompositeOAuth2AuthorizationRequestCustomizer.java

@@ -0,0 +1,31 @@
+package com.c4_soft.springaddons.security.oidc.starter;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.function.Consumer;
+
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
+import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest.Builder;
+
+public class CompositeOAuth2AuthorizationRequestCustomizer implements Consumer<OAuth2AuthorizationRequest.Builder> {
+    private final List<Consumer<OAuth2AuthorizationRequest.Builder>> delegates;
+
+    public CompositeOAuth2AuthorizationRequestCustomizer(Consumer<OAuth2AuthorizationRequest.Builder>... customizers) {
+        delegates = new ArrayList<>(customizers.length + 3);
+        Collections.addAll(delegates, customizers);
+    }
+
+    @Override
+    public void accept(Builder t) {
+        for (var consumer : delegates) {
+            consumer.accept(t);
+        }
+    }
+
+    public CompositeOAuth2AuthorizationRequestCustomizer addCustomizer(Consumer<OAuth2AuthorizationRequest.Builder> customizer) {
+        this.delegates.add(customizer);
+        return this;
+    }
+
+}

spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/reactive/client/ReactiveSpringAddonsOidcClientWithLoginBeans.java

@@ -5,6 +5,7 @@
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
@@ -62,8 +63,8 @@
  * <li>clientAuthorizePostProcessor: a {@link ClientAuthorizeExchangeSpecPostProcessor} post processor to fine tune access control from java
  * configuration. It applies to all routes not listed in "permit-all" property configuration. Default requires users to be
  * authenticated.</li>
- * <li>clientHttpPostProcessor: a {@link ClientReactiveHttpSecurityPostProcessor} to override anything from above auto-configuration. It is called
- * just before the security filter-chain is returned. Default is a no-op.</li>
+ * <li>clientHttpPostProcessor: a {@link ClientReactiveHttpSecurityPostProcessor} to override anything from above auto-configuration. It is
+ * called just before the security filter-chain is returned. Default is a no-op.</li>
  * <li>authorizationRequestResolver: a {@link ServerOAuth2AuthorizationRequestResolver} to add custom parameters (from application
  * properties) to authorization code request</li>
  * </ul>
@@ -245,8 +246,9 @@ WebFilter csrfCookieWebFilter() {
 
     @ConditionalOnMissingBean
     @Bean
-    ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(ReactiveClientRegistrationRepository clientRegistrationRepository, SpringAddonsOidcProperties addonsProperties) {
-    	return new SpringAddonsServerOAuth2AuthorizationRequestResolver(clientRegistrationRepository, addonsProperties.getClient());
+    ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
+			OAuth2ClientProperties bootClientProperties, ReactiveClientRegistrationRepository clientRegistrationRepository, SpringAddonsOidcProperties addonsProperties) {
+    	return new SpringAddonsServerOAuth2AuthorizationRequestResolver(bootClientProperties, clientRegistrationRepository, addonsProperties.getClient());
     }
 
     @ConditionalOnMissingBean