Support for OAuth2 Strava #37850

Merged
merged 1 commit into from
Jan 4, 2024
Binary file added docs/src/main/asciidoc/images/oidc-strava-1.png
12 changes: 12 additions & 0 deletions docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc
@@ -266,6 +266,18 @@ quarkus.oidc.tls.trust-store-password=${trust-store-password}
#quarkus.oidc.tls.trust-store-alias=certAlias
----

===== POST query

Some providers such as the xref:security-openid-connect-providers#strava[Strava OAuth2 provider] require client credentials be posted as HTTP POST query parameters:

[source,properties]
----
quarkus.oidc.provider=strava
quarkus.oidc.client-id=quarkus-app
quarkus.oidc.credentials.client-secret.value=mysecret
quarkus.oidc.credentials.client-secret.method=query
----

==== Introspection endpoint authentication

Some OIDC providers require authenticating to its introspection endpoint by using Basic authentication and with credentials that are different from the `client_id` and `client_secret`.
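Review bot: the new `===== POST query` section needs a one-line caveat on what `client-secret.method=query` means for secret handling: `client_id` and `client_secret` are placed in the token-request URL, so they are visible to anything that logs request URLs on the provider side or on intermediaries, which Basic, POST and JWT authentication avoid; readers should only use this when the provider leaves no choice. Two smaller points: "require client credentials be posted as HTTP POST query parameters" should read "require that client credentials be sent as query parameters of the HTTP POST request", and since `quarkus.oidc.provider=strava` already presets `Method.QUERY` (see the `strava()` hunk, merged in via `mergeTenantConfig` when the tenant's method is empty), the `client-secret.method=query` line in this example is redundant; either say it is shown for clarity or drop it.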
52 changes: 48 additions & 4 deletions docs/src/main/asciidoc/security-openid-connect-providers.adoc
@@ -8,9 +8,9 @@
include::_attributes.adoc[]
:diataxis-type: concept
:categories: security,web
:keywords: oidc github twitter google facebook mastodon microsoft apple spotify twitch linkedin
:keywords: oidc github twitter google facebook mastodon microsoft apple spotify twitch linkedin strava

:toclevels: 3
:topics: security,oidc,github,twitter,google,facebook,mastodon,microsoft,apple,spotify,twitch
:topics: security,oidc,github,twitter,google,facebook,mastodon,microsoft,apple,spotify,twitch,linkedin,strava

:extensions: io.quarkus:quarkus-oidc

This document explains how to configure well-known social OIDC and OAuth2 providers.
@@ -525,7 +525,27 @@
quarkus.oidc.credentials.client-secret=<Client Secret>
----

[[strava]]
=== Strava


Create a https://www.strava.com/settings/api[Strava application]:

image::oidc-strava-1.png[role="thumb"]

For example, set `Category` to `SocialMotivation`, and set `ApplicationCallbackDomain` to either `localhost` or the domain name provided by Ngrok, see the <<redirect_url>> for more information.


You can now configure your `application.properties`:

[source,properties]
----
quarkus.oidc.provider=strava
quarkus.oidc.client-id=<Client ID>
quarkus.oidc.credentials.client-secret=<Client Secret>
# default value is '/strava'
quarkus.oidc.authentication.redirect-path=/fitness/welcome <1>
----
<1> Strava does not enforce that the redirect (callback) URI which is provided as an authorization code flow parameter is equal to the URI registered in the Strava application because it only requires configuring `ApplicationCallbackDomain`. For example, if `ApplicationCallbackDomain` is set to `www.my-strava-example.com`, Strava will accept redirect URIs such as `www.my-strava-example.com/a`, `www.my-strava-example.com/path/a`, which is not recommended by OAuth2 best security practices, see link:https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-insufficient-redirect-uri-v[Insufficent redirect_uri validation] for more information.

Therefore you must configure a redirect path when working with the Strava provider and Quarkus will enforce that the current request path matches the configured `quarkus.oidc.authentication.redirect-path` value before completing the authotization code flow. See the <<exact_redirect_uri_match>> for more information.

[[provider-scope]]
== Provider scopes
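Review bot: two typos in the new Strava section: `Insufficent` -> `Insufficient` in the link text of callout <1>, and `authotization` -> `authorization` in the closing paragraph; `see the <<redirect_url>>` and `See the <<exact_redirect_uri_match>>` also read better without `the`. On substance, callout <1> should spell out the consequence rather than only citing the draft: because Strava validates only `ApplicationCallbackDomain`, an authorization code can be delivered to any path on the registered host, so the Quarkus-side comparison of the request path with `quarkus.oidc.authentication.redirect-path` is the only check that keeps the code flow from completing at an unintended handler, which is exactly why the closing paragraph makes `redirect-path` mandatory. The example redirect URIs in the callout should be written with a scheme (`https://www.my-strava-example.com/a`), since the comparison the security-topics draft asks for is on the full URI, not the host.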
@@ -685,9 +705,33 @@

The pattern of authenticating with a given provider, where the endpoint uses either an ID token or UserInfo (especially if an OAuth2-only provider such as `GitHub` is used) to get some information about the currently authenticated user and using an access token to access some downstream services (provider or application specific ones) on behalf of this user can be universally applied, irrespectively of which provider is used to secure the application.

== HTTPS Redirect URL
[[exact_redirect_uri_match]]
== Exact redirect URI match

Most OIDC and OAuth2 providers with the exception of <<strava>> will enforce that the authorization code flow can be completed only if the redirect URI matches precisely the redirect URI configured in a given provider's dashboard.

From the practical point of view, your Quarkus endpoint will most likely need to have the `quarkus.oidc.authentication.redirect-path` relative path property set to an initial entry path for all the authenticated users, for example, `quarkus.oidc.authentication.redirect-path=/authenticated`, which means that newly authenticated users will land on the `/authenticated` page, irrespectively of how many secured entry points your application has and which secured resource they initially accessed.

It is a typical flow for many OIDC `web-app` applications. Once the user lands on the initial secured page, your application can return an HTML page which uses links to guide users to other parts of the application or users can be immediately redirected to other application resources with the help of JAX-RS API.

If necessary, you can configure Quarkus to restore the original request URI after the authentication has been completed. For example:

[source,properties]
----
quarkus.oidc.provider=strava <1>
quarkus.oidc.client-id=<Client ID>
quarkus.oidc.credentials.secret=<Secret>
quarkus.oidc.authentication.restore-path-after-redirect=true <2>
----
<1> `strava` provider configuration is the only supported configuration which enforces the `quarkus.oidc.authentication.redirect-path` property with the `/strava` path which you can override with another path such as `/fitness`.
<2> If the users access the `/run` endpoint before the authentication, then, once they have authenticated and been redirected to the configured redirect path such as `/strava`, they will land on the original request `/run` path.

You do not have to set `quarkus.oidc.authentication.redirect-path` immediately because Quarkus assumes the current request URL is an authorization code flow redirect URL if no `quarkus.oidc.authentication.redirect-path` is configured. For example, to test that a <<google>> authentication is working, you can have a Quarkus endpoint listening on `/google` and update the Google dashboard that `http://localhost:8080/google` redirect URI is supported. Setting `quarkus.oidc.authentication.redirect-path` property will be required once your secured application URL space grows.

[[redirect_url]]
== HTTPS Redirect URI

Some providers will only accept HTTPS-based redirect URLs. Tools such as https://ngrok.com/[ngrok] https://linuxhint.com/set-up-use-ngrok/[can be set up] to help testing such providers with Quarkus endpoints running on localhost in dev mode.
Some providers will only accept HTTPS-based redirect URIs. Tools such as https://ngrok.com/[ngrok] https://linuxhint.com/set-up-use-ngrok/[can be set up] to help testing such providers with Quarkus endpoints running on localhost in dev mode.

== Rate Limiting
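Review bot: the `restore-path-after-redirect` example uses `quarkus.oidc.credentials.secret=<Secret>` while the Strava section and the `POST query` example use `quarkus.oidc.credentials.client-secret`; pick one spelling for the page (the `SymmetricKeyResolver` change to `OidcCommonUtils.clientSecret(...)` suggests both resolve, but readers should not have to guess). Callout <1> is hard to parse ("is the only supported configuration which enforces ... with the `/strava` path which you can override"); suggest: "`strava` is currently the only provider configuration that presets `quarkus.oidc.authentication.redirect-path` (to `/strava`); you can override it, for example with `/fitness`." Finally, the paragraph starting "You do not have to set `quarkus.oidc.authentication.redirect-path` immediately" should say plainly that with no `redirect-path` configured the new path comparison in `getCodeFlowTokensUni` is skipped (it is guarded by `redirectPath.isPresent()`), so the hardening only applies once the property is set.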

@@ -176,7 +176,13 @@ public static enum Method {
* form
* parameters.
*/
POST_JWT
POST_JWT,

/**
* client id and secret are submitted as HTTP query parameters. This option is only supported for the OIDC
* extension.
*/
QUERY
}

/**
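Review bot: the Javadoc on `QUERY` should carry the warning the option deserves: both `client_id` and `client_secret` (the `OidcProviderClient` hunk adds both) are placed in the request URL, so they are exposed to anything that logs URLs; recommend it only for providers that do not support the other methods. "client id and secret" should also be `client_id and client_secret` to match the wording of the sibling constants.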
@@ -1812,6 +1812,7 @@ public static enum Provider {
MASTODON,
MICROSOFT,
SPOTIFY,
STRAVA,
TWITCH,
TWITTER,
// New name for Twitter
@@ -1258,8 +1258,13 @@ public AuthorizationCodeTokens apply(AuthorizationCodeTokens tokens) {
private Uni<AuthorizationCodeTokens> getCodeFlowTokensUni(RoutingContext context, TenantConfigContext configContext,
String code, String codeVerifier) {

// 'redirect_uri': typically it must match the 'redirect_uri' query parameter which was used during the code request.
// 'redirect_uri': it must match the 'redirect_uri' query parameter which was used during the code request.
String redirectPath = getRedirectPath(configContext.oidcConfig, context);
if (configContext.oidcConfig.authentication.redirectPath.isPresent()
@sberyozkin sberyozkin (Member Author) Dec 22, 2023

@gastaldi @pedroigor This is the only hardening code that I've added to enforce a precise path match at the Quarkus level. For example, if the configured redirect path is /a/b/c but the current request attempting to complete the code flow is /a then it means, assuming the best and widespread practice that a registered application in my-provider has configured www.my-provider-app/a/b/c, then this redirect may not be coming from that provider. We haven't had to deal with it before because the providers will enforce such checks. For example, I linked to Google docs and it can easily be confirmed with all providers here except Strava that a mismatch will cause an eventual failure, but it costs a remote call, and we rely on providers to do the right thing, so this simple check will make the initial check done early at the Quarkus level, which is important for the Strava case.
This is also why I'm not considering this check as changing the OIDC logic as such; it is only a hardening check.

@sberyozkin sberyozkin (Member Author)

I've found it difficult to test this specific check though, as it is difficult to verify that the test failed exactly because of this check; I've spent quite some time today on it.

@sberyozkin sberyozkin (Member Author) Jan 4, 2024

@gastaldi Hi George, I've now added a test for this condition by modifying one of the existing CodeFlowTest integration tests; not perfect, but probably the closest to what can be done without having to create a dedicated integration module and check logs. So I'm happy enough now.

&& !configContext.oidcConfig.authentication.redirectPath.get().equals(context.request().path())) {
LOG.warnf("Token redirect path %s does not match the current request path", context.request().path());
return Uni.createFrom().failure(new AuthenticationFailedException("Wrong redirect path"));
}
String redirectUriParam = buildUri(context, isForceHttps(configContext.oidcConfig), redirectPath);
LOG.debugf("Token request redirect_uri parameter: %s", redirectUriParam);
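Review bot: the new check compares `redirectPath.get()` with `context.request().path()` via `String.equals`, so it is sensitive to path normalization: `/strava/` or `/strava/../strava` will fail or pass depending on what `path()` returns for them, while the route that reached this code may have matched on the normalized form. Comparing against the normalized path (`context.normalizedPath()` in Vert.x Web 4) keeps the check aligned with routing and avoids a bypass through dot segments. Note also that the guard `redirectPath.isPresent()` means no path is enforced at all when the property is unset, which the docs should state, and that the `LOG.warnf` line echoes the unauthenticated caller's request path verbatim; logging the expected path (or truncating the received one) avoids log spam and log-injection-sized values from an attacker-controlled string.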

@@ -39,6 +39,7 @@
import io.quarkus.oidc.TokenCustomizer;
import io.quarkus.oidc.TokenIntrospection;
import io.quarkus.oidc.UserInfo;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.oidc.common.runtime.OidcConstants;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.credential.TokenCredential;
@@ -551,7 +552,7 @@ private class SymmetricKeyResolver implements VerificationKeyResolver {
@Override
public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
throws UnresolvableKeyException {
return KeyUtils.createSecretKeyFromSecret(oidcConfig.credentials.secret.get());
return KeyUtils.createSecretKeyFromSecret(OidcCommonUtils.clientSecret(oidcConfig.credentials));
}
}
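Review bot: replacing `oidcConfig.credentials.secret.get()` with `OidcCommonUtils.clientSecret(oidcConfig.credentials)` changes the failure mode when no secret is configured: `Optional.get()` failed fast with `NoSuchElementException`, whereas the visible lines do not show what `clientSecret(...)` returns when neither `secret` nor `client-secret.value` is set; if it can return `null`, `KeyUtils.createSecretKeyFromSecret(null)` is reached and the symptom becomes an NPE during token verification. Add an explicit null check with a clear message here, or a comment confirming `clientSecret` never returns `null`.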

@@ -19,6 +19,7 @@
import io.quarkus.oidc.common.OidcEndpoint;
import io.quarkus.oidc.common.OidcRequestContextProperties;
import io.quarkus.oidc.common.OidcRequestFilter;
import io.quarkus.oidc.common.runtime.OidcCommonConfig.Credentials.Secret.Method;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.oidc.common.runtime.OidcConstants;
import io.quarkus.oidc.common.runtime.OidcEndpointAccessException;
@@ -51,6 +52,7 @@ public class OidcProviderClient implements Closeable {
private final String introspectionBasicAuthScheme;
private final Key clientJwtKey;
private final Map<OidcEndpoint.Type, List<OidcRequestFilter>> filters;
private final boolean clientSecretQueryAuthentication;

public OidcProviderClient(WebClient client,
Vertx vertx,
@@ -65,6 +67,7 @@ public OidcProviderClient(WebClient client,
this.clientJwtKey = OidcCommonUtils.initClientJwtKey(oidcConfig);
this.introspectionBasicAuthScheme = initIntrospectionBasicAuthScheme(oidcConfig);
this.filters = filters;
this.clientSecretQueryAuthentication = oidcConfig.credentials.clientSecret.method.orElse(null) == Method.QUERY;
}

private static String initIntrospectionBasicAuthScheme(OidcTenantConfig oidcConfig) {
@@ -139,45 +142,62 @@ public Uni<AuthorizationCodeTokens> refreshAuthorizationCodeTokens(String refres

private UniOnItem<HttpResponse<Buffer>> getHttpResponse(String uri, MultiMap formBody, boolean introspect) {
HttpRequest<Buffer> request = client.postAbs(uri);
request.putHeader(CONTENT_TYPE_HEADER, APPLICATION_X_WWW_FORM_URLENCODED);
request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
if (oidcConfig.codeGrant.headers != null) {
for (Map.Entry<String, String> headerEntry : oidcConfig.codeGrant.headers.entrySet()) {
request.putHeader(headerEntry.getKey(), headerEntry.getValue());
}
}
if (introspect && introspectionBasicAuthScheme != null) {
request.putHeader(AUTHORIZATION_HEADER, introspectionBasicAuthScheme);
if (oidcConfig.clientId.isPresent() && oidcConfig.introspectionCredentials.includeClientId) {
formBody.set(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
}
} else if (clientSecretBasicAuthScheme != null) {
request.putHeader(AUTHORIZATION_HEADER, clientSecretBasicAuthScheme);
} else if (clientJwtKey != null) {
String jwt = OidcCommonUtils.signJwtWithKey(oidcConfig, metadata.getTokenUri(), clientJwtKey);
if (OidcCommonUtils.isClientSecretPostJwtAuthRequired(oidcConfig.credentials)) {

Buffer buffer = null;

if (!clientSecretQueryAuthentication) {
request.putHeader(CONTENT_TYPE_HEADER, APPLICATION_X_WWW_FORM_URLENCODED);
request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);

if (introspect && introspectionBasicAuthScheme != null) {
request.putHeader(AUTHORIZATION_HEADER, introspectionBasicAuthScheme);
if (oidcConfig.clientId.isPresent() && oidcConfig.introspectionCredentials.includeClientId) {
formBody.set(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
}
} else if (clientSecretBasicAuthScheme != null) {
request.putHeader(AUTHORIZATION_HEADER, clientSecretBasicAuthScheme);
} else if (clientJwtKey != null) {
String jwt = OidcCommonUtils.signJwtWithKey(oidcConfig, metadata.getTokenUri(), clientJwtKey);
if (OidcCommonUtils.isClientSecretPostJwtAuthRequired(oidcConfig.credentials)) {
formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
formBody.add(OidcConstants.CLIENT_SECRET, jwt);
} else {
formBody.add(OidcConstants.CLIENT_ASSERTION_TYPE, OidcConstants.JWT_BEARER_CLIENT_ASSERTION_TYPE);
formBody.add(OidcConstants.CLIENT_ASSERTION, jwt);
}
} else if (OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) {
formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
formBody.add(OidcConstants.CLIENT_SECRET, jwt);
formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));
} else {
formBody.add(OidcConstants.CLIENT_ASSERTION_TYPE, OidcConstants.JWT_BEARER_CLIENT_ASSERTION_TYPE);
formBody.add(OidcConstants.CLIENT_ASSERTION, jwt);
formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
}
} else if (OidcCommonUtils.isClientSecretPostAuthRequired(oidcConfig.credentials)) {
formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));
buffer = OidcCommonUtils.encodeForm(formBody);
} else {
formBody.add(OidcConstants.CLIENT_ID, oidcConfig.clientId.get());
formBody.add(OidcConstants.CLIENT_SECRET, OidcCommonUtils.clientSecret(oidcConfig.credentials));
for (Map.Entry<String, String> entry : formBody) {
request.addQueryParam(entry.getKey(), OidcCommonUtils.urlEncode(entry.getValue()));
}
request.putHeader(ACCEPT_HEADER, APPLICATION_JSON);
buffer = Buffer.buffer();
}

if (oidcConfig.codeGrant.headers != null) {
for (Map.Entry<String, String> headerEntry : oidcConfig.codeGrant.headers.entrySet()) {
request.putHeader(headerEntry.getKey(), headerEntry.getValue());
}
}

LOG.debugf("Get token on: %s params: %s headers: %s", metadata.getTokenUri(), formBody, request.headers());
// Retry up to three times with a one-second delay between the retries if the connection is closed.
Buffer buffer = OidcCommonUtils.encodeForm(formBody);

OidcEndpoint.Type endpoint = introspect ? OidcEndpoint.Type.INTROSPECTION : OidcEndpoint.Type.TOKEN;
Uni<HttpResponse<Buffer>> response = filter(endpoint, request, buffer, null).sendBuffer(buffer)
.onFailure(ConnectException.class)
.retry()
.atMost(oidcConfig.connectionRetryCount).onFailure().transform(t -> t.getCause());
return response.onItem();

}

private AuthorizationCodeTokens getAuthorizationCodeTokens(HttpResponse<Buffer> resp) {
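Review bot: the `else` (query) branch ignores `introspect`: with `Method.QUERY` configured, an introspection call bypasses the `introspectionBasicAuthScheme` / `includeClientId` handling and puts `client_id` and `client_secret` in the URL next to the token being introspected. If query authentication is only meant for the token endpoint, guard the branch with `!introspect` (falling through to the form-based path for introspection) or reject the combination in the constructor. Two more points: (1) `request.addQueryParam(entry.getKey(), OidcCommonUtils.urlEncode(entry.getValue()))` should be checked against the Vert.x WebClient's own query encoding; if the client percent-encodes values when building the URI, `redirect_uri` and `code` arrive double-encoded; (2) `LOG.debugf("Get token on: %s params: %s headers: %s", ..., formBody, request.headers())` prints `formBody`, which in both branches contains `client_secret` (and `client_assertion` for the JWT case), so the secret lands in debug logs; redact those keys before logging.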
@@ -553,6 +553,9 @@ static OidcTenantConfig mergeTenantConfig(OidcTenantConfig tenant, OidcTenantCon
if (tenant.authentication.responseMode.isEmpty()) {
tenant.authentication.responseMode = provider.authentication.responseMode;
}
if (tenant.authentication.redirectPath.isEmpty()) {
tenant.authentication.redirectPath = provider.authentication.redirectPath;
}

// credentials
if (tenant.credentials.clientSecret.method.isEmpty()) {
@@ -20,6 +20,7 @@ public static OidcTenantConfig provider(OidcTenantConfig.Provider provider) {
case MASTODON -> mastodon();
case MICROSOFT -> microsoft();
case SPOTIFY -> spotify();
case STRAVA -> strava();
case TWITCH -> twitch();
case TWITTER, X -> twitter();
};
@@ -153,6 +154,28 @@ private static OidcTenantConfig spotify() {
return ret;
}

private static OidcTenantConfig strava() {
OidcTenantConfig ret = new OidcTenantConfig();
ret.setDiscoveryEnabled(false);
ret.setAuthServerUrl("https://www.strava.com/oauth");
ret.setApplicationType(OidcTenantConfig.ApplicationType.WEB_APP);
ret.setAuthorizationPath("authorize");

ret.setTokenPath("token");
ret.setUserInfoPath("https://www.strava.com/api/v3/athlete");

OidcTenantConfig.Authentication authentication = ret.getAuthentication();
authentication.setAddOpenidScope(false);
authentication.setScopes(List.of("activity:read"));
authentication.setIdTokenRequired(false);
authentication.setRedirectPath("/strava");

ret.getToken().setVerifyAccessTokenWithUserInfo(true);
ret.getCredentials().getClientSecret().setMethod(Method.QUERY);

return ret;
}

private static OidcTenantConfig twitch() {
// Ref https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-grant-flow
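Review bot: `strava()` sets `idTokenRequired(false)` and relies on `verifyAccessTokenWithUserInfo(true)` against `https://www.strava.com/api/v3/athlete`, so that UserInfo call is the only thing proving the access token is valid for this tenant; a comment saying so would stop someone from "optimizing" the flag away and turning the login into an unverified one. Two least-privilege questions: the default scope `activity:read` grants read access to the athlete's activities, which a login-only application does not need; if a narrower Strava scope is enough for the `/athlete` call, prefer it as the default and let applications add `activity:read` through `quarkus.oidc.authentication.scopes`. And `authentication.setRedirectPath("/strava")` is what activates the path comparison in `getCodeFlowTokensUni` for this provider; a comment pointing at that dependency would keep a future cleanup from dropping it. A reference link to Strava's OAuth documentation, as the `twitch()` method has, would also help.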
