Webflux Oauth2 .oauth2Client() doesn't redirect back to the original request after authenticating in the auth server
Summary
When configuring a WebFlux application as an OAuth2 Client using an authentication_code grant type and without implementing the OAuth2Login feature, the application redirects to the "/" path after authenticating in the Authentication Server instead of redirecting back to the original request.
Actual Behavior
1- Calling an endpoint in an OAuth2 Client application (without using OAuth2 login) using Auth code Grant type
2- Authenticate in the Authorization Server
3- Get redirected to the /authorize/oauth2/code/[myclient] endpoint
4- Get redirected to the root ("/") URL
Expected Behavior
1- Calling an endpoint in an OAuth2 Client application (without using OAuth2 login) using Auth code Grant type
2- Authenticate in the Authorization Server
3- Get redirected to the /authorize/oauth2/code/[myclient] endpoint
4- Get redirected to the endpoint we called in the first place
Configuration
1- Set up an application with the following ServerHttpSecurity configuration:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange()
            .anyExchange()
            .permitAll()     // every path is public; only the WebClient call needs a token
            .and()
            .oauth2Client(); // client support only, no oauth2Login()
    return http.build();
}
```
2- A client registration:
```properties
spring.security.oauth2.client.registration.myclient.client-name=myclient
spring.security.oauth2.client.registration.myclient.client-id=myclient-client-id
spring.security.oauth2.client.registration.myclient.client-secret=myclient-secret
spring.security.oauth2.client.registration.myclient.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.myclient.redirect-uri-template=http://localhost:8080/authorize/oauth2/code/myclient
spring.security.oauth2.client.provider.myclient.token-uri=http://localhost:8085/oauth/token
spring.security.oauth2.client.provider.myclient.authorization-uri=http://localhost:8085/oauth/authorize
```
Note: In my case, I set up the Client registration using Spring Boot 2.x. The client is registered in a custom Authentication Provider that I configured using Spring Security Oauth, but the issue should be present for well-known providers as well.
3- Configure the WebClient:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

@Bean
WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations,
                    ServerOAuth2AuthorizedClientRepository authorizedClients) {
    // Attaches the stored access token of "myclient" to outgoing requests
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
            new ServerOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrations, authorizedClients);
    oauth.setDefaultClientRegistrationId("myclient");
    return WebClient.builder()
            .filter(oauth)
            .build();
}
```
4- And the endpoint that I'm using:
```java
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

@RestController
public class ClientRestController {

    private static final String RESOURCE_URI = "http://localhost:8084/retrieve-resource";

    @Autowired
    WebClient webClient;

    // Resolving @RegisteredOAuth2AuthorizedClient with no stored client for "myclient"
    // is what starts the authorization-code redirect to the Authorization Server.
    @GetMapping("/auth-code-oauth")
    Mono<String> useOauthWithAuthCode(@RegisteredOAuth2AuthorizedClient("myclient") OAuth2AuthorizedClient authorizedClient) {
        Mono<String> retrievedResource = webClient.get()
                .uri(RESOURCE_URI)
                .attributes(oauth2AuthorizedClient(authorizedClient))
                .retrieve()
                .bodyToMono(String.class);
        return retrievedResource.map(string -> "We retrieved the following resource using Oauth: " + string);
    }
}
```
5- Now call the /auth-code-oauth endpoint. We get redirected to the Authentication login form, approve the required scopes, and after being redirected to the specified redirect-uri (/authorize/oauth2/code/myclient) the application retrieves the token, and we are redirected to the root ("/") URL, instead of the endpoint that I actually called in the first place. If I make the call to the /auth-code-oauth endpoint again afterwards, the retrieved response is the expected one, since no authentication process is carried out at this point.
A link to the sample is included at the end of the description.
Version
Spring Boot: 2.1.1.RELEASE
Spring Security: 5.1.2.RELEASE
Sample
Issue Analytics
- Created 5 years ago
- Comments: 7 (7 by maintainers)
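The behaviour in step 5 comes down to nothing remembering the request that triggered the authorization-code redirect, so the code-grant callback has only its default target ("/") to send the browser to. Until a framework-side fix such as the PR mentioned in the comments is available, an application can carry that state itself. The following is an added example written for this page; it is neither the issue author's sample nor Spring Security's own implementation. It keeps the issue's chain from step 1 and adds two WebFilters: one stores the protected request in a WebSessionServerRequestCache before the redirect to the authorization server, the other, on the callback path, rewrites the post-token redirect to "/" into that saved path. The class name, the constants PROTECTED_PATH and CALLBACK_PATH (values taken from the issue's configuration), and the filter positions relative to SecurityWebFiltersOrder (HTTP_BASIC for the authorization-request redirect filter and OAUTH2_AUTHORIZATION_CODE for the code-grant filter, as wired in 5.1) are assumptions.

```java
// Added example, not the issue author's code and not Spring Security's fix:
// remember the protected request, then send the browser back to it after the callback.
import java.net.URI;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.savedrequest.ServerRequestCache;
import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

@Configuration
public class SavedRequestOAuth2ClientConfig {

    // Hypothetical constants for this example; the values come from the issue's configuration.
    private static final String PROTECTED_PATH = "/auth-code-oauth";
    private static final String CALLBACK_PATH = "/authorize/oauth2/code/myclient";

    // The same session-backed cache Spring Security uses for form login's saved request.
    private final ServerRequestCache requestCache = new WebSessionServerRequestCache();

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange()
                .anyExchange()
                .permitAll()
                .and()
                .oauth2Client();
        // Assumption: the authorization-request redirect filter sits at HTTP_BASIC in 5.1,
        // so a filter just before it sees the protected request before the 302 is written.
        http.addFilterBefore(saveOriginalRequest(), SecurityWebFiltersOrder.HTTP_BASIC);
        // Assumption: the code-grant filter (callback handling, redirect to "/") sits at
        // OAUTH2_AUTHORIZATION_CODE; a filter before it can hook the response commit.
        http.addFilterBefore(restoreOriginalRequest(), SecurityWebFiltersOrder.OAUTH2_AUTHORIZATION_CODE);
        return http.build();
    }

    /** Stores the protected request (path plus query string) in the web session. */
    private WebFilter saveOriginalRequest() {
        ServerWebExchangeMatcher protectedPaths = ServerWebExchangeMatchers.pathMatchers(PROTECTED_PATH);
        return (exchange, chain) -> protectedPaths.matches(exchange)
                .filter(MatchResult::isMatch)
                .flatMap(match -> this.requestCache.saveRequest(exchange))
                .then(chain.filter(exchange));
    }

    /** On the callback path, replaces the post-token redirect to "/" with the saved request. */
    private WebFilter restoreOriginalRequest() {
        ServerWebExchangeMatcher callback = ServerWebExchangeMatchers.pathMatchers(CALLBACK_PATH);
        return (exchange, chain) -> callback.matches(exchange)
                .filter(MatchResult::isMatch)
                // beforeCommit runs after the code-grant filter has set status and Location,
                // while the headers are still writable.
                .doOnNext(match -> exchange.getResponse().beforeCommit(() -> redirectToSavedRequest(exchange)))
                .then(chain.filter(exchange));
    }

    private Mono<Void> redirectToSavedRequest(ServerWebExchange exchange) {
        URI location = exchange.getResponse().getHeaders().getLocation();
        if (exchange.getResponse().getStatusCode() != HttpStatus.FOUND || !URI.create("/").equals(location)) {
            return Mono.empty(); // not the default success redirect (e.g. an error response): leave it alone
        }
        return this.requestCache.getRedirectUri(exchange)
                .filter(SavedRequestOAuth2ClientConfig::isLocalPath) // never redirect off-site
                .doOnNext(uri -> exchange.getResponse().getHeaders().setLocation(uri))
                .then();
    }

    /** Only a path inside this application is honoured; anything else keeps the "/" fallback. */
    private static boolean isLocalPath(URI uri) {
        return uri.getScheme() == null && uri.getAuthority() == null
                && uri.getPath() != null && uri.getPath().startsWith("/")
                && !uri.getPath().startsWith("//");
    }
}
```

Two properties of this arrangement matter in practice. WebSessionServerRequestCache's default matcher only saves GET requests that accept text/html, so a browser navigation to /auth-code-oauth is remembered but an XHR or WebClient call is not, and the fallback stays "/". The rewrite on the callback is deliberately narrow: it touches only a 302 whose Location is "/" and only substitutes a same-application path, so a value in the session can never turn the callback into a redirect to another origin.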
Thanks for the support @rwinch it’s been a nice first experience contributing to this project 😃 I’d like to get involved more with the Spring project, so I’ll try to pick another task soon (either from spring-security or from any other project). Any suggestion or feedback for me is always appreciated. Cheers!
Thanks @rwinch! I now created PR #6418 to solve this. I'm looking forward to your comments, and please let me know if I can do anything else to help you 😃 Cheers!