t-my

Reputation: 133

Spring Boot and OAuth2: redirect url over reverse proxy

Good day.

I'm developing a spring-boot service which runs on a certain port, let's say hostname:8080 on the server. Users access this service through an Apache proxy at url.com/application

Now apache is configured:

ProxyRequests Off
ProxyPreserveHost Off
ProxyPass /application http://hostname:8080
ProxyPassReverse /application http://hostname:8080

I use oauth2 for authentication and authentication happens in authserver.com

Application.yml:

oauth2:
  client:
    clientId: username
    clientSecret: 123123
    accessTokenUri: http://authserver.com/oauth/token
    userAuthorizationUri: http://authserver.com/oauth/authorize
    clientAuthenticationScheme: form
  resource:
    userInfoUri: http://authserver.com/oauth/user
    preferTokenInfo: false

  1. I request url.com/application
  2. I get redirected to the form-based authentication at authserver.com/oauth/authorize?client_id=username&redirect_url=url.com/login&...
  3. Once authenticated I get redirected back to url.com/login, which was given as a GET parameter in the previous step. This results in a 404.

How can I modify that redirect_url in the Spring Boot config? It should be url.com/application/login.

pom.xml:

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-ws</artifactId>
        <version>1.3.0.M2</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <exclusions>
            <!-- Tomcat is excluded so that Undertow below is the embedded container -->
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-tomcat</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-undertow</artifactId>
    </dependency>
</dependencies>

Security config:

// Imports for Spring Boot 1.3 / Spring Cloud Security 1.0.x
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.cloud.security.oauth2.sso.OAuth2SsoConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;

@EnableAutoConfiguration
@EnableGlobalMethodSecurity(prePostEnabled = true)
public static class WebSecurityConfig extends OAuth2SsoConfiguration {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Endpoints reachable without a login
        http.authorizeRequests().antMatchers("/health", "/status", "/ws", "/ws/*", "/mappings", "/beans")
                .anonymous();
        http.csrf().disable();
        // Let the SSO configuration add the OAuth2 login for everything else
        super.configure(http);
    }

}

Using Spring Cloud Security 1.0.0.RC3

Upvotes: 2

Views: 11549

Answers (2)

Kushal

Reputation: 113

Please follow this answer. It solved my day.

1. You have to set up the headers on your Apache proxy:

<VirtualHost *:443>
    ServerName www.myapp.org
    ProxyPass / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Port 443
    ProxyPreserveHost On
    ... (SSL directives omitted for readability)
</VirtualHost>

2. You have to tell your Spring Boot app to use these headers. So put the following line in your application.properties (or any other place where Spring Boot understands properties):

server.use-forward-headers=true

Upvotes: 3
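What `server.use-forward-headers=true` does, and the trust decision that goes with it, as an added example that is not part of the answer above and not Spring Boot or Apache code: the application behind the proxy rebuilds the absolute redirect URI for the authorization request from the X-Forwarded-* headers, but honours those headers only when the request really came from the proxy. Otherwise any direct client could choose the host the authorization server sends the browser (and the code) back to. `TRUSTED_PROXIES`, `CONTEXT_PATH`, the function names and the sample headers are assumptions made for this example.

```python
"""Added example: reconstructing the OAuth2 redirect URI behind a reverse proxy.

Not code from the question or the answers. The constants, function names and
sample headers below are assumptions for this example.
"""
from urllib.parse import urlencode

# Assumption: only the Apache proxy is allowed to set forwarded headers.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}

# Assumption: the prefix Apache strips with "ProxyPass /application ...";
# the app has to put it back, or the redirect ends at url.com/login (the 404).
CONTEXT_PATH = "/application"


def effective_origin(headers, remote_addr, local_host="hostname", local_port=8080):
    """Return (scheme, host, port) as the user sees them.

    Forwarded headers are used only for a trusted proxy; for anyone else the
    local listener values are used, so a spoofed X-Forwarded-Host is ignored.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if remote_addr in TRUSTED_PROXIES:
        scheme = h.get("x-forwarded-proto", "http")
        host = h.get("x-forwarded-host", h.get("host", local_host))
        port = int(h.get("x-forwarded-port", 443 if scheme == "https" else 80))
    else:
        scheme, host, port = "http", local_host, local_port
    return scheme, host, port


def build_redirect_uri(headers, remote_addr, login_path="/login"):
    """Absolute redirect URI (RFC 6749 requires an absolute URI here)."""
    scheme, host, port = effective_origin(headers, remote_addr)
    default_port = 443 if scheme == "https" else 80
    authority = host if port == default_port else f"{host}:{port}"
    return f"{scheme}://{authority}{CONTEXT_PATH}{login_path}"


def build_authorize_url(headers, remote_addr, client_id="username",
                        authorize_endpoint="http://authserver.com/oauth/authorize"):
    """The URL the app redirects the browser to, with redirect_uri filled in."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": build_redirect_uri(headers, remote_addr),
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


# Constructed sample: the request as Apache (configured as in the answer,
# ProxyPreserveHost On plus X-Forwarded-Proto/Port) hands it to the app.
PROXIED_HEADERS = {
    "Host": "www.myapp.org",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}

# Constructed sample: a direct client that forges forwarded headers.
SPOOFED_HEADERS = {
    "Host": "hostname:8080",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "attacker.example",
    "X-Forwarded-Port": "443",
}

if __name__ == "__main__":
    print(build_authorize_url(PROXIED_HEADERS, "127.0.0.1"))
    print(build_authorize_url(SPOOFED_HEADERS, "203.0.113.5"))
```

Run as a script it prints the authorization URL for both requests: the proxied one carries `https://www.myapp.org/application/login`, the spoofed one falls back to the local listener address instead of `attacker.example`. In a real deployment the same rule applies to whatever mechanism the container uses to honour forwarded headers: restrict it to the proxy's address, not to every peer.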

KSTN

Reputation: 2022

From the OAuth2 spec:

3.1.2. Redirection Endpoint

After completing its interaction with the resource owner, the authorization server directs the resource owner's user-agent back to the client. The authorization server redirects the user-agent to the client's redirection endpoint previously established with the authorization server during the client registration process or when making the authorization request.

The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3. The endpoint URI MAY include an "application/x-www-form-urlencoded" formatted (per Appendix B) query component ([RFC3986] Section 3.4), which MUST be retained when adding additional query parameters. The endpoint URI MUST NOT include a fragment component.

There are two options for handling the redirection:

  • First, during the client registration the redirect url is stored in database
  • Second, during requesting the authorization we can pass the redirect_url

I can see that you are using the second option by passing the redirect_url to the OAuth server: authserver.com/oauth/authorize?client_id=username&redirect_url=url.com/login

But the one that triggers this redirection is url.com/application. Therefore you need to change/configure url.com/application to redirect the request to authserver.com/oauth/authorize?client_id=username&redirect_url=url.com/application/login.

If you are using Spring Security in your url.com/application, change the login page URL in the configuration.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests()
            .antMatchers("/", "/home").permitAll()
            .anyRequest().authenticated()
            .and()
        .formLogin()
            // Absolute URL with scheme: the login page lives on the authorization server
            .loginPage("http://authserver.com/oauth/authorize?client_id=username&redirect_url=url.com/application/login")
            .permitAll()
            .and()
        .logout()
            .permitAll();
}

Since you are not showing your application code, the above code may or may not work.

Upvotes: 0
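The other side of the spec section quoted in this answer, as an added example that is not code from the answer or from any real authorization server: what authserver.com should do with the redirect URI it receives. Section 3.1.2 requires an absolute URI without a fragment, and an authorization server that matches the requested value against the registered one by exact comparison (not by prefix) is what keeps an attacker from sending the authorization code to a host or path of their choosing. The registration table, client ids, URLs and function names are assumptions made for this example.

```python
"""Added example: validating redirect_uri against the client registration
per RFC 6749 section 3.1.2. Not code from the answer; the registered
clients and function names are assumptions for this example.
"""
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: redirect URIs stored at client registration (the first option
# in the answer). A second client with a query component is included to show
# that a registered query must be kept when the server adds its own parameters.
REGISTERED_CLIENTS = {
    "username": ["http://url.com/application/login"],
    "other-client": ["https://app.example/cb?tenant=a"],
}


class InvalidRedirectURI(ValueError):
    pass


def _syntax_check(uri):
    """Section 3.1.2: MUST be absolute, MUST NOT include a fragment."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        raise InvalidRedirectURI("redirect_uri must be an absolute URI")
    if parts.fragment or uri.endswith("#"):
        raise InvalidRedirectURI("redirect_uri must not include a fragment")
    return parts


def resolve_redirect_uri(client_id, requested=None):
    """Return the URI the browser may be sent to, or raise InvalidRedirectURI.

    With no redirect_uri in the request, only a client with exactly one
    registered URI is accepted. With one present, scheme, authority, path and
    query must all equal a registered URI; a prefix match would let
    http://url.com/application/login/../x or a sibling path through.
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        raise InvalidRedirectURI("unknown client_id")
    if requested is None:
        if len(registered) != 1:
            raise InvalidRedirectURI("redirect_uri is required for this client")
        return registered[0]
    parts = _syntax_check(requested)
    for candidate in registered:
        c = urlsplit(candidate)
        same_location = (parts.scheme, parts.netloc, parts.path) == (c.scheme, c.netloc, c.path)
        same_query = parse_qsl(parts.query, keep_blank_values=True) == parse_qsl(c.query, keep_blank_values=True)
        if same_location and same_query:
            return candidate
    raise InvalidRedirectURI("redirect_uri does not match a registered URI")


def is_valid_redirect_uri(client_id, requested=None):
    """Boolean form of resolve_redirect_uri for callers that only need a yes/no."""
    try:
        resolve_redirect_uri(client_id, requested)
        return True
    except InvalidRedirectURI:
        return False


def build_callback(client_id, requested, code, state=None):
    """Build the redirect back to the client, keeping any registered query
    component and appending code (and state) to it."""
    target = resolve_redirect_uri(client_id, requested)
    base, _, query = target.partition("?")
    params = parse_qsl(query, keep_blank_values=True)
    params.append(("code", code))
    if state is not None:
        params.append(("state", state))
    return f"{base}?{urlencode(params)}"


if __name__ == "__main__":
    # The value from the question, rejected as not absolute:
    print(is_valid_redirect_uri("username", "url.com/login"))
    # The value the question wants, accepted:
    print(build_callback("username", "http://url.com/application/login", "SplxlOBeZQQYbYS6WxSbIA", "xyz"))
```

Note that the check uses the URI from the registration, not the echoed request value, when it builds the callback, so the only thing the request can influence is which of the registered URIs is selected.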
