Reputation: 786
I am trying to implement OAuth2 with Spring Security, and I have studied the samples provided by Spring in the following GitHub repository: https://github.com/spring-projects/spring-security-oauth/blob/master/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/config/WebMvcConfig.java
This OAuth2 sample is divided into two projects:
Tonr shows photos from Sparklr and also includes a Facebook API client to list the friends of an account. It seems that once a token is obtained from one provider, the same token is sent to all OAuth2 providers, even if the token doesn't come from the called provider.
Steps:
The sparklr token is sent to Facebook (visible in debug logs), and obviously Facebook returns a 400 Bad Request Error.
If I now log out from tonr, go directly to the Facebook friends page and log in to tonr again, it works; a token is requested from Facebook and access is granted. So the same OAuth2ClientContext and the same token are kept from Sparklr to Facebook.
Question: How to separate OAuth2ClientContext to keep the token with its respective resource server?
I tried to instantiate a different OAuth2ClientContext bean for facebookRestTemplate, but the OAuth2 flow is broken with:
```java
@Bean(name = "facebookClientContext")
public OAuth2ClientContext facebookClientContext() {
    return new DefaultOAuth2ClientContext();
}

@Bean
public OAuth2RestTemplate facebookRestTemplate(@Qualifier("facebookClientContext") OAuth2ClientContext clientContext) {
    ...
```
Upvotes: 3
Views: 1027
Reputation: 106
I had the same problem. I solved it the same way you did, except that you should:
See OAuth2ClientConfiguration as a guideline.
Modify your WebMvcConfig$ResourceConfiguration:
```java
// Request-scoped AccessTokenRequest, injected by name.
@Resource(name = "accessTokenRequest")
private AccessTokenRequest accessTokenRequest;

// Separate session-scoped client context that holds only the Facebook token.
@Bean
@Qualifier("facebookClientContext")
@Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
public DefaultOAuth2ClientContext facebookClientContext() {
    return new DefaultOAuth2ClientContext(accessTokenRequest);
}

// The Facebook template uses its own context.
@Bean
public OAuth2RestTemplate facebookRestTemplate(
        @Qualifier("facebookClientContext") OAuth2ClientContext clientContext) {
    OAuth2RestTemplate template = new OAuth2RestTemplate(facebook(), clientContext);
    MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter();
    converter.setSupportedMediaTypes(
            Arrays.asList(MediaType.APPLICATION_JSON, MediaType.valueOf("text/javascript")));
    template.setMessageConverters(Arrays.<HttpMessageConverter<?>>asList(converter));
    return template;
}

// Both Sparklr templates keep using the oauth2ClientContext bean.
@Bean
public OAuth2RestTemplate sparklrRestTemplate(
        @Qualifier("oauth2ClientContext") OAuth2ClientContext clientContext) {
    return new OAuth2RestTemplate(sparklr(), clientContext);
}

@Bean
public OAuth2RestTemplate sparklrRedirectRestTemplate(
        @Qualifier("oauth2ClientContext") OAuth2ClientContext clientContext) {
    return new OAuth2RestTemplate(sparklrRedirect(), clientContext);
}
```
Upvotes: 2
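The behaviour discussed in this thread, as an added example that is not part of the original question or answer: an `OAuth2RestTemplate` takes its token from the `OAuth2ClientContext` it was given, so two templates sharing one context present the same token to both providers, while one context per provider keeps them apart. The class name, resource ids, URIs and token value are constructed for illustration; it assumes spring-security-oauth2 on the classpath and sends no request.

```java
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;

public class ClientContextIsolationDemo {

    // Constructed resource details; ids and URIs are placeholders.
    static AuthorizationCodeResourceDetails resource(String id, String tokenUri) {
        AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
        details.setId(id);
        details.setClientId("demo-client");
        details.setAccessTokenUri(tokenUri);
        return details;
    }

    public static void main(String[] args) {
        AuthorizationCodeResourceDetails sparklr =
                resource("sparklr", "https://sparklr.example/oauth/token");
        AuthorizationCodeResourceDetails facebook =
                resource("facebook", "https://facebook.example/oauth/token");

        // Shared context: the situation reported in the question.
        OAuth2ClientContext shared = new DefaultOAuth2ClientContext();
        OAuth2RestTemplate sparklrTemplate = new OAuth2RestTemplate(sparklr, shared);
        OAuth2RestTemplate facebookTemplate = new OAuth2RestTemplate(facebook, shared);
        shared.setAccessToken(new DefaultOAuth2AccessToken("sparklr-token-constructed"));
        // getAccessToken() returns any unexpired token held by the context,
        // whichever resource the template was built for.
        System.out.println("shared, sparklr sends:  " + sparklrTemplate.getAccessToken().getValue());
        System.out.println("shared, facebook sends: " + facebookTemplate.getAccessToken().getValue());

        // One context per provider: the arrangement used in the answer.
        OAuth2ClientContext sparklrContext = new DefaultOAuth2ClientContext();
        OAuth2ClientContext facebookContext = new DefaultOAuth2ClientContext();
        sparklrContext.setAccessToken(new DefaultOAuth2AccessToken("sparklr-token-constructed"));
        OAuth2RestTemplate isolatedFacebook = new OAuth2RestTemplate(facebook, facebookContext);
        // The Facebook context holds no token, so a call through this template
        // has to obtain one from Facebook instead of reusing the Sparklr token.
        System.out.println("isolated, facebook holds: "
                + isolatedFacebook.getOAuth2ClientContext().getAccessToken());
    }
}
```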