michele

Reputation: 26598

Spring security oauth2 client - too many redirect

This is my application property file:

spring.security.oauth2.client.registration.myclient.client-id=SampleClientId
spring.security.oauth2.client.registration.myclient.client-secret=secret
spring.security.oauth2.client.provider.myclient.authorization-uri=http://localhost:8081/auth/oauth/authorize
spring.security.oauth2.client.provider.myclient.token-uri=http://localhost:8081/auth/oauth/token
spring.security.oauth2.client.provider.myclient.user-info-uri=http://localhost:8081/auth/user/me
spring.security.oauth2.client.registration.myclient.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.myclient.redirect-uri=http://localhost:8080/hellouser
spring.security.oauth2.client.provider.myclient.userNameAttribute=user

This is my configuration class:

import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {

  @throws[Exception]
  override protected def configure(http: HttpSecurity): Unit = {
    // Every request requires authentication; OAuth2 login is enabled and
    // the redirection (code pick-up) endpoint is moved to "/"
    http.authorizeRequests.anyRequest.authenticated.and.oauth2Login
      .redirectionEndpoint()
      .baseUri("/")
  }
}

and this my controller:

import org.springframework.http.MediaType
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken
import org.springframework.stereotype.Controller
import org.springframework.ui.Model
import org.springframework.web.bind.annotation.{GetMapping, ResponseBody}

case class Message(string: String)

@Controller
class SuccessController {

  // @ResponseBody is needed with @Controller so the returned object is
  // serialized as JSON instead of being treated as a view name
  @GetMapping(path = Array("/hellouser"), produces = Array(MediaType.APPLICATION_JSON_VALUE))
  @ResponseBody
  def getHelloUser(model: Model, authentication: OAuth2AuthenticationToken): Message = {
    Message("hello user")
  }
}

When I log in, I get ERR_TOO_MANY_REDIRECTS.

In the network section of the developer console I see these three calls repeated infinitely:

http://localhost:8081/auth/oauth/authorize?response_type=code&client_id=SampleClientId&state=xyz&redirect_uri=http://localhost:8080/hellouser

http://localhost:8080/hellouser?code=abc&state=xyz

http://localhost:8080/oauth2/authorization/myclient

What am I doing wrong?

Thank you

Upvotes: 5

Views: 5151

Answers (1)

Darren Forsythe

Reputation: 11411

Do not set your redirect URI to an API.

The redirect URI in the authorization code flow is used to pick up the authorization code so it then can be exchanged for tokens.

What is happening in your setup is

  1. Request Starts
  2. User is not logged in
  3. Redirect to Authorization login
  4. Redirect back from IdP to predetermined URI
  5. Request to API /helloworld
  6. Go to step 2.

https://auth0.com/docs/flows/concepts/auth-code has a visual of this; you are not making it to step 4, but short-circuiting the flow back to step 1.

Your config means that the auth code flow never completes. You should just keep the Spring default redirect URI and remove spring.security.oauth2.client.registration.myclient.redirect-uri=http://localhost:8080/hellouser

Nor should you need to set the redirectionEndpoint#baseUri config.

Edit:

Additional clarification: with Spring Security the initial request at step 1 is saved, and when the Authorization Code Flow completes at step 4 Spring will automatically replay the saved request.

Upvotes: 9
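The configuration the answer describes, applied to the Scala classes from the question. This is an added example, not code from the asker or the answerer: the custom redirect-uri property and the redirectionEndpoint().baseUri("/") override are removed, so the authorization code is picked up on Spring's default endpoint, {baseUrl}/login/oauth2/code/{registrationId}, which for this registration is http://localhost:8080/login/oauth2/code/myclient. The properties in the leading comment are the page's own values minus the redirect-uri line; the @BeanProperty annotation and the use of authentication.getName are assumptions added here.

```scala
// Added example (not the asker's or answerer's code): the corrected setup.
//
// Assumed application.properties (registration "myclient" as on the page,
// with the redirect-uri line removed so Spring's default
// {baseUrl}/login/oauth2/code/{registrationId} applies):
//
//   spring.security.oauth2.client.registration.myclient.client-id=SampleClientId
//   spring.security.oauth2.client.registration.myclient.client-secret=secret
//   spring.security.oauth2.client.registration.myclient.authorization-grant-type=authorization_code
//   spring.security.oauth2.client.provider.myclient.authorization-uri=http://localhost:8081/auth/oauth/authorize
//   spring.security.oauth2.client.provider.myclient.token-uri=http://localhost:8081/auth/oauth/token
//   spring.security.oauth2.client.provider.myclient.user-info-uri=http://localhost:8081/auth/user/me
//   spring.security.oauth2.client.provider.myclient.user-name-attribute=user
//
// The authorization server on :8081 must list
// http://localhost:8080/login/oauth2/code/myclient as an allowed redirect
// URI for SampleClientId, otherwise it will reject the authorize request.

import org.springframework.context.annotation.Configuration
import org.springframework.http.MediaType
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken
import org.springframework.stereotype.Controller
import org.springframework.web.bind.annotation.{GetMapping, ResponseBody}
import scala.beans.BeanProperty

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {

  @throws[Exception]
  override protected def configure(http: HttpSecurity): Unit = {
    http
      .authorizeRequests()
        .anyRequest().authenticated()
        .and()
      // No redirectionEndpoint().baseUri(...) override: the login filter keeps
      // its default /login/oauth2/code/* endpoint. That endpoint is where the
      // code and state parameters come back, where state is checked against
      // the saved authorization request, and where the code is exchanged for
      // tokens. Only after that does Spring replay the originally saved
      // request (for example GET /hellouser).
      .oauth2Login()
  }
}

// @BeanProperty (assumed here) gives the case class a getString() accessor so
// Jackson can serialize it without extra Scala modules.
case class Message(@BeanProperty string: String)

@Controller
class SuccessController {

  // The protected API. It is never the OAuth2 redirect target: an
  // unauthenticated GET here is saved, the browser is sent to
  // /oauth2/authorization/myclient, and once the code exchange finishes at
  // /login/oauth2/code/myclient the saved GET /hellouser is replayed with an
  // authenticated session.
  @GetMapping(path = Array("/hellouser"), produces = Array(MediaType.APPLICATION_JSON_VALUE))
  @ResponseBody
  def getHelloUser(authentication: OAuth2AuthenticationToken): Message =
    Message(s"hello ${authentication.getName}")
}
```

With this setup the three requests from the question no longer loop: the redirect from the IdP lands on the login filter's endpoint instead of the protected /hellouser, so step 4 of the answer's sequence actually completes before the API is called. Keeping the default endpoint also keeps Spring's state check in the path that receives the code, which is the CSRF protection the authorization code flow relies on.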
