
Enabling OAuth2Sso on Google App Engine

I am trying to get Spring Security OAuth2 set up on my application in Google App Engine. Everything seems to work fine locally, but when I deploy to App Engine things start to break down. After I authenticate through Google, it's forwarding me to a Whitelabel error page. In the console I see this error:

http://my-application.appspot.com/login?state=t…m&session_state=8b67f5df659a8324430803973b9e1726e39fd454..1ae3&prompt=none 
401 (Unauthorized)

I set up my auth with this application.yml file:

security:
  oauth2:
    client:
      clientId: client-key
      clientSecret: secret-key
      accessTokenUri: https://www.googleapis.com/oauth2/v4/token
      userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
      clientAuthenticationScheme: form
      scope:
        - openid
        - email
        - profile
        - https://www.googleapis.com/auth/cloud-platform
    resource:
      userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
      preferTokenInfo: true

My security config looks something like this:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .and()
            .authorizeRequests()
            .antMatchers("/static/**").permitAll()
            .antMatchers("/**").hasAuthority("ROLE_ADMIN")
            .anyRequest().authenticated()
        .and()
            .exceptionHandling()
            .accessDeniedPage("/403");
}

I have configured the OAuth ID on the Google credentials pages to allow the authorized JavaScript origins to be:

http://my-application.appspot.com
https://my-application.appspot.com
http://localhost:8080

And the authorized redirect URIs to:

http://my-application.appspot.com/login
https://my-application.appspot.com/login
http://localhost:8080/login

Any ideas why I might be getting unauthorized errors once I deploy to GAE?

Thanks,

Craig

craigtb asked Oct 30 '22 04:10


1 Answer

Your problem is about authorization; maybe you missed a step in fully authorizing the application, such as moving your client_secret.json to your working directory.

https://developers.google.com/drive/v3/web/quickstart/java#step_1_turn_on_the_api_name

Step 1: Turn on the Drive API

  1. Use this wizard to create or select a project in the Google Developers Console and automatically turn on the API. Click Continue, then Go to credentials. On the Add credentials to your project page, click the Cancel button.

  2. At the top of the page, select the OAuth consent screen tab. Select an Email address, enter a Product name if not already set, and click the Save button. Select the Credentials tab, click the Create credentials button and select OAuth client ID.

  3. Select the application type Other, enter the name "Drive API Quickstart", and click the Create button.

  4. Click OK to dismiss the resulting dialog.

  5. Click the Download JSON button to the right of the client ID.

  6. Move this file to your working directory and rename it client_secret.json.

Helpful link: GCM HTTP 401 authorization error

vaquar khan answered Nov 15 '22 03:11