I've been thrashing around with the Spring Boot Oauth2 tutorial and I can't seem to get a pretty key element working:
https://spring.io/guides/tutorials/spring-boot-oauth2/
I want to run as an authorization server. I've followed the instructions as closely as I can fathom, but when I go to the /oauth/authorize endpoint, all I ever get is a 403 Forbidden response. This actually makes sense to me given the HttpSecurity configuration that the tutorial sets up:
```java
protected void configure(HttpSecurity http) throws Exception {
    http
        .antMatcher("/**")
        .authorizeRequests()
            .antMatchers("/", "/login**", "/webjars/**")
            .permitAll()
            .anyRequest()
            .authenticated()
        .and().logout().logoutSuccessUrl("/").permitAll()
        .and().csrf().csrfTokenRepository(csrfTokenRepository())
        .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
        .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}
```
The login page for this tutorial is actually the main index and I definitely don't see anything in the tutorial that would instruct the Oauth system to redirect the login flow there.
I can get it kind of working by adding this:
```java
.and().formLogin().loginPage("/")
```
...but before moving forward I really wanted to understand if this is a problem with the tutorial or my implementation of it or something else. What is the mechanism by which the Oauth security system decides what a "login" page is?
At this point, the OAuth Client retrieves your email address and basic profile information from the UserInfo Endpoint and establishes an authenticated session. For well known providers, Spring Security provides the necessary defaults for the OAuth Authorization Provider’s configuration.
In form-based authentication, redirection happens right after login, which is handled in an AuthenticationSuccessHandler instance in Spring Security. Three default implementations are provided: SimpleUrlAuthenticationSuccessHandler, SavedRequestAwareAuthenticationSuccessHandler and ForwardAuthenticationSuccessHandler.
The OAuth 2.0 Login feature provides an application with the capability to have users log in to the application by using their existing account at an OAuth 2.0 Provider (e.g. GitHub) or OpenID Connect 1.0 Provider (such as Google). OAuth 2.0 Login implements the use cases: "Login with Google" or "Login with GitHub".
The solution was to add the following to the SecurityConfig.configure call:
```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

@Override
protected void configure(HttpSecurity http) throws Exception {
    // Called when an unauthenticated request reaches a protected URL
    AuthenticationEntryPoint aep = new AuthenticationEntryPoint() {
        @Override
        public void commence(HttpServletRequest request,
                             HttpServletResponse response,
                             AuthenticationException authException)
                throws IOException, ServletException {
            response.sendRedirect("/login");
        }
    };
    http.exceptionHandling()
        .authenticationEntryPoint(aep);
    // ... the rest of the tutorial's HttpSecurity configuration follows here
}
```
Which redirects the authentication flow to a specific URL (in this case I am sending it to "/login", but it also worked with "/" or anything else I chose). I have no idea how the tutorial is supposed to do the redirect without explicitly adding this line.
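As an added example (not code from the question, the answer or the Spring tutorial), the same fix written with Spring Security's stock `LoginUrlAuthenticationEntryPoint` instead of a hand-written anonymous class, plus a separate 401 entry point for XHR callers, which a login redirect would not help. It assumes the tutorial's `WebSecurityConfigurerAdapter`-style config; the tutorial's `ssoFilter()` and CSRF wiring are left out so the class compiles on its own.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .antMatcher("/**")
            .authorizeRequests()
                .antMatchers("/", "/login**", "/webjars/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .exceptionHandling()
                // With neither formLogin() nor httpBasic() configured and no entry
                // point registered, Spring Security falls back to
                // Http403ForbiddenEntryPoint: that is the bare 403 from the question.
                // Entry points registered here are consulted in order, so the
                // narrow XHR rule must come before the catch-all browser rule.
                .defaultAuthenticationEntryPointFor(
                    // XHR/API callers cannot follow a login redirect; give them 401.
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                    new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"))
                .defaultAuthenticationEntryPointFor(
                    // Browser requests for protected URLs go to the index page,
                    // where the tutorial's "Login with ..." links live.
                    // ExceptionTranslationFilter caches the original request before
                    // calling the entry point, so the user returns to it after login.
                    new LoginUrlAuthenticationEntryPoint("/"),
                    AnyRequestMatcher.INSTANCE)
            .and()
            .logout().logoutSuccessUrl("/").permitAll();
    }
}
```

Hitting a protected URL in a browser now yields a 302 to `/`, while the same request with `X-Requested-With: XMLHttpRequest` yields a 401 with no redirect.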
Please follow this answer. 1. You have to set up the headers on your Apache proxy:
```apache
<VirtualHost *:443>
    ServerName www.myapp.org
    ProxyPass / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Port 443
    ProxyPreserveHost On
    # ... (SSL directives omitted for readability)
</VirtualHost>
```
2. You have to tell your Spring Boot app to use these headers. So put the following line in your application.properties (or any other place where Spring Boot understands properties):
```properties
server.use-forward-headers=true
```