Spring 5 Security OAuth2 Login Redirect Loop

Question

I want to work with Spotify Web API, but I'm having trouble with Spring Security Configuration. Here are my security dependencies:

 /* springBootVersion = '2.1.2.RELEASE' */
implementation "org.springframework.security:spring-security-oauth2-client"
implementation 'org.springframework.security:spring-security-oauth2-jose:5.1.6.RELEASE'
implementation "org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.7.RELEASE"

And here's my security in my application.yml file:

spring:
  security:
    oauth2:
      client:
        registration:
          spotify:
            provider: spotify-provider
            client-id: <client-id>
            client-secret: <client-secret>
            client-authentication-method: basic
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:8080/
            scope: <comma delimited scopes>
        provider:
          spotify-provider:
            authorization-uri: https://accounts.spotify.com/authorize
            token-uri: https://accounts.spotify.com/api/token
            user-info-uri: https://api.spotify.com/v1/me

My issue is that after I login and get redirected back to my application, it gets stuck on the URL http://localhost:8080/oauth2/authorization/spotify with the error

localhost redirected you too many times.

Here's what my java security configuration looks like:

@Configuration
public class SpotifySecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login();
  }
}

Answer 1

The Redirect Loop was because the /oauth2/authorization/ endpoint was secured, thus it was triggering going back to the Web API for an access token.

I've updated my configuration to this:

@Configuration
public class SpotifySecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/home", "/login**","/callback/", "/webjars/**", "/error**", "/oauth2/authorization/**")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login();
  }
}

The second issue was that the redirect-uri is the URI that the Web API will send the access token to Spring to be used to get the refresh token. I thought it was for a successful login. Spring already has an implementation for handling refresh tokens, but I did not know what endpoint it should use. For some reason, the redirect-uri cannot be blank, there is no default, I would get this error:

IllegalArgumentException: redirectUriTemplate cannot be empty

To use Spring's refresh token implementation I needed to set the redirect-uri to this:

redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'

redirect-uri-template is an alias for redirect-uri (they're the same variable).

I found the redirect-uri in another stackoverflow post:

authorizationGrantType cannot be null in Spring Security 5 OAuth Client and Spring Boot 2.0

Answer 2

Try to add the @EnableOAuth2Sso annotation :

@Configuration
@EnableOAuth2Sso
public class SpotifySecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login();
  }
}