SSL / Proxy Issue using Spring Cloud OAuth2

I adapted the following OAuth2 Spring Cloud samples:

Authserver / SSO

The only change I made was using JPA on the Authserver side to check the credentials against a database. Everything works well, except deploying it behind an nginx proxy. As in the sample apps above, Spring Boot with embedded Tomcat is used. I also properly configured the proxy headers:

server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.remote-ip-header=X-Real-IP

Proxying HTTP is working:

accessTokenUri: http://uaa.sample.com/oauth/token
userAuthorizationUri: http://uaa.sample.com/oauth/authorize

So far so good, but I need to use SSL (obviously):

accessTokenUri: https://uaa.sample.com/oauth/token
userAuthorizationUri: https://uaa.sample.com/oauth/authorize

If I switch to SSL, I get a 401 from my client application after the auth server is redirecting back from authorize. I captured the HTTP traffic and everything seems to work:

  • GET request to client application
  • Client app redirects to /login
  • /login redirects to https://uaa.sample.com/oauth/authorize?client_id=reprisk&redirect_uri=http://test.sample.com/login&response_type=code&state=9prwi2
  • Auth server redirects to https://uaa.sample.com/login
  • After login, authorize is called again and the server finally redirects to http://test.sample.com/login?code=212eRK&state=9prwi2

The HTTP traffic for HTTP and HTTPS is exactly the same, except that for HTTP a proper referer is set for the last request (AFAIK, the referer isn't checked during OAuth authentication, right?):

HTTP:

GET /login?code=212eRK&state=9prwi2 HTTP/1.1
Host: test.sample.com
...
Referer: http://uaa.sample.com/login
Cookie: JSESSIONID=401EB8D1D1F4297160D518EC253A0CB5; XSRF-TOKEN=95a00a0d-3362-4e9b-b7eb-45addf2d10b4
...

---
HTTP/1.1 302 Found

HTTPS:

GET /login?code=212eRK&state=9prwi2 HTTP/1.1
Host: test.sample.com
...
Cookie: JSESSIONID=401EB8D1D1F4297160D518EC253A0CB5; XSRF-TOKEN=95a00a0d-3362-4e9b-b7eb-45addf2d10b4
...

---
HTTP/1.1 401 Unauthorized

Corresponding log message from client application:

Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token.

Any ideas why using a proxy and SSL isn't working? I'm happy to share more code and/or log output!

Thanks!!!

Thilo asked May 11 '15 09:05


2 Answers

It looks to be failing where the SSO app tries to swap the auth code for a token. All the steps prior to this were browser redirects; this is code on the SSO server trying to call the auth server. What are you using for SSL certificates on the auth server? Are they signed by a trusted party with a CA in the Java trust store? If not, that is probably why it's failing, as the BadCredentialsException is the end result of the underlying HTTP request failing.

The other option is that there is no route directly from the SSO server to the Auth server address.

I believe it's ultimately the Apache Commons HttpClient code that will be handling the request, so you should try upping the debug for those classes (org.apache.http) and see what it reported.

Jim.R answered Sep 22 '22 13:09


It may be a little late but I ran into the exact same thing.

My setup is an NGINX doing SSL proxying through to a running Spring Boot application using Spring OAuth2.

To solve this, put this in the nginx config:

 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;

And this in your Spring application.yml:

 server.tomcat.remote_ip_header: X-Forwarded-For
 server.tomcat.protocol_header: X-Forwarded-Proto
 security.require_ssl: true

Source: http://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html#howto-enable-https

And now Spring detects the right URL, and request.getRequestURL also returns the right URL, now including https://:

 import javax.servlet.http.HttpServletRequest;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.ResponseBody;

 @Controller
 public class HomeController {
     // Echoes the absolute URL Tomcat reconstructed for this request; once the
     // proxy headers above are honoured it starts with https:// behind nginx.
     @RequestMapping("/")
     @ResponseBody
     public String rootLandingPage(HttpServletRequest request) throws Exception {
         return "url: " + request.getRequestURL();
     }
 }
Foo Barino answered Sep 19 '22 13:09
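As an added example (not code from the question, either answer or Spring itself), this Python model reproduces the decision Tomcat's RemoteIpValve makes under the server.tomcat.protocol-header setting discussed in the question and the second answer: the forwarded scheme is honoured only when the direct peer falls in the valve's default internal-proxy ranges, which is why the redirect_uri in the captured authorize request came out as http:// before the headers were wired up, and why a client that reaches Tomcat directly cannot upgrade its own scheme by sending the header. The two requests are constructed, and INTERNAL_PROXIES, effective_scheme, redirect_uri and authorize_url are this example's own names.

```python
import ipaddress
from urllib.parse import urlencode

# Default internalProxies of Tomcat's RemoteIpValve (private, loopback and
# link-local ranges); Spring Boot exposes this as server.tomcat.internal-proxies.
INTERNAL_PROXIES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8", "172.16.0.0/12")]

# Constructed requests as Tomcat sees them: nginx terminated TLS, so the socket
# is plain HTTP and only the forwarded headers say the browser used https.
REQ_VIA_NGINX = {
    "remote_addr": "10.0.0.5",            # nginx, inside an internal-proxy range
    "host": "test.sample.com", "path": "/login",
    "headers": {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.7"},
}
REQ_DIRECT = {
    "remote_addr": "203.0.113.9",         # a client that bypassed the proxy
    "host": "test.sample.com", "path": "/login",
    "headers": {"X-Forwarded-Proto": "https"},  # header set by the client itself
}


def effective_scheme(req, protocol_header=None):
    """Scheme the application should believe, following RemoteIpValve's rule:
    the configured protocol header is honoured only when the direct peer is an
    internal proxy; otherwise the socket scheme (http) is used."""
    if protocol_header is None:           # server.tomcat.protocol-header unset
        return "http"
    peer = ipaddress.ip_address(req["remote_addr"])
    if not any(peer in net for net in INTERNAL_PROXIES):
        return "http"                     # untrusted peer: header is ignored
    return req["headers"].get(protocol_header, "http").lower()


def redirect_uri(req, protocol_header=None):
    """Absolute URL of the request, i.e. the redirect_uri the client app sends."""
    return f"{effective_scheme(req, protocol_header)}://{req['host']}{req['path']}"


def authorize_url(req, protocol_header=None, client_id="reprisk", state="9prwi2"):
    """Authorize redirect as in the captured trace, with the derived redirect_uri."""
    query = urlencode({"client_id": client_id,
                       "redirect_uri": redirect_uri(req, protocol_header),
                       "response_type": "code", "state": state})
    return "https://uaa.sample.com/oauth/authorize?" + query


if __name__ == "__main__":
    print("unconfigured:", redirect_uri(REQ_VIA_NGINX))
    print("configured:  ", redirect_uri(REQ_VIA_NGINX, "X-Forwarded-Proto"))
    print("spoofed:     ", redirect_uri(REQ_DIRECT, "X-Forwarded-Proto"))
```

Because the header is only trusted from the internal ranges, a deployment whose proxy sits on a public address has to widen server.tomcat.internal-proxies deliberately rather than disable the check.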