Skip to content

Webflux Oauth2 .oauth2Client() doesn't redirect back to the original request after authenticating in the auth server #6341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rozagerardo opened this issue Dec 29, 2018 · 7 comments
Closed

Webflux Oauth2 .oauth2Client() doesn't redirect back to the original request after authenticating in the auth server #6341

rozagerardo opened this issue Dec 29, 2018 · 7 comments
Assignees
@rwinch
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
Milestone
5.2.0.M2

Comments

@rozagerardo
Copy link
Contributor

Summary

When configuring a WebFlux application as an OAuth2 Client using an authentication_code grant type and without implementing the OAuth2Login feature, the application redirects to the "/" path after authenticating in the Authentication Server instead of redirecting back to the original request

Actual Behavior

1-Calling an endpoint in an OAuth2 Client application (without using OAuth2 login) using Auth code Grant type
2- Authenticate in the Authorization Server
3- Get redirected to the /authorize/oauth2/code/[myclient] endpoint
4- Get redirected to the root ("/") URL

Expected Behavior

1-Calling an endpoint in an OAuth2 Client application (without using OAuth2 login) using Auth code Grant type
2- Authenticate in the Authorization Server
3- Get redirected to the /authorize/oauth2/code/[myclient] endpoint
4- Get redirected to the endpoint we called in the first place

Configuration

1- Set up an application with the following using the following ServerHttpSecurity configuration:

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange()
        .anyExchange()
        .permitAll()
        .and()
        .oauth2Client();
    return http.build();
}

2- A client registration:

spring.security.oauth2.client.registration.myclient.client-name=myclient
spring.security.oauth2.client.registration.myclient.client-id=myclient-client-id
spring.security.oauth2.client.registration.myclient.client-secret=myclient-secret
spring.security.oauth2.client.registration.myclient.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.myclient.redirect-uri-template=http://localhost:8080/authorize/oauth2/code/myclient

spring.security.oauth2.client.provider.myclient.token-uri=http://localhost:8085/oauth/token
spring.security.oauth2.client.provider.myclient.authorization-uri=http://localhost:8085/oauth/authorize

Note: In my case, I set up the Client registration using Spring Boot 2.x. The client is registered in a custom Authentication Provider that I configured using Spring Security Oauth, but the issue should be present for well-known providers as well.

3- Configure the WebClient:

@Bean
    WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations, ServerOAuth2AuthorizedClientRepository authorizedClients) {
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth = new ServerOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrations, authorizedClients);
        oauth.setDefaultClientRegistrationId("myclient");
        return WebClient.builder()
            .filter(oauth)
            .build();
    }

4-And the endpoint that I'm using:

@RestController
public class ClientRestController {

    private static final String RESOURCE_URI = "http://localhost:8084/retrieve-resource";

    @Autowired
    WebClient webClient;

    @GetMapping("/auth-code-oauth")
    Mono<String> useOauthWithAuthCode(@RegisteredOAuth2AuthorizedClient("myclient") OAuth2AuthorizedClient authorizedClient) {
        Mono<String> retrievedResource = webClient.get()
            .uri(RESOURCE_URI)
            .attributes(oauth2AuthorizedClient(authorizedClient))
            .retrieve()
            .bodyToMono(String.class);
        return retrievedResource.map(string -> "We retrieved the following resource using Oauth: " + string);
    }
}

5- Now call the /auth-code-oauth endpoint. We get redirected to the Authentication login form, approve the required scopes, and after being redirected to the specified redirect-uri (/authorize/oauth2/code/myclient) the application retrieves the token, and we are redirected to the root ("/") url, instead of the endpoint that I actually called in the first place. If I make the call to the /auth-code-oauth endpoint again afterwards, the retrieved response is the expected, since no authentication process is carried out at this point.

Included a link to the sample by the end of the description

Version

Spring Boot 2.1.1.RELEASE
Spring Security: 5.1.2.RELEASE

Sample

https://github.com/rozagerardo/samples
@rozagerardo
Copy link
Contributor Author

rozagerardo commented Dec 29, 2018
edited
Loading

It seems the SPRING_SECURITY_SAVED_REQUEST session attribute is not saved by any filter for the oauth2Client() configuration.
After comapring with the non-reactive version, I see that they behave differently. On the non-reactive side, the HttpSecurity uses an OAuth2ClientConfigurer when calling oauth2Client(), which seems to include an OAuth2AuthorizationRequestRedirectFilter in the SecurityWebFilterChain to save that session attribute.
The webflux version, on the other hand, uses a ServerHttpSecurity, which relies on the OAuth2ClientSpec. This adds an OAuth2AuthorizationRequestRedirectWebFilter to the chain, but it stores only the AUTHORIZATION_REQUEST web session attribute, not the SPRING_SECURITY_SAVED_REQUEST.
Then the RedirectServerAuthenticationSuccessHandler used by the OAuth2AuthroizationCodeGrantWebFilter (added to the chain by the oauth2client() configuration too) can't find it to redirect to the appropiate address

@rwinch
Copy link
Member

rwinch commented Jan 7, 2019

Thanks for the report and anyalysis @rozagerardo! Would you be interested in submitting a PR for this?

@rwinch rwinch added type: bug A general bug status: ideal-for-contribution An issue that we actively are looking for someone to help us with Reactive in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Jan 7, 2019
@rozagerardo
Copy link
Contributor Author

Thanks for the quick response @rwinch
Sure, I'll be glad to work on this :)
This will be my first contribution to the project, so it might take me a little bit longer than expected, to get familiarized with the contributor's guidelines
I'll come back as soon as I have the PR ready

@rwinch
Copy link
Member

rwinch commented Jan 8, 2019

Thanks @rozagerardo! Let us know if you run into any issues and we will do our best to help

@rozagerardo rozagerardo mentioned this issue Jan 13, 2019
Merged
@rozagerardo
Copy link
Contributor Author

Thanks @rwinch !
I now created PR #6418 to solve this.
I'm looking forward to you comments, and please let me know if I can do anything else to help you :) cheers!

rozagerardo added a commit to rozagerardo/spring-security that referenced this issue Jan 25, 2019
@rozagerardo
Save original request on oauth2Client filter
9ccbe21 
When we used the oauth2Client directive and requested an endpoint that
required client authorization on the authorization server, the
SPRING_SECURITY_SAVED_REQUEST was not persisted, and therefore after
creating the authorized client we were redirected to the root page ("/").

Now we are storing the session attribute and getting redirected back to
the original URI as expected.

Note that the attribute is stored only when a
ClientAuthorizationRequiredException is thrown in the chain, we dont
want to store it as a response to the
/oauth2/authorization/{registrationId} endpoint, since we would end
up in an infinite loop

Fixes spring-projectsgh-6341
@rwinch rwinch closed this as completed in 95e0e72 Jan 25, 2019
@rwinch rwinch removed the status: ideal-for-contribution An issue that we actively are looking for someone to help us with label Jan 25, 2019
@rwinch rwinch self-assigned this Jan 25, 2019
@rwinch rwinch added this to the 5.2.0.M2 milestone Jan 25, 2019
@rozagerardo
Copy link
Contributor Author

Thanks for the support @rwinch it's been a nice first experience contributing to this project :)
I'd like to get involved more with the Spring project, so I'll try to pick another task soon (either from spring-security or from any other project).
Any suggestion or feedback for me is always appreciated. Cheers!

@rwinch
Copy link
Member

rwinch commented Jan 29, 2019

Thanks again for your contribution! If you are looking for more tasks to work on, you can find ideal tickets with the Help Wanted label. Of course if you find something else, please just let us know and we can help determine if it is something we are interested in contributions for.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
Projects
None yet
Milestone
5.2.0.M2
Development

No branches or pull requests
2 participants
@rwinch @rozagerardo