OAuth2AuthenticationException should be in allowlist #8797


Closed
schnapster opened this issue Jul 5, 2020 · 3 comments

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug

Comments

schnapster commented Jul 5, 2020

Describe the bug
Using spring-boot-starter-oauth2-client with spring-session-data-redis and JSON serialization, when attempting an invalid authentication (for example by using the browser's back button) an OAuth2AuthenticationException ends up being serialized into the Redis store, which then cannot be deserialized due to the security config.

To Reproduce
I noticed this problem while developing an open source project of mine. The steps to reproduce this are fairly complicated and require, amongst other things, a Discord account and registering a Discord bot application. Unfortunately I have no idea how to reproduce it more minimally, without talking to a third-party OAuth2 provider. At least the steps below allow reproducing it using a port-forwarding service, with no full deployment necessary.

Maybe the stack traces and serialized data which are posted further down this post are enough to identify the problem without having to go through these reproduction steps.

Here we go:

The current state of the project as of writing this is this commit: https://github.com/wolfiabot/Wolfia/tree/de5fb5094d8c586d2d793c78adf0cbce08d52d60
A more-or-less detailed guide to start the backend and the frontend locally is here: https://github.com/wolfiabot/Wolfia/tree/de5fb5094d8c586d2d793c78adf0cbce08d52d60/dashboard

Once everything is running, open it in your browser.

  1. Click on the login button in the top right
  2. Log in to Discord if necessary, and click Authorize
  3. You will be redirected back to the application, which now detects you as logged in. All good so far!
  4. Click the back button in the browser to go back to Discord's OAuth2 screen
  5. Click Authorize again

The application throws an HTTP 500 for any requests to the backend now. Only clearing the cookies will help, as a session with the undeserializable data has been written into Redis.

org.springframework.data.redis.serializer.SerializationException: Could not read JSON: The class with org.springframework.security.oauth2.core.OAuth2AuthenticationException and name of org.springframework.security.oauth2.core.OAuth2AuthenticationException is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details; nested exception is java.lang.IllegalArgumentException: The class with org.springframework.security.oauth2.core.OAuth2AuthenticationException and name of org.springframework.security.oauth2.core.OAuth2AuthenticationException is not whitelisted. If you believe this class is safe to deserialize, please provide an explicit mapping using Jackson annotations or by providing a Mixin. If the serialization is only done by a trusted source, you can also enable default typing. See https://github.com/spring-projects/spring-security/issues/4370 for details

The full stack trace of the exception is here:
https://wastebin.party/ojidoxomol.pl

I used Redsmin to look into the exact content written into Redis (screenshot omitted).
It appears to me the offending data is in the sessionAttr:SPRING_SECURITY_LAST_EXCEPTION field:
https://wastebin.party/eseyinomeg.json

Expected behavior
Data that the framework serializes should also be deserializable by itself.
I can imagine two ways to achieve that: Either don't serialize any OAuth2AuthenticationExceptions in the first place, or whitelist them.
Also not ruling out that something with my own setup is wrong here in which case some pointers are very welcome.

Sample
See the reproduction steps above.

Please let me know if anything is unclear and I'll do my best to provide further information.

I have suggested two possible approaches to a fix under "Expected behaviour". I'd be happy to work on a pull request to fix this problem if someone with better understanding of the internals of the framework can give me some directions which of those (or something else entirely) would be the correct approach.

@schnapster schnapster added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jul 5, 2020
jgrandja commented Jul 9, 2020

Thanks for the report @napstr.

The default AuthenticationFailureHandler for oauth2Login() is SimpleUrlAuthenticationFailureHandler, which saves the OAuth2AuthenticationException to HttpSession when there is a failure. The fix would be to add a new class called OAuth2AuthenticationExceptionMixin and register it in OAuth2ClientJackson2Module. Would you be interested in submitting a PR for this?

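As an added illustration of the approach described in the comment above (this is not the project's own code, nor the exact fix that was merged for this issue): a pair of Jackson mixins for OAuth2AuthenticationException and its nested OAuth2Error, plus a stand-alone SimpleModule that registers them and a round-trip through an ObjectMapper. It assumes Spring Security's existing mixin conventions (class-name type id, direct field access, Throwable internals ignored); the module name OAuth2ExceptionMixinModule and the demo class MixinRoundTrip are my own names.

```java
import com.fasterxml.jackson.annotation.JsonAutoDetect;
import com.fasterxml.jackson.annotation.JsonAutoDetect.Visibility;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.module.SimpleModule;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;

// Mixin for the exception: embed the class name as the type id (what the allowlist check keys on),
// read private fields directly, and never round-trip the Throwable internals listed below.
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = Visibility.ANY, getterVisibility = Visibility.NONE, isGetterVisibility = Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true, value = {"cause", "stackTrace", "suppressedExceptions"})
abstract class OAuth2AuthenticationExceptionMixin {
    @JsonCreator
    OAuth2AuthenticationExceptionMixin(@JsonProperty("error") OAuth2Error error,
                                       @JsonProperty("detailMessage") String message) { }
}

// Mixin for the nested OAuth2Error value; errorCode, description and uri are its fields.
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = Visibility.ANY, getterVisibility = Visibility.NONE, isGetterVisibility = Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
abstract class OAuth2ErrorMixin {
    @JsonCreator
    OAuth2ErrorMixin(@JsonProperty("errorCode") String errorCode,
                     @JsonProperty("description") String description, @JsonProperty("uri") String uri) { }
}

// Assumed stand-in for the registration that would live in OAuth2ClientJackson2Module.
class OAuth2ExceptionMixinModule extends SimpleModule {
    @Override
    public void setupModule(SetupContext context) {
        context.setMixInAnnotations(OAuth2AuthenticationException.class, OAuth2AuthenticationExceptionMixin.class);
        context.setMixInAnnotations(OAuth2Error.class, OAuth2ErrorMixin.class);
    }
}

public class MixinRoundTrip {
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = new ObjectMapper().registerModule(new OAuth2ExceptionMixinModule());
        OAuth2AuthenticationException original = new OAuth2AuthenticationException(
                new OAuth2Error("invalid_grant", "constructed sample: code already used", null), "login failed");
        String json = mapper.writeValueAsString(original);
        OAuth2AuthenticationException restored = mapper.readValue(json, OAuth2AuthenticationException.class);
        System.out.println(restored.getError().getErrorCode() + " / " + restored.getMessage());
    }
}
```

Inside Spring Security the module would additionally call SecurityJackson2Modules.enableDefaultTyping on the mapper so the allowlist validator is active; the stand-alone demo relies on the explicit @JsonTypeInfo instead.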
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 9, 2020
@jgrandja jgrandja added this to the 5.4.0-RC1 milestone Jul 9, 2020
@jgrandja jgrandja changed the title from "The class org.springframework.security.oauth2.core.OAuth2AuthenticationException is not whitelisted." to "OAuth2AuthenticationException should be whitelisted" Jul 9, 2020
schnapster (author) commented

@jgrandja Thanks, I'd love to give it a shot over the weekend.

jgrandja commented

Thanks for taking this on @napstr. Let me know if you have any questions.

@jgrandja jgrandja assigned schnapster and unassigned jgrandja Jul 16, 2020
schnapster added a commit to schnapster/spring-security that referenced this issue Jul 16, 2020
Add mixins for
- OAuth2AuthenticationException
- OAuth2Error

Closes spring-projectsgh-8797
@jgrandja jgrandja changed the title from "OAuth2AuthenticationException should be whitelisted" to "OAuth2AuthenticationException should be in allowlist" Jul 21, 2020
@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.3.x labels Jul 21, 2020
jgrandja pushed a commit that referenced this issue Jul 21, 2020
Add mixins for
- OAuth2AuthenticationException
- OAuth2Error

Closes gh-8797