
oauth2Login() generates authorization links for "client_credentials" grant type #9457


Closed
denisw opened this issue Feb 15, 2021 · 2 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: backported An issue that has been backported to maintenance branches type: bug A general bug

Comments

@denisw
Contributor

denisw commented Feb 15, 2021

Describe the bug

In Spring Security WebFlux, OAuth2LoginSpec#getLinks populates the returned map with authorization links for all registered client registrations, even for those using the "client_credentials" grant type meant for server-to-server authentication. This has the following consequences:

This means that if you have two client registrations, A with grant type authorization_code and B with client_credentials, the authorization entry point created by Spring Security WebFlux redirects to the default login page (/login) rather than directly to the authorization flow of A (/oauth2/authorization/A). Even worse, that login page will show an authorization link for registration B even though it is not possible for a user to log in through the client_credentials OAuth2 flow. In fact, following this link yields a 500 error as DefaultServerOAuth2AuthorizationRequestResolver (sensibly) does not support client_credentials.

To Reproduce

  1. Create a Spring Boot application with WebFlux and Spring Security
  2. Define two client registrations within spring.security.oauth2.client.registration in application.yml:
    • a with authorization-grant-type: authorization_code
    • b with authorization-grant-type: client_credentials
  3. Configure a ServerHttpSecurity bean protecting some path with oauth2Login()
  4. Start the application
  5. Navigate to the protected path

Expected behavior

I get redirected to /oauth2/authorization/a and then to the OAuth2 provider's login page.
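As an added illustration (not code from this issue or from Spring Security itself), the filtering a fix along these lines needs: build the login-page link map from the registered clients but keep only redirect-based authorization_code registrations, so a client_credentials registration is never offered as a login link. It assumes Spring Security 5.x and Reactor on the classpath; the two registrations and the provider URLs are constructed to mirror the report.

```java
import java.util.Map;

import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

public class LoginLinksExample {

    // Default base path of the authorization request redirect filter (assumed constant, not Spring's field).
    private static final String AUTHORIZATION_BASE_URI = "/oauth2/authorization/";

    // Builds the "link -> client name" map for the login page, keeping only
    // authorization_code registrations. Added example, not OAuth2LoginSpec#getLinks itself.
    static Mono<Map<String, String>> loginLinks(Iterable<ClientRegistration> registrations) {
        return Flux.fromIterable(registrations)
                .filter(reg -> AuthorizationGrantType.AUTHORIZATION_CODE.equals(reg.getAuthorizationGrantType()))
                .collectMap(reg -> AUTHORIZATION_BASE_URI + reg.getRegistrationId(),
                        ClientRegistration::getClientName);
    }

    public static void main(String[] args) {
        // Constructed registrations mirroring the report: "a" is interactive, "b" is server-to-server.
        ClientRegistration a = ClientRegistration.withRegistrationId("a")
                .clientId("a-client")
                .clientSecret("a-secret")
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .authorizationUri("https://provider.example/oauth2/authorize")
                .tokenUri("https://provider.example/oauth2/token")
                .clientName("Provider A")
                .build();
        ClientRegistration b = ClientRegistration.withRegistrationId("b")
                .clientId("b-client")
                .clientSecret("b-secret")
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .tokenUri("https://provider.example/oauth2/token")
                .build();
        InMemoryReactiveClientRegistrationRepository repository =
                new InMemoryReactiveClientRegistrationRepository(a, b);

        // Only "/oauth2/authorization/a" -> "Provider A" survives; "b" produces no link.
        Map<String, String> links = loginLinks(repository).block();
        links.forEach((href, name) -> System.out.println(name + " -> " + href));
    }
}
```

Because the filter runs on the registration's grant type rather than on the link path, a registration that is later switched to client_credentials disappears from the page without any further configuration.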

@denisw denisw added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Feb 15, 2021
@jgrandja
Contributor

Thanks for the report @denisw.

The one thing to keep in mind is that the default login page is meant to be used for development / testing only. Production applications will supply their own custom login page.

Having said that, I agree that only authorization_code-configured ClientRegistrations should be displayed.

Would you be interested in submitting a PR for this fix?

@jgrandja jgrandja removed the status: waiting-for-triage An issue we've not yet triaged label Feb 22, 2021
@jgrandja jgrandja added this to the 5.5.0-M3 milestone Feb 22, 2021
@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Feb 22, 2021
@denisw
Contributor Author

denisw commented Feb 23, 2021

Thank you for the reply, @jgrandja! I'll have a go at creating a pull request. 🙂

@jgrandja jgrandja assigned denisw and unassigned jgrandja Mar 8, 2021
@eleftherias eleftherias modified the milestones: 5.5.0-M3, 5.5.0-RC1 Mar 15, 2021
@jgrandja jgrandja modified the milestones: 5.5.0-RC1, 5.5.0 Apr 9, 2021
@jgrandja jgrandja changed the title Spring Security WebFlux generates authorization links for OAuth2 client registrations with "client_credentials" grant type oauth2Login() generates authorization links for "client_credentials" grant type Apr 14, 2021
@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches and removed for: backport-to-5.4.x labels Apr 14, 2021
jgrandja pushed a commit that referenced this issue Apr 14, 2021
This prevents the generated login page from showing links for
authorization grant types like "client_credentials" which are
not redirect-based, and thus not meant for interactive use in
the browser.

Closes gh-9457
@jzheaux jzheaux modified the milestones: 5.5.0, 5.5.0-RC2 Apr 27, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
This prevents the generated login page from showing links for
authorization grant types like "client_credentials" which are
not redirect-based, and thus not meant for interactive use in
the browser.

Closes spring-projectsgh-9457