Using Spring Security 5 oauth I successfully ran through the whole authentication/authorization cycle using Google as OAuth provider, but I am stuck if I use an OAuth provider that I made myself, running on a different application.
I'm using the following 2 dependencies:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
Using Google, I just configured this:
spring.security.oauth2.client.registration.google.client-id=xxx
spring.security.oauth2.client.registration.google.client-secret=xxx
When using Google (or Facebook, Github or Okta), there is a default configuration that takes care of other settings.
Now I created my own OAuth provider. This is also a Spring Boot application configured with @EnableAuthorizationServer
and otherwise fairly standard, though it has custom principals. This is also running on localhost but port 8081. The configuration in the resource server is as such:
spring.security.oauth2.client.registration.bx.client-id=xxx
spring.security.oauth2.client.registration.bx.client-secret=xxx
spring.security.oauth2.client.registration.bx.client-name=bx
spring.security.oauth2.client.registration.bx.provider=bx
spring.security.oauth2.client.registration.bx.scope=user
spring.security.oauth2.client.registration.bx.redirect-uri-template=http://localhost:8080/login/oauth2/code/bx
spring.security.oauth2.client.registration.bx.client-authentication-method=basic
spring.security.oauth2.client.registration.bx.authorization-grant-type=authorization_code
spring.security.oauth2.client.provider.bx.authorization-uri=http://localhost:8081/oauth/authorize
spring.security.oauth2.client.provider.bx.token-uri=http://localhost:8081/oauth/token
spring.security.oauth2.client.provider.bx.user-info-uri=http://localhost:8081/oauth/userInfo
spring.security.oauth2.client.provider.bx.user-name-attribute=name
When trying to use this to log in I am properly redirected to the OAuth provider, where I can log in and allow access to the requested scope using the default generated interface:
After hitting authorize, I get stuck on the callback part. I can see a callback to
http://localhost:8080/login/oauth2/code/bx?code=xxx&state=xxx
coming back from the oauth server and this results in a default HTML page in Spring being shown with the information:
Your login attempt was not successful, try again.
Reason: [authorization_request_not_found]
Login with OAuth 2.0
bx
The log in the resource server is quite long, but I extracted the helpful part:
19:20:07.985 [http-nio-8080-exec-9] DEBUG o.a.coyote.http11.Http11InputBuffer - Received [GET /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3463.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://localhost:8081/oauth/authorize?response_type=code&client_id=brain&scope=user&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D&redirect_uri=http://localhost:8080/login/oauth2/code/bx
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: JSESSIONID=4DE280E17D7ED7969E9AF2434E8292E9
]
19:20:07.986 [http-nio-8080-exec-9] DEBUG o.a.t.u.http.Rfc6265CookieProcessor - Cookies: Parsing b[]: JSESSIONID=4DE280E17D7ED7969E9AF2434E8292E9
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.a.catalina.connector.CoyoteAdapter - Requested cookie session id is 4DE280E17D7ED7969E9AF2434E8292E9
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.a.c.a.AuthenticatorBase - Security checking request GET /login/oauth2/code/bx
19:20:07.987 [http-nio-8080-exec-9] DEBUG org.apache.catalina.realm.RealmBase - No applicable constraints defined
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.a.c.a.AuthenticatorBase - Not subject to any constraint
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.b.w.s.f.OrderedRequestContextFilter - Bound request context to thread: org.apache.catalina.connector.RequestFacade@15328743
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No HttpSession currently exists
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
19:20:07.987 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 4 of 14 in additional filter chain; firing Filter: 'CorsFilter'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', GET]
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login/oauth2/code/bx'; against '/logout'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', POST]
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /login/oauth2/code/bx' doesn't match 'POST /logout
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', PUT]
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /login/oauth2/code/bx' doesn't match 'PUT /logout
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - Trying to match using Ant [pattern='/logout', DELETE]
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Request 'GET /login/oauth2/code/bx' doesn't match 'DELETE /logout
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.matcher.OrRequestMatcher - No matches found
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 6 of 14 in additional filter chain; firing Filter: 'OAuth2AuthorizationRequestRedirectFilter'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login/oauth2/code/bx'; against '/oauth2/authorization/{registrationId}'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.security.web.FilterChainProxy - /login/oauth2/code/bx?code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D at position 7 of 14 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.w.u.m.AntPathRequestMatcher - Checking match of request : '/login/oauth2/code/bx'; against '/login/oauth2/code/*'
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.s.s.o.c.w.OAuth2LoginAuthenticationFilter - Request is to process authentication
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.apache.tomcat.util.http.Parameters - Set encoding to UTF-8
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.apache.tomcat.util.http.Parameters - Decoding query null UTF-8
19:20:07.989 [http-nio-8080-exec-9] DEBUG o.apache.tomcat.util.http.Parameters - Start processing with input [code=7NVdAE&state=LnjR4J2NO8W26whMWU1GKm03pAaesgrtSPpiuElcJS0%3D]
19:20:07.991 [http-nio-8080-exec-9] DEBUG o.s.s.o.c.w.OAuth2LoginAuthenticationFilter - Authentication request failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_not_found]
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_not_found]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:145)
... and some more stack trace that doesn't seem relevant
When looking at the source code of where the exception is being thrown, from https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2LoginAuthenticationFilter.java it is showing the following code starting at line 145:
OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestRepository.removeAuthorizationRequest(request);
if (authorizationRequest == null) {
OAuth2Error oauth2Error = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
What does this message mean exactly? How could I have gotten in this state?
Or am I supposed to add a handler myself for the callback url and write custom code to obtain the actual access token? Surely the library should be handling this? Why is this case handled automatically for Google as OAuth provider?
I'm happy to provide any code/further configuration.
These error means , that authorization request doesn't found. authorization request
is stored in session, so some how session is not getting stored. by default session is managed by cookie
.
So I think that might be because you are running everything on localhost, so first cookie is set by localhost:8080
to store the authorization request session data, & when you login to localhost:8081
it'll set another cookie for it's session.
I have the same issue like you. After I researched this problem i found the answer on https://github.com/spring-projects/spring-security/issues/5946 . The only thing you need is config you hosts file. Here is my config. I'm using Windows:
*127.0.0.1 localhost auth-server*
May be it's helpful. I'm using Google translate to write the answer.
I was able to fix this by forcing a session to be created on the endpoint that redirects to the oauth2 jose flow. Spring's default session creation policy is "if required". My theory was that it was redirecting to the openId flows without first creating a session.
http.authorizeRequests()
.mvcMatchers("/<yourProvider>/login")
.authenticated()
.anyRequest()
.permitAll()
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
.and()
...
If anyone has any better ideas or solutions please comment or post.
Our client is configured to go to the /yourProvider/login in order to authorize.
I got the same error but the problem was not session but wrongly configured "user-attribute-name".
Analysis steps
Everything began to work.
如果您在 Kubernetes 上运行或在负载均衡器后面运行并且忘记激活“粘性会话”以便您的请求最终在不同的主机上,您也会收到此消息。
I had the same error but not in a local context but with a real network context. The problem was that the application server nginx had the rule SameSite=Strict; This broke the redirection process of the oauth authorization code flow. This is well explained here even if, in this case, this is not the spring security library which is involved.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.