jgrandja/spring-security-oauth-5-2-migrate

using new oauth2.0 client, redirect URL is not being masked from oauth security - is again redirected to oauth server

theheapdump opened this issue · 3 comments

//////////////////////////////////////////////

SecurityConfig.java

/**
 * @author Joe Grandja
 */
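    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        // @formatter:off
        /**
         * Removes {@code /authorize/**} from the security filter chain altogether.
         *
         * NOTE(review): {@code web.ignoring()} means no Spring Security filter runs for
         * the matched requests, so the {@code permitAll()} rule for {@code /authorize}
         * below never applies to them and the OAuth2 client filters (which process the
         * registered redirect-uri) are presumably skipped as well; {@code permitAll()}
         * on its own keeps the chain in place. Confirm the ignore is intended.
         */
        @Override
        public void configure(WebSecurity web) {
            web.ignoring().antMatchers("/authorize/**");
        }
        // @formatter:on

        // @formatter:off
        /**
         * Authorization rules plus OAuth2 client support.
         *
         * No {@code anyRequest()} rule is declared, so paths not listed here get no
         * authorization decision at all, and no login mechanism is configured
         * ({@code oauth2Client()} only, no {@code oauth2Login()}).
         *
         * @param http the builder for this filter chain
         * @throws Exception propagated from the {@link HttpSecurity} builder
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/index.html", "/sign-in-widget-config").permitAll()
                    // The GET-only matcher that follows is already covered by this one.
                    .antMatchers("/authorize").permitAll()
                    .antMatchers(HttpMethod.GET, "/authorize").permitAll()
                    .and()
                .oauth2Client();
        }
        // @formatter:on

        // @formatter:off
        /**
         * Single in-memory user for the demo.
         *
         * {@code withDefaultPasswordEncoder()} is documented by Spring Security as
         * acceptable for samples only, and the credential is a source literal —
         * not a production user store.
         *
         * @return an in-memory {@link UserDetailsService} holding {@code user1}
         */
        @Bean
        public UserDetailsService users() {
            UserDetails user = User.withDefaultPasswordEncoder()
                    .username("user1")
                    .password("password")
                    .roles("USER")
                    .build();
            return new InMemoryUserDetailsManager(user);
        }
        // @formatter:on
    }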

////////////////// application.yml ////////////////////

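# NOTE(review): Spring Boot binds client registrations under
# spring.security.oauth2.client.registration.<id>.* — if `security:` really is the
# root key here (no `spring:` above it), this registration is not bound; confirm.
security:
  oauth2:
    client:
      registration:
        ping-federate:
          provider: ***********
          client-id: im_oic_client
          client-name: ***********
          # The literal secret pasted in the original report is public now: rotate it at the
          # provider and inject it from the environment (variable name chosen here) instead
          # of committing it with the configuration.
          client-secret: ${PING_FEDERATE_CLIENT_SECRET}
          # NOTE(review): the implicit grant hands the token to the browser in the URL
          # fragment, never to the server, and does not use a client secret; a server-side
          # WebClient presumably cannot obtain an authorized client for this registration —
          # check that this grant type is intended.
          authorization-grant-type: implicit
          redirect-uri: http://127.0.0.1:8080/authorize
          scope: email,phone,profile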

//////////////////////////////////////

///////////////////////////// authorization controller ////////////////////////////////////

/*
 * Copyright 2012-2019 the original author or authors.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.reactive.function.client.WebClient;

/**
 * @author Joe Grandja
 */
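    @Controller
    public class AuthorizationController {

        @Value("${messages.base-uri}")
        private String messagesBaseUri;

        @Autowired
        private WebClient webClient;

        /**
         * Handler for {@code /authorize}, which is also the {@code redirect-uri} registered
         * in the pasted application.yml; fetches messages through the OAuth2-aware
         * {@link WebClient} and renders them on {@code index}.
         *
         * NOTE(review): the registration id requested here
         * ({@code messaging-client-auth-code}) does not match the only registration in
         * the pasted application.yml ({@code ping-federate}) — confirm which one is live.
         * NOTE(review): with an implicit-grant registration the token reaches the browser
         * (URL fragment) and not the server, so the WebClient filter presumably finds no
         * authorized client and answers with a redirect to {@code /oauth2/authorization/...}
         * each time, which matches the pasted access log — verify against the grant type.
         *
         * @param model receives the {@code messages} attribute
         * @return the {@code index} view name
         */
        @GetMapping(value = "/authorize")
        public String authorization_code_grant(Model model) {
            System.out.println("I AM HERE"); // diagnostic left in by the reporter
            String[] messages = retrieveMessages("messaging-client-auth-code");
            Arrays.asList(messages).forEach(System.out::println);
            model.addAttribute("messages", messages);
            return "index";
        }

    // @GetMapping("/authorized") // registered redirect_uri for authorization_code
    // public String authorized(Model model) {
    // String[] messages = retrieveMessages("messaging-client-auth-code");
    // model.addAttribute("messages", messages);
    // return "index";
    // }
    //
    // @GetMapping(value = "/authorize", params = "grant_type=client_credentials")
    // public String client_credentials_grant(Model model) {
    // String[] messages = retrieveMessages("messaging-client-client-creds");
    // model.addAttribute("messages", messages);
    // return "index";
    // }
    //
    // @PostMapping(value = "/authorize", params = "grant_type=password")
    // public String password_grant(Model model) {
    // String[] messages = retrieveMessages("messaging-client-password");
    // model.addAttribute("messages", messages);
    // return "index";
    // }

        /**
         * Calls {@code messages.base-uri} using the authorized client for the given
         * registration id and blocks for the response body.
         *
         * @param clientRegistrationId the registration whose authorized client is attached
         *        to the request
         * @return the messages, or an empty array when the response body is empty
         *         ({@code block()} yields {@code null} for an empty {@code Mono})
         */
        private String[] retrieveMessages(String clientRegistrationId) {
            String[] messages = this.webClient.get()
                    .uri(this.messagesBaseUri)
                    .attributes(clientRegistrationId(clientRegistrationId))
                    .retrieve()
                    .bodyToMono(String[].class)
                    .block();
            // Callers iterate the result; never hand them a null array.
            return messages == null ? new String[0] : messages;
        }

    }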

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

access logs

first redirections ------>

127.0.0.1 - - [24/Apr/2020:15:59:26 +0530] "GET /oauth2/authorization/ping-federate HTTP/1.1" 302 -

------------ THIS IS ACCESS LOG OF REDIRECTION -------------------
127.0.0.1 - - [24/Apr/2020:15:59:52 +0530] "GET /authorize HTTP/1.1" 302 -
127.0.0.1 - - [24/Apr/2020:15:59:52 +0530] "GET /oauth2/authorization/ping-federate HTTP/1.1" 302 -

please let me know if you need any other info from my project !!

@anmoldeep0123 It's not clear to me what issue you are having. Pasting code this way doesn't really help. Please provide a minimal sample with details on the issue.