The Auth Server generates a Failed Initialization of the InMemoryReactiveClientRegistrationRepository on the oauth2-client side when combined with Reverse Proxy. Wrong issuer
The bug
As many of the people that decided to use this library, I started by following the Baeldung tutorial https://www.baeldung.com/spring-cloud-gateway-bff-oauth2.
Initial Setup 3 modules:
- Spring Gateway
- Spring Oauth2 Authorization Server
- Spring Oauth2 Resource
Current Setup:
- Spring Gateway with Spring addons dependency
- Spring Oauth2 Authorization Server
- Spring Oauth2 Resource
- Nginx Reverse Proxy in a docker container
From here everything was working fine, then I added an nginx reverse proxy. The issue happens when the /auth/.well-known/oauth-authorization-server endpoint gets accessed via the reverse proxy. The issuer is equal to http://localhost instead of this pattern: {scheme}://{reverse-proxy-uri}/auth. I assume there is some kind of issuer validation. Before adding the reverse proxy the gateway was accessing the auth server directly, resulting in the issuer value matching on both sides.
Code sample
The Nginx config:
```nginx
events {
    worker_connections 1024;
}
http {
    map $external_ip $external_ip {
        default "$EXTERNAL_IP";
    }
    server {
        listen 80;
        # Route for any path that starts with /auth (e.g., /auth, /auth/login, /auth/*)
        location /auth/ {
            rewrite ^/auth(/.*)$ $1 break;
            proxy_pass http://host.docker.internal:8484;
            proxy_set_header Host $host:${external_ip}/auth;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        location = /auth {
            rewrite ^/auth$ / break;
            proxy_pass http://host.docker.internal:8484;
        }
        location ~ ^((/bff(/.*)?)|(/login(/.*)?)|(/oauth2(/.*)?)|(/logout)|(/login-options))$ {
            proxy_pass http://host.docker.internal:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```
The Gateway configuration:
```yaml
gateway-port: 8080
server:
  port: ${gateway-port}
client-id: authorization-code-client
client-secret:
client-name: gateway-code-consent-flow
scheme: http
hostname: localhost
reverse-proxy-port: 7080
reverse-proxy-uri: ${scheme}://${hostname}:${reverse-proxy-port}
auth-server-prefix: /auth
issuer-uri: ${reverse-proxy-uri}${auth-server-prefix}
spring:
  application:
    name: ms_gateway
  security:
    oauth2:
      client:
        registration:
          spring:
            client-id: ${client-id}
            client-secret: ${client-secret}
            client-name: ${client-name}
            provider: spring
            scope:
              - openid
              - profile
              - user.read
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            client-authentication-method: "client_secret_basic"
            authorization-grant-type: authorization_code
        provider:
          spring:
            issuer-uri: ${issuer-uri}
com:
  c4-soft:
    springaddons:
      oidc:
        ops:
          - iss: ${issuer-uri}
            authorities:
              - path: ${authorities-json-path}
            aud: ${audience}
        client:
          client-uri: ${reverse-proxy-uri}${gateway-prefix}
          security-matchers: ${client-security-matchers}
          permit-all: ${client-permit-all}
          csrf: cookie-accessible-from-js
          oauth2-redirections:
            rp-initiated-logout: ACCEPTED
        resourceserver:
          permit-all: ${resource-server-permit-all}
```
What would make the authorization server return http://localhost as the issuer field value instead of the full proxy URI?
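The failure described in the post comes from two things meeting: an authorization server that derives its `issuer` from the request it receives (scheme, Host header and any forwarded prefix) when no issuer is configured, and an OAuth2 client that, when built from `issuer-uri`, refuses a discovery document whose `issuer` does not match the configured value. The Python model below is an added example, not code from the issue or from Spring; it assumes the server applies the `X-Forwarded-Proto`, `X-Forwarded-Host`, `X-Forwarded-Port` and `X-Forwarded-Prefix` headers over the upstream connection's own values, omits default ports, and that the client compares the issuer strings exactly. The two header sets are constructed: the first stands in for what the posted nginx config leaves the upstream with (a bare `localhost` Host header and no forwarded prefix, consistent with the `http://localhost` the poster reports), the second for what a prefix-aware proxy would forward.

```python
# Model of issuer derivation behind a reverse proxy and the client-side issuer
# check that fails when proxy and configuration disagree.  Added example; the
# header sets below are constructed, not captured from the poster's setup.

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed effect of the posted nginx config: upstream sees Host "localhost"
# (nginx's $host carries no port) and no X-Forwarded-Host / X-Forwarded-Prefix.
POSTED_CONFIG_HEADERS = {
    "Host": "localhost",
    "X-Forwarded-Proto": "http",
}

# Assumed headers from a proxy that forwards the public authority and the
# /auth prefix it strips before passing the request upstream.
FIXED_CONFIG_HEADERS = {
    "Host": "localhost:7080",
    "X-Forwarded-Proto": "http",
    "X-Forwarded-Host": "localhost:7080",
    "X-Forwarded-Prefix": "/auth",
}


def derive_issuer(headers, upstream_scheme="http"):
    """Build the issuer from the request a forwarded-header-aware server sees.

    X-Forwarded-* headers take precedence over the upstream connection's scheme
    and Host header; a default port is omitted, any other port is kept, and a
    forwarded prefix is appended without a trailing slash.
    """
    scheme = headers.get("X-Forwarded-Proto", upstream_scheme).lower()
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    hostname, _, port_in_host = host.partition(":")
    port = int(headers.get("X-Forwarded-Port") or port_in_host or DEFAULT_PORTS[scheme])
    prefix = headers.get("X-Forwarded-Prefix", "").rstrip("/")
    authority = hostname if port == DEFAULT_PORTS[scheme] else f"{hostname}:{port}"
    return f"{scheme}://{authority}{prefix}"


def build_metadata(headers):
    """Minimal /.well-known/oauth-authorization-server document for a request."""
    issuer = derive_issuer(headers)
    return {
        "issuer": issuer,
        "authorization_endpoint": f"{issuer}/oauth2/authorize",
        "token_endpoint": f"{issuer}/oauth2/token",
        "jwks_uri": f"{issuer}/oauth2/jwks",
    }


def check_issuer(configured_issuer_uri, metadata):
    """Client-side consistency check done when a registration is built from
    issuer-uri: the discovered `issuer` must equal the configured value exactly.
    Raises ValueError on mismatch (the registration repository then fails to
    initialise); returns the metadata on success."""
    found = metadata.get("issuer")
    if found != configured_issuer_uri:
        raise ValueError(
            f"The Issuer {found!r} provided in the configuration metadata did not "
            f"match the requested issuer {configured_issuer_uri!r}"
        )
    return metadata


def try_register(configured_issuer_uri, headers):
    """Return (ok, message) for one proxy header set so scenarios can be compared."""
    try:
        check_issuer(configured_issuer_uri, build_metadata(headers))
        return True, "client registration initialised"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The gateway's issuer-uri from the posted YAML: ${reverse-proxy-uri}${auth-server-prefix}
    issuer_uri = "http://localhost:7080/auth"
    for name, hdrs in (("posted config", POSTED_CONFIG_HEADERS),
                       ("prefix-aware config", FIXED_CONFIG_HEADERS)):
        ok, msg = try_register(issuer_uri, hdrs)
        print(f"{name:20} issuer={derive_issuer(hdrs):30} ok={ok} {msg}")
```

The practical takeaway is that the check compares strings, so the proxy has to make the server see the same authority and prefix the client was configured with: forward the client-facing Host (nginx's `$http_host` keeps the port, `$host` does not) together with an `X-Forwarded-Prefix` of `/auth`, and make sure the server actually honours forwarded headers (in Spring Boot that is the `server.forward-headers-strategy` property). Setting the issuer explicitly on the authorization server side removes the dependency on request headers altogether.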
Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.
@rodrigosomoza This appears to be an environment related misconfiguration with nginx and Spring Authorization Server instead of a bug. I'm going to close this but please refer to my comment above.
Also, as an FYI, you might want to look at the latest SPA sample that was added in 1.4.