
I recently upgraded the project to SpringBoot 2.6.6 from 2.1.3.RELEASE (which in turn upgraded Spring Security from 5.1.4-RELEASE to 5.6.2). In my project, I have the authorization-code flow and it uses the redirect-uri for both the code and token requests to the IDM. And I noticed that the redirect-uri used in the token request is different from the one initially used for the authorization code request. The only difference is that it replaced https with http.

The token request was failing with an HTTP 400 error because of the mismatch in the redirect URI. It is working fine with the old version of Spring Boot/Security.

Also, as part of the migration to SpringBoot 2.6.6, we are forced to use the property spring.security.oauth2.client.registration.foo.redirect-uri instead of spring.security.oauth2.client.registration.foo.redirect-uri-template since it's deprecated.

I've configured the redirect-uri property as below:

spring.security.oauth2.client.registration.foo.redirect-uri={baseUrl}/login/oauth2/code/foo

but if I change the value to https://{baseHost}{basePort}{basePath}/login/oauth2/code/foo it's able to get the token and there are no issues in the login process.

Any idea why it's changing the scheme to http for the token request that exchanges the authorization code? Is there any way to set it to https other than specifying the baseScheme?

EDIT: Provider configuration

foo.base.url=https://fooauth.acme.com

spring.security.oauth2.client.provider.foo.authorization-uri=${foo.base.url}/v1/oauth/authorize
spring.security.oauth2.client.provider.foo.token-uri=${foo.base.url}/v1/oauth/token
spring.security.oauth2.client.provider.foo.user-info-uri=${foo.base.url}/v1/users/info
spring.security.oauth2.client.provider.foo.user-name-attribute=userName
spring.security.oauth2.client.provider.foo.logout-uri=${foo.base.url}/v1/oauth/logout?post_logout_redirect_uri=
Master Po
  • As far as I remember, it takes baseScheme value from the actual request (see org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver#expandRedirectUri). Could you please share the provider part of the oauth configuration in application.properties? – Andrey Grigoriev May 31 '22 at 09:23
  • @AndreyGrigoriev I just added the provider config to the question. It was working fine with the old version; are you aware of any changes that came in Spring Security releases for this? – Master Po May 31 '22 at 09:35
  • No, I'm not. But these are the commits that are related to redirectUri resolution: https://github.com/spring-projects/spring-security/commit/7cfb17a8a39dbdd0819b64c2b95f10ac85d184af https://github.com/spring-projects/spring-security/commit/23ce7173803ed50a458b6de4e75bfe7bdb51bc2e https://github.com/spring-projects/spring-security/commit/0ed919f072d36e83a541482f7d3a34cfe68aff90 – Andrey Grigoriev May 31 '22 at 09:55

1 Answer

Finally I was able to resolve this by following this Spring Security issue. The same is described in this answer.

I added the bean as below:

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.core.Ordered;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Bean
FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
    final FilterRegistrationBean<ForwardedHeaderFilter> filterRegistrationBean = new FilterRegistrationBean<>();
    // ForwardedHeaderFilter rewrites the request's scheme/host/port from the
    // X-Forwarded-* / Forwarded headers set by the reverse proxy, so {baseUrl}
    // expands to https://... instead of the proxy-to-app http://... URL.
    filterRegistrationBean.setFilter(new ForwardedHeaderFilter());
    // Run before the security filter chain so the resolver sees the rewritten request.
    filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);

    return filterRegistrationBean;
}

Now I don't even need to split the {baseUrl} into finer variables.

Master Po
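To make the cause concrete, here is an added example (not code from the question, the answer, or Spring Security itself) that models how the redirect-uri template variables {baseUrl}, {baseScheme}, {baseHost}, {basePort} and {basePath} are filled from the incoming request, once ignoring proxy headers and once honouring X-Forwarded-* the way ForwardedHeaderFilter does. The Request class, the header names and the sample values are constructed for the illustration.

```python
from dataclasses import dataclass, field

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class Request:
    """Constructed stand-in for the servlet request as the app sees it."""
    scheme: str
    host: str
    port: int
    context_path: str = ""
    headers: dict = field(default_factory=dict)


def effective_origin(req: Request, honor_forwarded: bool):
    """Scheme/host/port to use for URL building.

    With honor_forwarded=True the X-Forwarded-* headers override what the
    socket saw, which is what happens after ForwardedHeaderFilter rewrites
    the request. Only do this when a trusted proxy sets those headers,
    because a client can otherwise inject them.
    """
    scheme, host, port = req.scheme, req.host, req.port
    if honor_forwarded:
        scheme = req.headers.get("X-Forwarded-Proto", scheme)
        host = req.headers.get("X-Forwarded-Host", host)
        port = int(req.headers.get("X-Forwarded-Port", port))
    return scheme, host, port


def expand_redirect_uri(template: str, req: Request, registration_id: str,
                        honor_forwarded: bool = False) -> str:
    """Fill the template variables the way Spring's resolver does (modelled).

    basePort carries its leading colon and is empty for the scheme's default
    port, which is why "https://{baseHost}{basePort}{basePath}/..." works as
    a manual override in the question.
    """
    scheme, host, port = effective_origin(req, honor_forwarded)
    base_port = "" if port == DEFAULT_PORTS.get(scheme) else f":{port}"
    base_url = f"{scheme}://{host}{base_port}{req.context_path}"
    variables = {"baseUrl": base_url, "baseScheme": scheme, "baseHost": host,
                 "basePort": base_port, "basePath": req.context_path,
                 "registrationId": registration_id}
    out = template
    for name, value in variables.items():
        out = out.replace("{" + name + "}", value)
    return out
```

With a TLS-terminating proxy forwarding to the app over plain HTTP, the first call yields an http:// redirect URI (the mismatch from the question) and the second yields the https:// one the IDM expects.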