5

I am trying to get Spring Security OAuth2 set up on my application in Google App Engine. Everything seems to work fine locally, but when I deploy to App Engine things start to break down. After I authenticate through Google it forwards me to a Whitelabel error page. In the console I see this error:

http://my-application.appspot.com/login?state=t…m&session_state=8b67f5df659a8324430803973b9e1726e39fd454..1ae3&prompt=none 
401 (Unauthorized)

I setup my auth with this application.yml file:

security:
  oauth2:
    client:
      clientId: client-key
      clientSecret: secret-key
      accessTokenUri: https://www.googleapis.com/oauth2/v4/token
      userAuthorizationUri: https://accounts.google.com/o/oauth2/v2/auth
      clientAuthenticationScheme: form
      scope:
        - openid
        - email
        - profile
        - https://www.googleapis.com/auth/cloud-platform
    resource:
      userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
      preferTokenInfo: true

My security config looks something like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Enclosing class and imports supplied so the snippet compiles; the class name is a placeholder.
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF token kept in a non-HttpOnly cookie so browser-side JavaScript can read it and echo it back in a header
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
                .authorizeRequests()
                .antMatchers("/static/**").permitAll()          // static assets need no login
                .antMatchers("/**").hasAuthority("ROLE_ADMIN")  // everything else requires ROLE_ADMIN
                .anyRequest().authenticated()
            .and()
                .exceptionHandling()
                .accessDeniedPage("/403");                       // shown when an authenticated user lacks ROLE_ADMIN
    }
}

I have configured the OAuth client ID on the Google credentials page to allow the authorized JavaScript origins to be:

http://my-application.appspot.com
https://my-application.appspot.com
http://localhost:8080

And the authorized redirect URIs to:

http://my-application.appspot.com/login
https://my-application.appspot.com/login
http://localhost:8080/login

Any ideas why I might be getting unauthorized errors once I deploy to GAE?

Thanks,

Craig

craigtb
  • Are you sure that the user you are trying to authenticate with has the "ROLE_ADMIN" authority? – Juan Carlos Mendoza Jul 27 '17 at 02:59
  • Positive. I have tried stripping that out and leaving it with just oauth authentication on all pages and it still gives the same error. – craigtb Jul 27 '17 at 12:36
  • If possible, can you share a minimal, reproducible sample project on GitHub? – Kyle Anderson Jul 30 '17 at 17:07
  • I was able to resolve this. Turns out it had to do with the app.yaml file (which I unfortunately did not post here). The issue seems to be with spring security and running an application on multiple instances. It seemed like the security was not being passed between instances when it was trying to load js libraries and other resources. Have yet to research how to resolve this. – craigtb Jul 30 '17 at 23:05

1 Answer

2

Your problem is about authorization; maybe you missed a step in fully authorizing the application, such as moving your client_secret.json to your working directory.

https://developers.google.com/drive/v3/web/quickstart/java#step_1_turn_on_the_api_name

Step 1: Turn on the Drive API

  1. Use this wizard to create or select a project in the Google Developers Console and automatically turn on the API. Click Continue, then Go to credentials. On the Add credentials to your project page, click the Cancel button.
  2. At the top of the page, select the OAuth consent screen tab. Select an Email address, enter a Product name if not already set, and click the Save button. Select the Credentials tab, click the Create credentials button and select OAuth client ID.
  3. Select the application type Other, enter the name "Drive API Quickstart", and click the Create button.
  4. Click OK to dismiss the resulting dialog.
  5. Click the Download JSON button to the right of the client ID.
  6. Move this file to your working directory and rename it client_secret.json.

Helpful link: GCM http 401 authorization error

vaquar khan
  • This was resolved by only using one instance. It SEEMS the authentication isn't passing across servers. Haven't had a chance to look into that yet. – craigtb Aug 02 '17 at 19:06
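The asker's diagnosis (works on one instance, 401 on the /login callback with several) matches the authorization-code flow keeping its anti-CSRF `state` value in the HTTP session: when Google redirects back to an instance that never saw that session, the state check fails and the filter answers 401. As an added illustration that is not part of this thread, the configuration below backs the session with a database every instance can reach, so the lookup succeeds wherever the callback lands; it assumes Spring Session JDBC on the classpath, a Spring Boot-configured `DataSource`, and the Spring Session schema already created.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.jdbc.config.annotation.web.http.EnableJdbcHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

/**
 * Constructed example (not from the thread). Stores the servlet session in a shared
 * database instead of instance memory, so the OAuth2 "state" written before the redirect
 * to accounts.google.com is still present when /login?code=...&state=... arrives on
 * another App Engine instance. Assumes spring-session-jdbc and a reachable DataSource.
 */
@Configuration
@EnableJdbcHttpSession(maxInactiveIntervalInSeconds = 1800) // 30 min idle timeout
public class SharedSessionConfig {

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");
        // Send the session cookie over TLS only: pair this with the https redirect URI
        // and drop the plain-http one once it is no longer needed for testing.
        serializer.setUseSecureCookie(true);
        serializer.setUseHttpOnlyCookie(true);
        // Lax, not Strict: the callback from Google is a cross-site top-level GET and
        // must still carry the cookie, or the state lookup fails again with a 401.
        serializer.setSameSite("Lax");
        return serializer;
    }
}
```

Sticky sessions at the load balancer would mask the symptom, but a shared store also survives an instance being recycled mid-login.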