In my current spring-boot project, I am trying to sign in the user using an external OAuth2 server. The problem right now is that when I execute the application, after the authorization is successful, the user should be redirected back to the application. When this happens, I get an error.

My application.properties file:

spring.security.oauth2.client.registration.mercadolivre.provider=mercadolivre
spring.security.oauth2.client.registration.mercadolivre.client-id=...
spring.security.oauth2.client.registration.mercadolivre.client-secret=...
spring.security.oauth2.client.registration.mercadolivre.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.mercadolivre.redirect-uri=http://localhost:8080/
spring.security.oauth2.client.provider.mercadolivre.authorization-uri=https://auth.mercadolivre.com.br/authorization
spring.security.oauth2.client.provider.mercadolivre.token-uri=https://api.mercadolibre.com/oauth/token

My security configuration class:

@Configuration
public class Security extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .oauth2Login();
    }
}

The error I am facing right now:

What is the problem here?

Update

I tried adding this line to my application.properties file:

spring.security.oauth2.client.registration.mercadolivre.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}

and now I am getting this error:

with the browser developer console open:

Kleber Mota

1 Answer

Change the redirect-uri to something else... It's better if you use a template string like the one the reference uses:

spring.security.oauth2.client.registration.mercadolivre.redirect-uri={baseUrl}/login/oauth2/code/{registrationId}

That's the URI that will process the authorization code the authorization server sends back. If you want the user to be redirected to some page after successful authentication, do something like this in configure():

http.
    ...
    .oauth2Login()
        .defaultSuccessUrl("/");
NatFar
  • Do I need to map this `redirect-uri` in my controller and do some processing with the data received? – Kleber Mota Apr 04 '20 at 00:56
  • Nope! Spring Security does that for you automatically in OAuth2LoginAuthenticationFilter – NatFar Apr 04 '20 at 02:23
  • Ok, I've tried that, but now I am getting this error: `[invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: 406 Not Acceptable: [Media is not supported]`. – Kleber Mota Apr 04 '20 at 14:38
  • Are you sure you have the correct token uri? The endpoint you provided isn't sending back a response with an "application/json" media type – NatFar Apr 04 '20 at 15:24
  • I use exactly the URLs shown here: https://developers.mercadolivre.com.br/en_us/authentication-and-authorization#Server-side – Kleber Mota Apr 04 '20 at 15:50
  • I think the problem is that Spring makes the POST for the authentication code with FORM parameters, whereas mercadolibre expects no body, only query parameters – NatFar Apr 04 '20 at 17:06
  • Is it possible to change this Spring behavior? – Kleber Mota Apr 04 '20 at 17:39
  • It's hidden deep in the Spring Security oauth classes... The class you're interested in is OAuth2AuthorizationCodeGrantRequestEntityConverter, which is in OAuth2AccessTokenResponseHttpMessageConverter, which is in DefaultAuthorizationCodeTokenResponseClient, which is in OAuth2AuthorizationCodeAuthenticationProvider, which is in OAuth2LoginAuthenticationProvider. I suggest you ask that as a new question. – NatFar Apr 05 '20 at 03:21
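
The token request customization raised in the comments, as an added example that is not part of the original answer or of Spring Security's own code: it replaces the request converter on `DefaultAuthorizationCodeTokenResponseClient` so the authorization-code exchange is sent as query parameters with an empty body. It assumes Spring Security 5.x with `WebSecurityConfigurerAdapter` as in the question, and that the provider really does require query parameters, which is the commenter's unverified hypothesis; the method name `queryParameterTokenRequest` is hypothetical.

```java
import java.net.URI;
import java.util.Collections;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationExchange;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.web.util.UriComponentsBuilder;

@Configuration
public class Security extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        DefaultAuthorizationCodeTokenResponseClient tokenClient =
                new DefaultAuthorizationCodeTokenResponseClient();
        // Swap the default form-encoded body for the query-string request built below.
        tokenClient.setRequestEntityConverter(Security::queryParameterTokenRequest);

        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .defaultSuccessUrl("/")
                .tokenEndpoint().accessTokenResponseClient(tokenClient);
    }

    // Hypothetical helper: POST to the token-uri with every parameter in the query string.
    static RequestEntity<?> queryParameterTokenRequest(OAuth2AuthorizationCodeGrantRequest request) {
        ClientRegistration client = request.getClientRegistration();
        OAuth2AuthorizationExchange exchange = request.getAuthorizationExchange();
        URI uri = UriComponentsBuilder.fromUriString(client.getProviderDetails().getTokenUri())
                .queryParam(OAuth2ParameterNames.GRANT_TYPE, request.getGrantType().getValue())
                .queryParam(OAuth2ParameterNames.CLIENT_ID, client.getClientId())
                .queryParam(OAuth2ParameterNames.CLIENT_SECRET, client.getClientSecret())
                .queryParam(OAuth2ParameterNames.CODE, exchange.getAuthorizationResponse().getCode())
                .queryParam(OAuth2ParameterNames.REDIRECT_URI, exchange.getAuthorizationRequest().getRedirectUri())
                .build().encode().toUri();
        HttpHeaders headers = new HttpHeaders();
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        return new RequestEntity<>(headers, HttpMethod.POST, uri);
    }
}
```

Query strings are commonly written to proxy and access logs, so this form exposes `client_secret` and the authorization code more widely than a form body does; use it only when the provider accepts nothing else.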