
I want to authenticate users with an external OAuth provider in my reactive Spring Boot application.

Following the official tutorial, I successfully implemented the flow with the pre-configured providers (Google, GitHub, etc.). Configuring a provider that is not pre-configured can be done using these properties, e.g.:

spring.security.oauth2.client.registration.<providerName>.client-id=<clientId>
spring.security.oauth2.client.registration.<providerName>.client-secret=<clientSecret>
spring.security.oauth2.client.registration.<providerName>.redirect-uri={baseUrl}/login/oauth2/code/<providerName>
spring.security.oauth2.client.registration.<providerName>.provider=<providerName>
spring.security.oauth2.client.registration.<providerName>.client-authentication-method=basic
spring.security.oauth2.client.registration.<providerName>.authorization-grant-type=authorization_code

spring.security.oauth2.client.provider.<providerName>.authorization-uri=https://api.<providerName>.com/authorize
spring.security.oauth2.client.provider.<providerName>.token-uri=https://api.<providerName>.com/token

With this setup, the login page is shown to the user, and the specified redirect URL is called with the authCode:

[screenshot: redirect URL called]

However, this error page is returned, with no log entry or exception in the console (even when I set the logging.level.org.springframework.security=DEBUG property).

[screenshot: invalid credentials error]

What could be the issue? Where can I even start debugging this?


2 Answers


AuthenticationWebFilter.authenticate is the place to debug this. In my case the user-info-uri attribute was missing.

Rather than committing my OAuth 2.0 client secret to source control I just deleted the config line, committed, and went to bed. Completely forgot, only to find things completely broken in the morning :) The hint about the missing config attribute is what got me back on track, actually. – Max Mar 14 '22 at 15:24

The problem you are seeing probably comes from the fact that the session cookie is set to 'strict' or 'none' and http is being used. The session is used to correlate the "state" attribute being passed back in the login request from the oauth2 provider.

If you have localhost development over http then set the session cookie (JSESSIONID) to lax. That will cause cookies to be sent with login/oauth2/code/ and the authorization will complete successfully. The easiest thing to try is just to set this in your Spring Boot app:

server.servlet.session.cookie.same-site=lax
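A complete registration for a provider that is not pre-configured, including the user-info-uri that the accepted answer found missing and the cookie setting from the second answer, as an added example that is not from the question or either answer; the provider name "acme", the host api.acme.example and the user-name attribute "id" are assumptions, and the values in angle brackets are placeholders:

```properties
# Added example, not from the page. Provider name "acme" and all URLs are assumed.
# Java .properties files only accept comments on their own lines, so none are placed after values.
spring.security.oauth2.client.registration.acme.client-id=<clientId>
spring.security.oauth2.client.registration.acme.client-secret=<clientSecret>
spring.security.oauth2.client.registration.acme.redirect-uri={baseUrl}/login/oauth2/code/acme
spring.security.oauth2.client.registration.acme.provider=acme
spring.security.oauth2.client.registration.acme.client-authentication-method=basic
spring.security.oauth2.client.registration.acme.authorization-grant-type=authorization_code
# Scope names are provider-specific; "profile" is a placeholder.
spring.security.oauth2.client.registration.acme.scope=profile

spring.security.oauth2.client.provider.acme.authorization-uri=https://api.acme.example/authorize
spring.security.oauth2.client.provider.acme.token-uri=https://api.acme.example/token
# The two lines the question's configuration lacks. Without user-info-uri, Spring Security's
# DefaultOAuth2UserService rejects the login with error code missing_user_info_uri after the
# code exchange; without user-name-attribute it fails with missing_user_name_attribute.
# Both surface as a redirect to the login error page rather than a stack trace, which matches
# the symptom in the question. Which JSON field names the user is provider-specific ("id" assumed).
spring.security.oauth2.client.provider.acme.user-info-uri=https://api.acme.example/userinfo
spring.security.oauth2.client.provider.acme.user-name-attribute=id

# From the second answer, for a servlet-stack application developed over plain http on localhost:
# a Lax SameSite cookie lets the JSESSIONID accompany the redirect back to /login/oauth2/code/acme
# so the "state" parameter can be matched against the session. Keep the default (or Strict) behind
# https in production; Lax is a local-development setting. Reactive (WebFlux) apps use the
# reactive session properties instead; that form is not covered here.
server.servlet.session.cookie.same-site=lax
```

A quick way to confirm which of the two failures you hit is to set a breakpoint in AuthenticationWebFilter.authenticate, as the accepted answer suggests, and inspect the OAuth2AuthenticationException's error code.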