
Is it possible to disable the redirect to oauth2/authorization/{registrationId} in the OAuth2 client flow? I have the following properties for the OAuth2 flow in Spring Cloud Gateway, but nowhere did I specify the URL oauth2/authorization/{registrationId}:

  security:
    oauth2:
      client:
        registration:
          smart_hub_client:
            provider: wso2is
            client-id: someid
            client-secret: somesecret
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/redirect_uri"
            scope: sso,openid
        provider:
          wso2is:
            authorization-uri: https://authserver/oauth2/authorize?loginPage=login.jsp
            token-uri: https://authserver.com/oauth2/token
            user-info-uri: https://authserver/oauth2/userinfo
            user-name-attribute: sub
            jwk-set-uri: https://authserver.com/oauth2/jwks


The Request URL from the screenshot is: https://myscgapp/oauth2/authorization/smart_hub_client

UPDATE: I have updated the config above to my example. The main problem is that I have a redirect loop. Maybe disabling https://myscgapp/oauth2/authorization/smart_hub_client can help? Or is the root cause something else?

I have the following redirect loop (see screenshot).

ColdDeath

1 Answer


The OAuth2AuthorizationRequestRedirectFilter uses an OAuth2AuthorizationRequestResolver to initiate the Authorization Code grant flow by redirecting the end-user’s user-agent to the Authorization Server’s authorization endpoint.
The default implementation DefaultOAuth2AuthorizationRequestResolver matches on the (default) path /oauth2/authorization/{registrationId}.

You can customize this by providing a custom ServerOAuth2AuthorizationRequestResolver.

In the example below, the resolver will match on the path /auth/custom/sso/{registrationId} instead of /oauth2/authorization/{registrationId}.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;

@EnableWebFluxSecurity
public class SecurityConfig {

    @Autowired
    private ReactiveClientRegistrationRepository clientRegistrationRepository;

    @Bean
    SecurityWebFilterChain configure(ServerHttpSecurity http) {
        http
            .authorizeExchange(exchanges ->
                exchanges
                    .anyExchange().authenticated()
            )
            .oauth2Login(oauth2Login ->
                oauth2Login
                    // Replace the default resolver so the flow is started from
                    // /auth/custom/sso/{registrationId} instead of
                    // /oauth2/authorization/{registrationId}
                    .authorizationRequestResolver(getAuthorizationRequestResolver()));
        return http.build();
    }

    private ServerOAuth2AuthorizationRequestResolver getAuthorizationRequestResolver() {
        // The path pattern must keep the {registrationId} variable: the resolver
        // reads it from the matched path to look up the ClientRegistration
        return new DefaultServerOAuth2AuthorizationRequestResolver(
                this.clientRegistrationRepository,
                new PathPatternParserServerWebExchangeMatcher(
                        "/auth/custom/sso/{registrationId}"));
    }
}
  • Thanks for your answer! According to my screenshot I have 3 auth requests: FIRST: smart_hub_client - points to my SCG app itself, https://myscgapp/oauth2/authorization/smart_hub_client; SECOND: the request for the auth code, https://authserver/oauth2/authorize?loginPage=login.jsp&response_type=code&client_id=......; and THIRD, the request to exchange the auth code for a token: https://myscgapp/redirect_uri?code=92ee9c80-33e2-38f6-95ba-4d2d414ea9f2..... THE QUESTION: Why do we need the first request, https://myscgapp/oauth2/authorization/smart_hub_client, if we already have the request for the auth code in the second request? – ColdDeath Dec 04 '20 at 12:43
  • The main problem is that I have a redirect loop. And I think the problem is in myscgapp/oauth2/authorization/smart_hub_client. Maybe I'm wrong. – ColdDeath Dec 04 '20 at 12:54
  • The request to "/oauth2/authorization/smart_hub_client" is what initiates the Authorization Request and ultimately starts the Authorization Code grant flow. – Eleftheria Stein-Kousathana Dec 04 '20 at 14:03
  • The request to "/oauth2/authorization/smart_hub_client" is likely not what is causing the redirect loop. I will take a look at your updated question and share some suggestions. – Eleftheria Stein-Kousathana Dec 04 '20 at 14:04
  • @ColdDeath it seems you have not set the redirect_uri correctly. Try setting it to "{baseUrl}/login/oauth2/code/wso2is". See the redirect URI section in the Spring Security reference docs https://docs.spring.io/spring-security/site/docs/current/reference/html5/#webflux-oauth2-login-sample-redirect – Eleftheria Stein-Kousathana Dec 04 '20 at 14:13
  • Eleftheria Stein-Kousathana, thank you for keeping in touch and helping to solve my problem. It's very important for me. I have tried your variant - it doesn't work, because my auth server awaits "{baseUrl}/redirect_uri". I got a different error - invalid callback. Have you any ideas? How to solve it? – ColdDeath Dec 04 '20 at 16:18
  • @EleftheriaStein-Kousathana, could you help me, how to change the default pattern for {baseUrl}/login/oauth2/code/wso2is? – Irina Dec 04 '20 at 17:40
  • @EleftheriaStein-Kousathana wso2is depends on the provider name in application.yaml, but is the other part hardcoded somewhere? – ColdDeath Dec 04 '20 at 17:46
  • I think it's a bug. I have described how to check this behaviour: https://github.com/spring-projects/spring-security/issues/9261 @EleftheriaStein-Kousathana, please take a look. – ColdDeath Dec 04 '20 at 20:05
  • @ColdDeath You can configure the redirect URI in the client. See this [SO question](https://stackoverflow.com/a/64677357/11430047) for how to do it. – Eleftheria Stein-Kousathana Dec 07 '20 at 08:21
  • @EleftheriaStein-Kousathana I have tried. It doesn't work. According to the rating of the SO answer, it was not helpful. – ColdDeath Dec 07 '20 at 19:47
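The thread touches two different paths that are easy to confuse: the path that starts the flow (matched by the authorization request resolver, default /oauth2/authorization/{registrationId}) and the path on which the authorization server sends the browser back with ?code=... (matched by the login filter, default /login/oauth2/code/{registrationId}). The answer shows how to change the first; the comments ask how to change the second so that it agrees with a redirect-uri of {baseUrl}/redirect_uri, which the authorization server insists on. The configuration below is an added example, not code from the question, the answer or the Spring project, and it assumes the registration and redirect-uri from the question's application.yaml; the class and method names are illustrative. It changes both ends in one place so the outbound redirect_uri parameter and the inbound callback matcher cannot drift apart. Whether it resolves the loop in the asker's environment is left open by the thread.

```java
// Added example (not from the original question or answer). Assumes the
// application.yaml from the question: registration "smart_hub_client" with
// redirect-uri "{baseUrl}/redirect_uri". Everything else here is illustrative.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.DefaultServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizationRequestResolver;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;

@Configuration
@EnableWebFluxSecurity
public class CustomRedirectSecurityConfig {

    // Path part of the redirect-uri property ("{baseUrl}/redirect_uri" -> "/redirect_uri").
    // Keep these two in sync: the value in application.yaml is what is sent to the
    // authorization server, the value here is what the gateway will accept back.
    private static final String CALLBACK_PATH = "/redirect_uri";

    // Where the gateway starts the flow; replaces /oauth2/authorization/{registrationId}.
    // The {registrationId} variable is required, the resolver reads it from the path.
    private static final String START_PATTERN = "/auth/custom/sso/{registrationId}";

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
            ReactiveClientRegistrationRepository clientRegistrationRepository) {

        ServerWebExchangeMatcher callbackMatcher =
                new PathPatternParserServerWebExchangeMatcher(CALLBACK_PATH);

        http
            .authorizeExchange(exchanges -> exchanges
                .anyExchange().authenticated())
            .oauth2Login(oauth2Login -> oauth2Login
                // Outbound leg: builds the /authorize redirect, including redirect_uri.
                .authorizationRequestResolver(
                        authorizationRequestResolver(clientRegistrationRepository))
                // Inbound leg: which request carries ?code=... back. Without this the
                // filter only recognises /login/oauth2/code/{registrationId}; a callback
                // arriving on /redirect_uri is then just an unauthenticated request and
                // falls through to the rule above, which redirects to the start path again.
                .authenticationMatcher(callbackMatcher));

        return http.build();
    }

    private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver(
            ReactiveClientRegistrationRepository clientRegistrationRepository) {
        return new DefaultServerOAuth2AuthorizationRequestResolver(
                clientRegistrationRepository,
                new PathPatternParserServerWebExchangeMatcher(START_PATTERN));
    }
}
```

The callback matcher does not need a {registrationId} variable: the login filter recovers the registration from the OAuth2AuthorizationRequest it saved in the web session when the flow started, and that saved request is also where the state parameter is checked against the one echoed back in the callback. For that reason a callback that arrives on a path the filter does not match is not a harmless no-op; it is silently treated as an ordinary request, which is exactly the symptom of a loop between /redirect_uri and the start path, and it is worth checking the gateway's request log for that pair before changing anything on the authorization server side.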