
For the last few days, for some users, there are multiple (thousands of) OAuth2 callback calls after the first OAuth auth request. There is no user activity, only the first request into the app, which redirects the user to the Google account login/auth page with the callback URL, and then only a never-ending flood of GET OAuth callback requests like this:

/application/page
/application/auth (scribe auth servlet, redirects user to accounts.google.com)
/application/authcallback
/application/authcallback
/application/authcallback
/application/authcallback
...

My workflow is as follows:

  1. a filter detects whether there is a logged-in user in the session; if not, it redirects to the auth servlet
  2. the auth servlet uses the scribe OAuth service to construct the authorization URL and redirects the user to authenticate against Google (accounts.google.com) and follow the callback to
  3. the auth callback servlet verifies the access token and logs the user in

The problem is that the first 2 steps happen only once (that is OK), but afterwards there is an endless flood of valid callback requests originating somewhere else / from something else, and every request happens to share the same session.

AuthServlet

import java.math.BigInteger;
import java.security.SecureRandom;
import javax.servlet.http.HttpSession;
import org.scribe.builder.ServiceBuilder;
import org.scribe.oauth.OAuthService;

// Google2Api is a custom scribe DefaultApi20 implementation for Google, not part of scribe itself
ServiceBuilder builder = new ServiceBuilder();
OAuthService service = builder.provider(Google2Api.class)
    .apiKey(CLIENT_ID)
    .apiSecret(CLIENT_SECRET)
    .callback(OAUTH_CALLBACK_URL)
    .scope("https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile")
    .build();

// keep the service in the session so the callback servlet can exchange the code
HttpSession sess = req.getSession();
sess.setAttribute(OAUTH_SERVICE_SESS_KEY, service);

// random anti-CSRF state, stored in the session so the callback can verify it
String state = new BigInteger(130, new SecureRandom()).toString(32);
sess.setAttribute(OAUTH_STATE, state);

// plain concatenation: assumes Google2Api's authorization URL template ends with "&state="
String authUrl = service.getAuthorizationUrl(null) + state;

resp.sendRedirect(authUrl);

CallbackServlet

import javax.servlet.http.HttpSession;
import org.scribe.model.Token;
import org.scribe.model.Verifier;
import org.scribe.oauth.OAuthService;

HttpSession sess = req.getSession();
OAuthService service = (OAuthService) sess.getAttribute(ScribeAuthServlet.OAUTH_SERVICE_SESS_KEY);
String code = req.getParameter("code");
// exchange the authorization code for an access token (Google's response also carries the id_token)
Token token = service.getAccessToken(null, new Verifier(code));

// id_token & state check
// (the parsing of the id_token into the idToken map and the comparison of the "state"
//  parameter against the session-stored value are elided in the question)

String user = idToken.get("email");

sess.setAttribute("loggedUser", user);
resp.sendRedirect(APP_HOMEPAGE);

I am unable to find out what may cause the problem, as it involves only 1 in 1000 users; could it be caused by some extension, browser config, network policy, ...?

Any ideas?

user3686724
  • those /authcallback GET requests differ in the `code` parameter – user3686724 Feb 11 '22 at 10:08
  • please include [example] – Linda Lawton - DaImTo Feb 11 '22 at 11:38
  • as this affects roughly 1 in 1000 users interacting with our app, I can hardly provide a `reproducible` example @DaImTo – user3686724 Feb 11 '22 at 11:42
  • Welcome to stack, please read [ask]. If we can't see what you are doing, how can we help? – Linda Lawton - DaImTo Feb 11 '22 at 11:49
  • I thought it was obvious from the OAuth flow "log" provided before. Anyway, question edited @DaImTo – user3686724 Feb 11 '22 at 12:04
  • again, hard to help without seeing your code. I did see something like this once with ASP.NET Core: the cookies were not setting properly, so the system didn't detect it had been authorized, so it just kept going around and around requesting access. You're going to have to debug into it to figure out what part of the authorization isn't being detected and is failing. – Linda Lawton - DaImTo Feb 11 '22 at 12:06
  • auth + callback servlet code added to the question; all these requests are within the same session (id) @DaImTo – user3686724 Feb 11 '22 at 12:15
  • there is some evolution: besides these flood auth requests, there has been one user's visit which does not cycle these auth/callback requests, but fetches (= many GET requests to the app) every URL-like pattern in the page (so every a href, every ajax URL, everything which looks like a URL) – user3686724 Feb 16 '22 at 09:16
  • and it looks very similar to this https://stackoverflow.com/questions/59033709/why-is-chrome-flooding-my-site-with-get-requests?rq=1 @DaImTo – user3686724 Feb 16 '22 at 09:34
  • After I turned on rate-limiting, there is an interesting change: so far, without any limits, there was an endless count of these flood requests, as long as they were receiving some OK HTTP response (302 redirect), but after rate-limiting was put in place and returns HTTP 429 Too Many Requests, this flood immediately stops. So there are a few "flood" requests with HTTP 302, and after the first HTTP 429 the flood immediately terminates – user3686724 Feb 21 '22 at 08:19
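As an added example, not code from the question, a hardened callback servlet that makes the session-stored state single-use and short-circuits when the session already holds a logged-in user, so repeated callbacks in the same session (even ones carrying a fresh code) are refused with a 400 and logged rather than exchanged again. It assumes the same session keys as the question's servlets, the Google2Api template passing the state through as the `state` query parameter, and leaves the id_token verification the question elides as an abstract hook.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.scribe.model.Token;
import org.scribe.model.Verifier;
import org.scribe.oauth.OAuthService;

public abstract class HardenedCallbackServlet extends HttpServlet {
    // Session keys and homepage are assumed to match the question's servlets.
    static final String OAUTH_SERVICE_SESS_KEY = "oauthService";
    static final String OAUTH_STATE = "oauthState";
    static final String LOGGED_USER = "loggedUser";
    static final String APP_HOMEPAGE = "/application/page";
    // Hook for the id_token verification the question elides (signature, issuer,
    // audience, then the "email" claim); implement it with your JWT library.
    protected abstract String verifiedEmail(Token token) throws ServletException;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        HttpSession sess = req.getSession(false);
        if (sess == null) { // no flow was started in this browser session
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "no auth in progress");
            return;
        }
        if (sess.getAttribute(LOGGED_USER) != null) { // already logged in: never exchange again
            resp.sendRedirect(APP_HOMEPAGE);
            return;
        }
        String expected = (String) sess.getAttribute(OAUTH_STATE);
        OAuthService service = (OAuthService) sess.getAttribute(OAUTH_SERVICE_SESS_KEY);
        // Consume the state before checking it: every callback, valid or not, uses it up,
        // so a second callback in the same session is refused and must restart via /auth.
        sess.removeAttribute(OAUTH_STATE);
        String code = req.getParameter("code");
        if (expected == null || service == null || code == null
                || !expected.equals(req.getParameter("state"))) {
            log("rejected callback: session=" + sess.getId() + " from=" + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid or reused state");
            return;
        }
        Token token = service.getAccessToken(null, new Verifier(code));
        sess.removeAttribute(OAUTH_SERVICE_SESS_KEY); // one exchange per flow
        sess.setAttribute(LOGGED_USER, verifiedEmail(token));
        resp.sendRedirect(APP_HOMEPAGE);
    }
}
```

Answering the repeats with a 4xx instead of another 302 also matches what the rate-limiting comment above observed: the loop only continued while every callback got a redirect back.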

0 Answers