Open frjtrifork opened 5 years ago
I tried your workaround and it worked. Here's the configuration, for completeness:
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.endpoint.NimbusAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

@EnableWebSecurity(debug = true)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .tokenEndpoint()
                    // Workaround: replace the default token response client with the Nimbus one
                    .accessTokenResponseClient(accessTokenResponseClient())
                    .and()
                .userInfoEndpoint()
                    .oidcUserService(oidcUserService);
    }

    @Bean
    OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
        // Deprecated in Spring Security 5.1, but it reports the token endpoint's error body
        return new NimbusAuthorizationCodeTokenResponseClient();
    }
}
That didn't resolve the root cause, though. It runs now, as I reconfigured my application registration - somehow. I unfortunately don't recall what the change was to make it work. But anyway, there should not be an exception.
@frjtrifork: did you solve it for you in the meantime, too? Did you report this issue over at Spring Security?
@berndgoetz I tried to use it in the way that you had mentioned, but it did not work!
Does anyone have a solution for this? I'm facing the same 401 INVALID_RESPONSE_TOKEN :/
I followed the instructions, but once I run the application for the first time in a fresh browser window I am redirected to the login on https://login.microsoftonline.com; after authentication I get into a redirect loop.
This exception is thrown for each redirection:
If I add a breakpoint in ObjectMapper.java:3084 and execute

    com.microsoft.applicationinsights.core.dependencies.apachecommons.io.IOUtils.toString(new InputStreamReader(src))

I can see that the reason for the ObjectMapper error is that it is not the expected response, but an error that is returned from Azure:

    {
      "error": "invalid_request",
      "error_description": "AADSTS900144: The request body must contain the following parameter: 'client_id'.\r\nTrace ID: b213ff3a-e431-49de-9922-31361ad50e00\r\nCorrelation ID: a15eac5e-b75b-4d82-a7ff-47398e37583f\r\nTimestamp: 2018-12-12 08:28:11Z",
      "error_codes": [900144],
      "timestamp": "2018-12-12 08:28:11Z",
      "trace_id": "b213ff3a-e431-49de-9922-31361ad50e00",
      "correlation_id": "a15eac5e-b75b-4d82-a7ff-47398e37583f"
    }
At the very least I would suggest that you handle the error and log it / show it.
The culprit of the error is that org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient#getTokenResponse does this:
The exception thrown when objectmapper fails to map to an OAuth2AccessTokenResponse is not a RestClientException - so the OAuth2AuthorizationException is not thrown.
If I change from DefaultAuthorizationCodeTokenResponseClient to the deprecated NimbusAuthorizationCodeTokenResponseClient, I get the actual error message from the endpoint instead of a Jackson START_ARRAY error.

I realize that this code is part of the Spring framework, but since you are providing a sample it would be nice if the sample worked, or at least told you the error instead of hiding it as it currently does.
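Added example, not code from this thread, from the sample, or from Spring Security: a hypothetical token response client that reads the token endpoint body as plain JSON before deciding what it is, so the Azure AD error document quoted above (with its non-string "error_codes" array) is turned into an OAuth2AuthorizationException carrying the server's error_description rather than a Jackson START_ARRAY failure. It would be plugged in where the configuration earlier in the thread registers the Nimbus client (.tokenEndpoint().accessTokenResponseClient(...)). Assumptions: Spring Security 5.1-era APIs with Jackson 2 on the classpath, client_secret_post authentication (client_id and client_secret in the form body, which is also the parameter the AADSTS900144 message asks for), and the class and method names ErrorSurfacingTokenResponseClient and parse, which are made up for this example.

```java
import java.io.IOException;
import java.net.URI;
import java.util.*;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.ResponseErrorHandler;
import org.springframework.web.client.RestTemplate;

// Hypothetical replacement for DefaultAuthorizationCodeTokenResponseClient (not Spring's code): the body is
// read as a generic JSON object first, so an error document is reported instead of failing deserialization.
public class ErrorSurfacingTokenResponseClient
        implements OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> {

    private static final TypeReference<Map<String, Object>> JSON_OBJECT =
            new TypeReference<Map<String, Object>>() {};
    private final RestTemplate rest = new RestTemplate();
    private final ObjectMapper mapper = new ObjectMapper();

    public ErrorSurfacingTokenResponseClient() {
        // Let 4xx/5xx bodies through as data instead of HttpClientErrorException; we parse them ourselves.
        rest.setErrorHandler(new ResponseErrorHandler() {
            @Override public boolean hasError(ClientHttpResponse response) { return false; }
            @Override public void handleError(ClientHttpResponse response) { }
        });
    }

    @Override
    public OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizationCodeGrantRequest grant) {
        ClientRegistration reg = grant.getClientRegistration();
        // Assumption: client_secret_post style. client_id in the body is what AADSTS900144 asks for.
        MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
        form.add(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.AUTHORIZATION_CODE.getValue());
        form.add(OAuth2ParameterNames.CODE, grant.getAuthorizationExchange().getAuthorizationResponse().getCode());
        form.add(OAuth2ParameterNames.REDIRECT_URI, grant.getAuthorizationExchange().getAuthorizationRequest().getRedirectUri());
        form.add(OAuth2ParameterNames.CLIENT_ID, reg.getClientId());
        form.add(OAuth2ParameterNames.CLIENT_SECRET, reg.getClientSecret());
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON));
        URI tokenUri = URI.create(reg.getProviderDetails().getTokenUri());
        ResponseEntity<String> response =
                rest.exchange(new RequestEntity<>(form, headers, HttpMethod.POST, tokenUri), String.class);
        return parse(response.getStatusCodeValue(), response.getBody(),
                grant.getAuthorizationExchange().getAuthorizationRequest().getScopes());
    }

    // Kept separate from the HTTP call so both the success and the error path can be exercised with canned bodies.
    OAuth2AccessTokenResponse parse(int status, String rawBody, Set<String> requestedScopes) {
        Map<String, Object> body;
        try {
            body = mapper.readValue(rawBody == null ? "{}" : rawBody, JSON_OBJECT);
        } catch (IOException ex) {
            throw new OAuth2AuthorizationException(new OAuth2Error("invalid_token_response",
                    "non-JSON body from token endpoint (HTTP " + status + ")", null), ex);
        }
        // Error path. String.valueOf() tolerates non-string members such as Azure's "error_codes":[900144].
        if (status >= 400 || body.containsKey(OAuth2ParameterNames.ERROR)) {
            String code = String.valueOf(body.getOrDefault(OAuth2ParameterNames.ERROR, "server_error"));
            String description = String.valueOf(body.getOrDefault(OAuth2ParameterNames.ERROR_DESCRIPTION,
                    "HTTP " + status + " from token endpoint"));
            throw new OAuth2AuthorizationException(new OAuth2Error(code, description, null));
        }
        Object token = body.get(OAuth2ParameterNames.ACCESS_TOKEN);
        if (token == null) {
            throw new OAuth2AuthorizationException(new OAuth2Error("invalid_token_response", "no access_token in response", null));
        }
        // expires_in may arrive as a number or as a string depending on the provider; String.valueOf() covers both.
        Object expires = body.get(OAuth2ParameterNames.EXPIRES_IN);
        Object scope = body.get(OAuth2ParameterNames.SCOPE);
        Set<String> scopes = scope == null ? requestedScopes
                : new LinkedHashSet<>(Arrays.asList(String.valueOf(scope).split("\\s+")));
        // Everything else (notably id_token, which the OIDC login provider reads from here) stays as extra parameters.
        Map<String, Object> additional = new LinkedHashMap<>(body);
        additional.keySet().removeAll(Arrays.asList(OAuth2ParameterNames.ACCESS_TOKEN, OAuth2ParameterNames.TOKEN_TYPE,
                OAuth2ParameterNames.EXPIRES_IN, OAuth2ParameterNames.REFRESH_TOKEN, OAuth2ParameterNames.SCOPE));
        OAuth2AccessTokenResponse.Builder builder = OAuth2AccessTokenResponse.withToken(String.valueOf(token))
                .tokenType(OAuth2AccessToken.TokenType.BEARER)
                .expiresIn(expires == null ? 0 : Long.parseLong(String.valueOf(expires)))
                .scopes(scopes).additionalParameters(additional);
        if (body.get(OAuth2ParameterNames.REFRESH_TOKEN) != null) {
            builder.refreshToken(String.valueOf(body.get(OAuth2ParameterNames.REFRESH_TOKEN)));
        }
        return builder.build();
    }
}
```

Because every failure is raised as OAuth2AuthorizationException, the login filter's failure handler sees the provider's own error code and description (for the body quoted above: invalid_request / AADSTS900144 ...) instead of an unrelated deserialization exception, and the redirect loop becomes a visible login failure. The parse method takes the HTTP status and raw body so you can feed it the captured Azure error document directly in a unit test.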