using new oauth2.0 client, redirect URL is not being masked from oauth security - is agin redirected to oauth server

theheapdump commented 4 years ago

//////////////////////////////////////////////

SecurityConfig.java

/**

@author Joe Grandja */ @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter {

// @formatter:off @Override public void configure(WebSecurity web) { web.ignoring().antMatchers("/authorize/**");

} // @formatter:on

// @formatter:off @Override protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests().antMatchers("/", "/index.html", "/sign-in-widget-config").permitAll() .antMatchers("/authorize").permitAll().antMatchers(HttpMethod.GET, "/authorize").permitAll().and() .oauth2Client(); } // @formatter:on

// @formatter:off @Bean public UserDetailsService users() { UserDetails user = User.withDefaultPasswordEncoder().username("user1").password("password").roles("USER") .build(); return new InMemoryUserDetailsManager(user); } // @formatter:on }

////////////////// application.yml ////////////////////

security: oauth2: client: registration: ping-federate: provider: client-id: im_oic_client client-name: client-secret: 37dH9j3f8yhYnOE53ak1z1UxMnfU0h7BT7qI556wpe0Jajz7WGQRQEq4DD2F5coz authorization-grant-type: implicit redirect-uri: http://127.0.0.1:8080/authorize scope: email,phone,profile

//////////////////////////////////////

///////////////////////////// authorization controller ////////////////////////////////////

/*

Copyright 2012-2019 the original author or authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License. */

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; import org.springframework.stereotype.Controller; import org.springframework.ui.Model; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.reactive.function.client.WebClient;

/**

@author Joe Grandja */ @Controller public class AuthorizationController {

@Value("${messages.base-uri}") private String messagesBaseUri;

@Autowired private WebClient webClient;

@GetMapping(value = "/authorize") public String authorization_code_grant(Model model) { System.out.println("I AM HERE"); String[] messages = retrieveMessages("messaging-client-auth-code"); Arrays.asList(messages).forEach(p -> System.out.println(p)); model.addAttribute("messages", messages); return "index"; }

// @GetMapping("/authorized") // registered redirect_uri for authorization_code // public String authorized(Model model) { // String[] messages = retrieveMessages("messaging-client-auth-code"); // model.addAttribute("messages", messages); // return "index"; // } // // @GetMapping(value = "/authorize", params = "grant_type=client_credentials") // public String client_credentials_grant(Model model) { // String[] messages = retrieveMessages("messaging-client-client-creds"); // model.addAttribute("messages", messages); // return "index"; // } // // @PostMapping(value = "/authorize", params = "grant_type=password") // public String password_grant(Model model) { // String[] messages = retrieveMessages("messaging-client-password"); // model.addAttribute("messages", messages); // return "index"; // }

private String[] retrieveMessages(String clientRegistrationId) {
    return this.webClient.get().uri(this.messagesBaseUri).attributes(clientRegistrationId(clientRegistrationId))
            .retrieve().bodyToMono(String[].class).block();
}

}

////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

theheapdump commented 4 years ago

access logs

first redirections ------>

127.0.0.1 - - [24/Apr/2020:15:59:26 +0530] "GET /oauth2/authorization/ping-federate HTTP/1.1" 302 -

------------ THIS IS ACCESS LOG OF REDIRECTION ------------------- 127.0.0.1 - - [24/Apr/2020:15:59:52 +0530] "GET /authorize HTTP/1.1" 302 - 127.0.0.1 - - [24/Apr/2020:15:59:52 +0530] "GET /oauth2/authorization/ping-federate HTTP/1.1" 302 -

theheapdump commented 4 years ago

please let me know if you need any other info from my project !!

jgrandja commented 4 years ago

@anmoldeep0123 It's not clear to me the issue you are having? Pasting code this way doesn't really help. Please provide a minimal sample with details on the issue.

jgrandja / spring-security-oauth-5-2-migrate

using new oauth2.0 client, redirect URL is not being masked from oauth security - is agin redirected to oauth server #6