royclarkson / spring-rest-service-oauth

A simple OAuth protected REST service built with Spring Boot and Spring Security OAuth
Apache License 2.0

Question #27

Closed daddykotex closed 9 years ago

daddykotex commented 9 years ago

I'm using two sources as guides to build an OAuth2 Authorization Server and a Resource Server. Your tutorial is one of them, and the other one is this tutorial.

I'd like to use a simple /oauth/authorize page like in the tutorial. But when I hit that URL over GET, I'm redirected with a 302 to /login, and if I try over POST, I get an error regarding the CSRF token.

What am I doing wrong here?

mariubog commented 9 years ago

Hi. It would probably be helpful if you sent error messages, but my guess would be that your CSRF token error on the POST request comes from the authentication on the client side, before you even try to authorize with the OAuth authorization server. What happens if you disable the csrf() token in the web security configuration of your OAuth client? I mean precisely this paragraph: "Also, for the following to work, you will need to setup normal Spring Security and have a login page so that the end user can login with his credential at the oauth2 server so that he can approve the client for accessing the resource on his behalf. For example, as shown in the codes here."

daddykotex commented 9 years ago

Let's say I go to: http://localhost:8080/oauth/authorize?response_type=code&client_id=clientapp&redirect_url=http://client_host?key=value&scope=read

I get redirected to /login, which is not mapped, so I get this error:

Whitelabel Error Page

This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Jul 16 20:58:33 EDT 2015
There was an unexpected error (type=Not Found, status=404).
Not Found

If I use the POST, the first time I get a 403 error regarding the CSRF:

There was an unexpected error (type=Forbidden, status=403).
Expected CSRF token not found. Has your session expired?

Any subsequent time, I get this:

There was an unexpected error (type=Forbidden, status=403).
Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.

daddykotex commented 9 years ago

I'm wondering why the redirection in the first place. I noticed it only happens when a WebSecurity @Configuration is there (extending the WebSecurityConfigurerAdapter).

mariubog commented 9 years ago

Hi. You are redirected to login because that is basically how OAuth works. In order to be authenticated by the OAuth server you have to be authenticated on the client side first, in your case. How do you set up your web security configuration? Your error has nothing to do with OAuth. You are not reaching the OAuth server yet. Look at Roy's example and curl requests: he posts his username and password in curl, they are verified by web security, and after positive verification you reach the desired link on OAuth, which is oauth/authorize. I do not see your configuration, so it is hard to just guess, especially as you say you are mixing two approaches, but CSRF is not checked by the OAuth server, only by the client. And how do you form your POST request? Use curl, it is the best; I had problems with a lot of POST app clients.

daddykotex commented 9 years ago

Ok, I think I missed one of the core principles of the exchange. When you are redirected to /oauth/authorize, as a user, you must be logged in because you need to give permission to the client so it can access your data. The only way an authorization code is generated is if the user is logged in and grants permission to the client.
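An authorization-server web security configuration that closes the gap discussed in this thread (the /login redirect target that was unmapped, and the CSRF check that rejects a token-less POST), written as an added example rather than code from this repository or from the commenters; it assumes Spring Security 4.x with Spring Security OAuth2 on the classpath, and the class name and the in-memory user are constructed for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Web security for the authorization server itself (hypothetical class name).
// The resource owner must hold a session here before /oauth/authorize can
// ask them to approve the client and hand out an authorization code.
@Configuration
@EnableWebSecurity
public class AuthServerWebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Every request, /oauth/authorize included, needs an authenticated
            // user, so an anonymous GET is sent to the login page first.
            .authorizeRequests()
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            // formLogin() without loginPage() lets Spring Security serve its
            // own generated page at /login. That is the mapping whose absence
            // produced the 404 in this thread; if you call loginPage("/login")
            // instead, you must map that URL to a view yourself.
            .formLogin()
                .and()
            // CSRF protection stays enabled (it is on by default). The generated
            // login form and the approval page behind /oauth/authorize both
            // carry the _csrf field, so a browser-driven flow passes. A hand-made
            // POST with no session and no token gets the 403 seen above, which
            // is the filter working as intended rather than a misconfiguration.
            .csrf();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Constructed sample resource owner for this example only.
        auth.inMemoryAuthentication()
            .withUser("alice").password("alice-password").roles("USER");
    }
}
```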

daddykotex commented 9 years ago

Thanks again, sorry for that, the mistake is on my side!

royclarkson commented 9 years ago

@mariubog thanks for all the help replying to questions!