Closed hildo closed 6 years ago
Just some more context. Here is the breakdown of my time spent waiting for the content when I load the url in my browser the first time....
That would result in a Connect timeout (which the above log states is the timeout encountered). However, when I shift-F5 in the browser to refresh the page, the time to connect is less, but the time waiting for the response is still > 250
So I'm going to hit a timeout either way.
Actually, I can't even get the Google aspect of the sample to work. I've followed the instructions, created an OAuth2 client in my Google account and updated the application.yaml with my client-id and client-secret. When I run the app and click on the Google link, it goes to my account, and I select my account, then it looks like it's sending an auth code back. But then my browser shows up with an error.
So, I can see the call back from Google to localhost:8080/oauth2/authorize/code/google, but that ends up with a 302 error under the covers.
Is there anything else to be done to get this basic sample working?
@hildo Can you post the stack trace for the error related to the access token request connect time out - Google?
I don't get any exception in the spring-boot process. What I see is
There are no callstacks in the Java process, and no call stacks in the browser.
If it helps, this is how I have the Client ID defined in my Google API console
And how that is transcribed in my application.yml
If I have not done enough, please let me know. I thought I had followed the instructions, but I could have overlooked something?
Looks like you have things configured correctly. It really is as simple as setting the client-id and client-secret. The defaults for the rest of the config are in oauth2-clients-defaults.yml.
Can you add this to your application.yml and send me the log output.
logging:
  level:
    org.springframework.security: DEBUG
This should give me more information on the connect timeout issue.
This error is happening during the Access Token Request call in NimbusAuthorizationCodeTokenExchanger on line 93:
tokenResponse = TokenResponse.parse(httpRequest.send());
Although the other issue you're having with the timing out while fetching the JwkSet (because of the 250ms timeout setting), there is no timeout set for connect or read while fetching the access token. So this explains why it hangs for a minute or so.
Just curious, did you make any changes to oauth2-clients-defaults.yml? The uri it's using to fetch the token is:
token-uri: "https://accounts.google.com/o/oauth2/token"
Something is going on here. I haven't had any issues when testing the sample using a client configured in my google account. Seems like your network is having some issues here.
Have you tried configuring the facebook or github client? Maybe try either one of them and see what happens.
The debug log output may help further so please post that when you get a chance.
As far as the JwkSet timeout issue, I will address that so you can update the default connect/read timeout.
Related #4477
@hildo I just added a new feature that will allow you to provide a custom configuration for the underlying HTTP client. So now you can set the connect timeout and read timeout.
Here is a code sample to enable this:
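import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ApplicationConfig {

    // Custom settings for the underlying HTTP client
    @Bean
    public HttpClientConfig httpClientConfig() {
        HttpClientConfig httpClientConfig = new HttpClientConfig();
        httpClientConfig.setConnectTimeout(60000); // connect timeout, in ms
        httpClientConfig.setReadTimeout(60000);    // read timeout, in ms
        return httpClientConfig;
    }
}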
Just a heads up that I won't be available over the next 2 weeks. However, @rwinch will be able to assist you if you have any other issues.
Thanks. The only change I have made to the default yml is, apparently, the scopes...
I'm not sure why I've done that. Up until now, I've been using the ZIP download of M3. However, I've now cloned the repo as there are now changes I'd like to try, wrt to the timeouts. So I'll ensure those values in the default yml are restored to what's originally in the repo.
Thanks for the help, and have a great break!
Hi. Just an update. Instead of using M3 of the sources, I've cloned the repository. I've been able to take advantage of configuring the HttpClientConfig and as a result I have been able to successfully interact with an Azure Active Directory (which is what I was really after) as well as a second Open ID connect endpoint. I am still having the same issue with integrating with Google. I've set up the logging as specified, and this is the output in the console running the sample code
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : /oauth2/authorization/code/google at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : /oauth2/authorization/code/google at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : /oauth2/authorization/code/google at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@727a9f93
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : /oauth2/authorization/code/google at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : /oauth2/authorization/code/google at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /oauth2/authorization/code/google' doesn't match 'POST /logout
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy : /oauth2/authorization/code/google at position 6 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeRequestRedirectFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/code/google'; against '/oauth2/authorization/code/{clientAlias}'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth2/authorization/code/google'; against '/oauth2/authorization/code/{clientAlias}'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.web.DefaultRedirectStrategy : Redirecting to 'https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=http://localhost:8080/oauth2/authorize/code/google&client_id=107403879208-ctufv96i3pchbc1ha9hjsv45efvne1ql.apps.googleusercontent.com&scope=openid%20profile%20email%20address%20phone&state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6b197970. A new one will be created.
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@727a9f93
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /oauth2/authorize/code/google' doesn't match 'POST /logout
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 6 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeRequestRedirectFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth2/authorize/code/google'; against '/oauth2/authorization/code/{clientAlias}'
2017-07-31 12:17:27.541 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 7 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeAuthenticationProcessingFilter'
2017-07-31 12:17:27.541 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/oauth2/authorize/code/google'; against '/oauth2/authorize/code/{clientAlias}'
2017-07-31 12:17:27.545 DEBUG 6740 --- [nio-8080-exec-6] zationCodeAuthenticationProcessingFilter : Request is to process authentication
2017-07-31 12:17:27.545 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.authentication.ProviderManager : Authentication attempt using org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProvider
2017-07-31 12:18:31.377 DEBUG 6740 --- [nio-8080-exec-6] zationCodeAuthenticationProcessingFilter : Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: An error occurred while sending the Access Token Request: Connection timed out: connect
org.springframework.security.authentication.AuthenticationServiceException: An error occurred while sending the Access Token Request: Connection timed out: connect
at org.springframework.security.oauth2.client.authentication.nimbus.NimbusAuthorizationCodeTokenExchanger.exchange(NimbusAuthorizationCodeTokenExchanger.java:106) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.oauth2.client.authentication.nimbus.NimbusAuthorizationCodeTokenExchanger.exchange(NimbusAuthorizationCodeTokenExchanger.java:64) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProvider.authenticate(AuthorizationCodeAuthenticationProvider.java:106) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProcessingFilter.attemptAuthentication(AuthorizationCodeAuthenticationProcessingFilter.java:155) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.oauth2.client.authentication.AuthorizationCodeRequestRedirectFilter.doFilterInternal(AuthorizationCodeRequestRedirectFilter.java:101) [spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:350) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:265) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:199) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_111]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_111]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_111]
Caused by: java.net.ConnectException: Connection timed out: connect
at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method) ~[na:1.8.0_111]
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85) ~[na:1.8.0_111]
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_111]
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_111]
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_111]
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[na:1.8.0_111]
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_111]
at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_111]
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) ~[na:1.8.0_111]
at sun.net.NetworkClient.doConnect(NetworkClient.java:175) ~[na:1.8.0_111]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) ~[na:1.8.0_111]
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) ~[na:1.8.0_111]
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) ~[na:1.8.0_111]
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) ~[na:1.8.0_111]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) ~[na:1.8.0_111]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138) ~[na:1.8.0_111]
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032) ~[na:1.8.0_111]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) ~[na:1.8.0_111]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316) ~[na:1.8.0_111]
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291) ~[na:1.8.0_111]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) ~[na:1.8.0_111]
at com.nimbusds.oauth2.sdk.http.HTTPRequest.toHttpURLConnection(HTTPRequest.java:623) ~[oauth2-oidc-sdk-5.21.jar!/:5.21]
at com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:677) ~[oauth2-oidc-sdk-5.21.jar!/:5.21]
at com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:649) ~[oauth2-oidc-sdk-5.21.jar!/:5.21]
at org.springframework.security.oauth2.client.authentication.nimbus.NimbusAuthorizationCodeTokenExchanger.exchange(NimbusAuthorizationCodeTokenExchanger.java:98) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
... 60 common frames omitted
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] zationCodeAuthenticationProcessingFilter : Updated SecurityContextHolder to contain null Authentication
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] zationCodeAuthenticationProcessingFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@6c9b2c82
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] .a.SimpleUrlAuthenticationFailureHandler : Redirecting to /login?error
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.web.DefaultRedirectStrategy : Redirecting to '/login?error'
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-07-31 12:18:31.389 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /login?error at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-07-31 12:18:31.389 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /login?error at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6b197970. A new one will be created.
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /login?error at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@727a9f93
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /login?error at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /login?error at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Request 'GET /login' doesn't match 'POST /logout
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /login?error at position 6 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeRequestRedirectFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/oauth2/authorization/code/{clientAlias}'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /login?error at position 7 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeAuthenticationProcessingFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher : Checking match of request : '/login'; against '/oauth2/authorize/code/{clientAlias}'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy : /login?error at position 8 of 14 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
That said, I'm happy with the changes that have been made so far. While it would be nice to use Google, I was only attempting that because my first attempt at AAD was failing. That is now succeeding and that is what I am really after.
Thanks for all the help!
@hildo I'm glad you got things working with Azure AD. I'm curious though why you're getting a connect time out using the Google client. I'm suspecting there is something going on with your network where https://accounts.google.com/o/oauth2/token is being blocked.
Try doing a curl -v https://accounts.google.com/o/oauth2/token on the same computer where the application is running and producing this error to confirm if it's your network.
Are you running the Google sample on your laptop/desktop or is this happening in a server environment?
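An added example (not code from Spring Security or from anyone in this thread) of the check discussed above: it probes an endpoint through HttpURLConnection, the JDK client visible in the stack trace, with explicit connect and read timeouts and reports which phase failed. The class name EndpointTimeoutProbe, the local /jwks stub and its 400 ms delay are constructed for the demo; the stub stands in for a slow JWK Set endpoint so the program runs without network access.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.SocketTimeoutException;
import java.net.URL;
import java.nio.charset.StandardCharsets;

public class EndpointTimeoutProbe {

    enum Outcome { OK, CONNECT_PHASE_FAILED, READ_TIMEOUT, OTHER_IO_ERROR }

    /**
     * Opens a connection with explicit timeouts and classifies the result.
     * Any HTTP status counts as OK: the point is reachability, not authorization.
     */
    static Outcome probe(String uri, Proxy proxy, int connectTimeoutMs, int readTimeoutMs) {
        HttpURLConnection conn = null;
        boolean connected = false;
        try {
            conn = (HttpURLConnection) new URL(uri).openConnection(proxy);
            conn.setConnectTimeout(connectTimeoutMs);
            conn.setReadTimeout(readTimeoutMs);
            conn.connect();          // TCP connect (plus TLS handshake for https)
            connected = true;
            conn.getResponseCode();  // blocks until the status line arrives
            return Outcome.OK;
        } catch (SocketTimeoutException e) {
            // The Java-level timeout fired: before or after the socket was established.
            return connected ? Outcome.READ_TIMEOUT : Outcome.CONNECT_PHASE_FAILED;
        } catch (ConnectException e) {
            // The OS gave up or refused, e.g. "Connection timed out: connect" as in the log above.
            return Outcome.CONNECT_PHASE_FAILED;
        } catch (IOException e) {
            return Outcome.OTHER_IO_ERROR;
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed stub: answers after 400 ms, slower than a 250 ms read timeout.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/jwks", exchange -> {
            try {
                Thread.sleep(400);
                byte[] body = "{\"keys\":[]}".getBytes(StandardCharsets.UTF_8);
                exchange.sendResponseHeaders(200, body.length);
                exchange.getResponseBody().write(body);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            } finally {
                exchange.close();
            }
        });
        server.start();
        int port = server.getAddress().getPort();
        String uri = "http://127.0.0.1:" + port + "/jwks";

        // Proxy.NO_PROXY for the local stub. Behind an outbound proxy, pass
        // new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host, port)) with your own values.
        Proxy proxy = Proxy.NO_PROXY;

        // Short read timeout against a slower response.
        System.out.println("250 ms read timeout : " + probe(uri, proxy, 250, 250));
        // Generous timeouts against the same endpoint.
        System.out.println("30 s timeouts       : " + probe(uri, proxy, 30000, 30000));

        server.stop(0);
        // Nothing is listening on the port any more, so the failure is in the connect phase.
        System.out.println("listener stopped    : " + probe(uri, proxy, 250, 250));
    }
}
```

Pointed at a real token or JWK Set URI from the machine that runs the application, a CONNECT_PHASE_FAILED result indicates a network or proxy problem, while READ_TIMEOUT indicates the configured read timeout is shorter than the server's response time.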
Yes, I agree. The likely suspect is our network. It can be ... challenging. I will try this out a little later and get back. I am running this sample on my desktop, not in a server environment.
@hildo I'm going to close this issue assuming all is good on your end.
Also, we decided to remove HttpClientConfig in favour of a client abstraction that will be configurable. However, we won't have time to get to this until after we release 5.0 on Nov 6. For now, we set the default read and connection timeouts to 30 secs so you should still be good.
See #4478 for further details.
@jgrandja We are facing the same issue. Can you provide us an example of how to set a proxy? The issue is the same as above for Google OIDC.
2017-10-12 15:48:30.779 DEBUG 15276 --- [nio-8080-exec-5] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2017-10-12 15:48:30.790 DEBUG 15276 --- [nio-8080-exec-5] .w.AuthorizationCodeAuthenticationFilter : Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: An error occurred while sending the Access Token Request: Connection timed out: connect
org.springframework.security.authentication.AuthenticationServiceException: An error occurred while sending the Access Token Request: Connection timed out: connect
at org.springframework.security.oauth2.client.web.nimbus.NimbusAuthorizationCodeTokenExchanger.exchange(NimbusAuthorizationCodeTokenExchanger.java:111) ~[spring-security-oauth2-client-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.oauth2.client.web.nimbus.NimbusAuthorizationCodeTokenExchanger.exchange(NimbusAuthorizationCodeTokenExchanger.java:69) ~[spring-security-oauth2-client-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.oauth2.oidc.client.authentication.OidcAuthorizationCodeAuthenticator.authenticate(OidcAuthorizationCodeAuthenticator.java:70) ~[spring-security-oauth2-client-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.oauth2.oidc.client.authentication.OidcAuthorizationCodeAuthenticator.authenticate(OidcAuthorizationCodeAuthenticator.java:41) ~[spring-security-oauth2-client-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.oauth2.client.authentication.DelegatingAuthorizationGrantAuthenticator.lambda$authenticate$2(DelegatingAuthorizationGrantAuthenticator.java:54) ~[spring-security-oauth2-client-5.0.0.M5.jar:5.0.0.M5]
at java.util.stream.ReferencePipeline$3$1.accept(Unknown Source) ~[na:1.8.0_144]
at java.util.LinkedList$LLSpliterator.tryAdvance(Unknown Source) ~[na:1.8.0_144]
at java.util.stream.ReferencePipeline.forEachWithCancel(Unknown Source) ~[na:1.8.0_144]
at java.util.stream.AbstractPipeline.copyIntoWithCancel(Unknown Source) ~[na:1.8.0_144]
at java.util.stream.AbstractPipeline.copyInto(Unknown Source) ~[na:1.8.0_144]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source) ~[na:1.8.0_144]
at java.util.stream.FindOps$FindOp.evaluateSequential(Unknown Source) ~[na:1.8.0_144]
at java.util.stream.AbstractPipeline.evaluate(Unknown Source) ~[na:1.8.0_144]
at java.util.stream.ReferencePipeline.findFirst(Unknown Source) ~[na:1.8.0_144]
at org.springframework.security.oauth2.client.authentication.DelegatingAuthorizationGrantAuthenticator.authenticate(DelegatingAuthorizationGrantAuthenticator.java:56) ~[spring-security-oauth2-client-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProvider.authenticate(AuthorizationCodeAuthenticationProvider.java:91) ~[spring-security-oauth2-client-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-5.0.0.M4.jar:na]
at org.springframework.security.oauth2.client.web.AuthorizationCodeAuthenticationFilter.attemptAuthentication(AuthorizationCodeAuthenticationFilter.java:138) ~[spring-security-oauth2-client-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.oauth2.client.web.AuthorizationCodeRequestRedirectFilter.doFilterInternal(AuthorizationCodeRequestRedirectFilter.java:111) [spring-security-oauth2-client-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-5.0.0.M5.jar:5.0.0.M5]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:108) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC4.jar:5.0.0.RC4]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1457) [tomcat-embed-core-8.5.20.jar:8.5.20]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.20.jar:8.5.20]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [na:1.8.0_144]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [na:1.8.0_144]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.20.jar:8.5.20]
at java.lang.Thread.run(Unknown Source) [na:1.8.0_144]
Caused by: java.net.ConnectException: Connection timed out: connect
at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method) ~[na:1.8.0_144]
at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source) ~[na:1.8.0_144]
at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source) ~[na:1.8.0_144]
at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source) ~[na:1.8.0_144]
at java.net.AbstractPlainSocketImpl.connect(Unknown Source) ~[na:1.8.0_144]
at java.net.PlainSocketImpl.connect(Unknown Source) ~[na:1.8.0_144]
at java.net.SocksSocketImpl.connect(Unknown Source) ~[na:1.8.0_144]
at java.net.Socket.connect(Unknown Source) ~[na:1.8.0_144]
at sun.security.ssl.SSLSocketImpl.connect(Unknown Source) ~[na:1.8.0_144]
at sun.net.NetworkClient.doConnect(Unknown Source) ~[na:1.8.0_144]
at sun.net.www.http.HttpClient.openServer(Unknown Source) ~[na:1.8.0_144]
at sun.net.www.http.HttpClient.openServer(Unknown Source) ~[na:1.8.0_144]
at sun.net.www.protocol.https.HttpsClient.
@Rancho007 There is no API available as of now for configuring proxy settings. This will be coming in a later release though. For now, what you can do is create your own implementation of AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> and configure the Http Client to suit your needs. Here is a sample security configuration on how to plug-in your implementation:
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .tokenEndpoint()
                    .authorizationCodeTokenExchanger(this.authorizationCodeTokenExchanger());
    }

    private AuthorizationGrantTokenExchanger<AuthorizationCodeAuthenticationToken> authorizationCodeTokenExchanger() {
        // Return your custom implementation that sets the timeout(s) and proxy settings for the Http Client
        // Use NimbusAuthorizationCodeTokenExchanger as an example for implementation
        return new NimbusAuthorizationCodeTokenExchanger();
    }
}
https://github.com/Microsoft/azure-spring-boot/issues/247
I am not sure, but I have the same symptoms as here. If someone could help, it would be great.
@sshogunn The default connection timeout needs to be increased in DefaultResourceRetriever which is associated in RemoteJWKSet. You will need to address this with the Microsoft team as they are not using Spring Security and instead using Nimbus library directly.
Hi Guys, could you please suggest how to increase the timeout? I am getting the same exception as above:
com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Read timed out.
Below is my source code.
Thanks in advance.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationFilter;

@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AADAuthenticationFilter aadAuthFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().antMatchers("/api/ppo/dashboard/dashboardstats").permitAll();
        http.authorizeRequests().antMatchers("/api/ppo/dashboard/castats").permitAll();
        http.authorizeRequests().antMatchers("/api/ppo/authenticate/privileges").permitAll();
        http.authorizeRequests().antMatchers("/api/ppo/**").authenticated();
        //http.authorizeRequests().antMatchers("/api/ppo/autenticate/**").permitAll();
        http.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/").deleteCookies("JSESSIONID").invalidateHttpSession(true);
        //http.authorizeRequests().anyRequest().permitAll();
        http.csrf().disable();
        http.cors();
        // http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        http.addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    public WebMvcConfigurer corsConfigurer() {
        return new WebMvcConfigurer() {
            @Override
            public void addCorsMappings(CorsRegistry registry) {
                registry.addMapping("/api/ppo/**").allowedMethods("GET", "POST", "PUT", "DELETE").allowedOrigins("*")
                    .allowedHeaders("*");
            }
        };
    }
}
@vipinsaini434 You've configured AADAuthenticationFilter, which is owned by the azure-spring-boot. Please log this issue in the azure-spring-boot repo.
Also, see this comment
@jgrandja thank you. I will raise it with them. Though I checked, it's already there but with no solution. Also, I checked the comment you mentioned but could not understand how to increase the connection timeout in DefaultResourceRetriever.
@sshogunn The default connection timeout needs to be increased in DefaultResourceRetriever which is associated in RemoteJWKSet. You will need to address this with the Microsoft team as they are not using Spring Security and instead using Nimbus library directly.
@jgrandja Could you please assist with how to increase the timeout using 'DefaultResourceRetriever'? I searched a lot but am not finding any resource on how to update it.
@vipinsaini434 I did not work on the azure-spring-boot repo so I'm not familiar with how this would be configured. You will need to address that team and ask them. Have you logged an issue to the repo?
Hello everyone, if someone is looking for the solution to this problem (com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Read timed out.) in the azure-spring-boot library: I request you to download the source code for the nimbus library, modify the default timeout parameter and try. In my case I have done the same thing and prepared a custom jar instead of the nimbus jar. This has resolved my issue. Any issue, please ping me. Happy to help, as I have wasted a lot of time figuring out the cause and solution.
Hi Team, do we have any ETA for its fix?
With the recent release of 5.1, you now have the ability to configure the connect/read timeouts via a supplied RestOperations.
Please see #5601 for more details and specifically #5547 and #5603 that are related to this issue.
The solution provided is to allow a RestOperations to be supplied to either DefaultAuthorizationCodeTokenResponseClient (for the Token Request) and/or NimbusJwtDecoderJwkSupport (for the JWKSet retrieval).
For example, if you need to increase the timeout for the Token Request then you would perform the following configuration steps:
1) Instantiate a RestTemplate (or a RestOperations implementation) and configure the connect and/or read timeouts to your requirements.
2) Instantiate DefaultAuthorizationCodeTokenResponseClient and supply it the RestOperations via setRestOperations()
3) Now supply the configured DefaultAuthorizationCodeTokenResponseClient as follows:
http
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .oauth2Login()
        .tokenEndpoint()
            .accessTokenResponseClient(defaultAuthorizationCodeTokenResponseClient())
If you need to increase the timeout for the JWKSet retrieval then this still needs to be addressed in #5717. We've already added the capability for supplying the NimbusJwtDecoderJwkSupport a configured RestOperations via setRestOperations. However, the next step is to allow the configured NimbusJwtDecoderJwkSupport to be supplied to OidcAuthorizationCodeAuthenticationProvider.
Our plan is to address #5717 shortly.
Does this answer your question @laxmikant4644 ?
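The three configuration steps from the comment above, written out against the Spring Security 5.1 API as an added example (not code from the thread or from the project). The class name and the timeout values are assumptions; the message converters and error handler are set explicitly because a RestTemplate built with defaults does not include the OAuth 2.0 token response converter.

```java
import java.util.Arrays;

import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestTemplate;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values. Keep them bounded: each pending Token Request holds a
    // servlet request thread until the connect or read timeout expires.
    private static final int CONNECT_TIMEOUT_MS = 2000;
    private static final int READ_TIMEOUT_MS = 5000;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Step 3: hand the configured client to the token endpoint.
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .tokenEndpoint()
                    .accessTokenResponseClient(accessTokenResponseClient());
    }

    private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
        // Step 1: an HTTP client with explicit connect and read timeouts.
        // A proxy, if one is required, can be set on the same factory with
        // requestFactory.setProxy(java.net.Proxy).
        SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
        requestFactory.setConnectTimeout(CONNECT_TIMEOUT_MS);
        requestFactory.setReadTimeout(READ_TIMEOUT_MS);

        // The form converter writes the Token Request body; the OAuth2 converter
        // reads the Token Response; the error handler maps OAuth 2.0 error responses.
        RestTemplate restTemplate = new RestTemplate(Arrays.asList(
                new FormHttpMessageConverter(),
                new OAuth2AccessTokenResponseHttpMessageConverter()));
        restTemplate.setRequestFactory(requestFactory);
        restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());

        // Step 2: supply the RestOperations to the token response client.
        DefaultAuthorizationCodeTokenResponseClient client =
                new DefaultAuthorizationCodeTokenResponseClient();
        client.setRestOperations(restTemplate);
        return client;
    }
}
```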
Thanks for the detailed response @jgrandja. Yes, with #5717 we should be good, but wouldn't it be better to go with https://github.com/Microsoft/azure-spring-boot/pull/418?
@laxmikant4644
wouldn't it be better to go with Microsoft/azure-spring-boot#418
Exposing fine-grained configuration, for example, jwk-set.connect-timeout and jwk-set.read-timeout is another option but it only addresses those 2 specific configurations for an HTTP Client.
A more flexible option is to allow the user to configure an HTTP Client (e.g. RestTemplate) and supply it to NimbusJwtDecoderJwkSupport. This provides the user the ultimate flexibility as they are free to configure whatever they need for the underlying HTTP Client.
@vipinsaini434 I come across the same problem and got a better solution:
// Types come from com.nimbusds.jose, com.nimbusds.jose.jwk.source, com.nimbusds.jose.proc,
// com.nimbusds.jose.util, com.nimbusds.jwt and com.nimbusds.jwt.proc
ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
// connection timeout and read timeout (both in milliseconds) can be configured here
ResourceRetriever jwkRetriever = new DefaultResourceRetriever(100000, 100000);
JWKSource<SecurityContext> jwkSource = new RemoteJWKSet<>(new URL(jsonWebKeyFileURL), jwkRetriever);
JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256;
JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(jwsAlgorithm, jwkSource);
jwtProcessor.setJWSKeySelector(keySelector);
JWTClaimsSet claimsSet = jwtProcessor.process(token, null);
This is a question: I am trying out the v5 oauth changes, eventually hoping to try the open id client support. I'm running the boot oauth2login sample in the 5.0.0 M3 release. I have added a new client to connect to an Azure Active Directory account I have. It is working... I can see the token coming back. But it fails when validating the token.
This is the call stack I see in the system.out for the process running the sample
From what I have pieced together, the framework is attempting to retrieve the keys from the jwk-set-uri value and not getting the value in time. When I debug this, the default value of 250 ms is used for both the connect and read timeout for the nimbus classes involved.
When I load the same URL using my browser, it completes. So the URL is valid. However, from where I'm running, it usually takes >400 ms to load. I'm happy to say it's caused by my network, but I'm not going to be able to change this.
Is there any chance that those timeouts will be configurable? I feel like if I can just increase those timeouts, this will work just fine.
Thanks for any help. Ed