vert-x3 / vertx-web

HTTP web applications for Vert.x
Apache License 2.0

Oauth2 (GitHub) Revoke needs Cookies? #2339

Open exmoria opened 1 year ago

exmoria commented 1 year ago

Version

4.3.7

Context

Upon successful authentication using the OAuth2Auth handler, a session should be instantiated and I should be able to access the '/protected' route, but instead I'm getting 404 responses. Am I missing something here?

https://user-images.githubusercontent.com/39838515/211918950-737e36ae-3316-4a22-a157-3e43653113fb.mp4

I've included the relevant code snippet:

        OAuth2Auth githubAuth = GithubAuth.create(vertx, CLIENT_ID_GITHUB, CLIENT_SECRET_GITHUB);

        OAuth2AuthHandler oAuth2AuthHandler =
                OAuth2AuthHandler.create(vertx, githubAuth, "http://localhost:8080/callback")
                        .setupCallback(router.route("/callback"));
        oAuth2AuthHandler = oAuth2AuthHandler.withScope("read:user");

        router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));
        router.route("/protected/*").handler(oAuth2AuthHandler);

        router.get("/protected").handler(ctx -> ctx.response().end("Welcome to the protected resource!"));

        router.get("/")
                .handler(ctx -> ctx.response()
                        .putHeader("Content-Type", "text/html")
                        .end("""
                                <html>
                                      <body>
                                        <p>
                                          <a href="/protected">Navigate to the protected resource</a>
                                        </p>
                                      </body>
                                    </html>"""));
pmlopes commented 1 year ago

I believe the "callback" url isn't being properly configured; I'll debug the situation, and in the meantime you can try to do:

        router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));
        router.route("/protected/*").handler(
          OAuth2AuthHandler.create(vertx, githubAuth, "http://localhost:8080/callback")
            .withScope("profile")
            .setupCallback(router.route("/callback")));

As doing it all inline might trigger the right setup.

exmoria commented 1 year ago

The OAuth2AuthHandler seems to be working as expected after all, but only with the futures-based API.

My router instance was probably referencing another object - a silly mistake on my part. For anyone that should happen to come across this issue in the future, make sure to declare your router instance as final:

    final Router router = Router.router(vertx);

I'm also working on a project using the mutiny bindings and the issue persists there. Getting 404s with the github provider like in the video snippet above, and missing scopes with the google provider:


I've managed to track down an issue where someone was having similar troubles in the past: https://github.com/smallrye/smallrye-mutiny-vertx-bindings/issues/502

Also, on a somewhat related note, there seems to be an issue with the github provider when performing revocations of access/refresh tokens with:

oauth2.revoke(ctx.user())

The exception:

Failed to logout user io.vertx.core.impl.NoStackTraceThrowable: Forbidden: Cookies must be enabled to use GitHub.

Token revocations using the google provider seem to be working as intended and will prompt for re-authentication.
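For reference, the full wiring the thread converges on (session handler first, one final router, handler/scope/callback configured inline), as an added example and not the reporter's or vertx-web's own code. It assumes the client id and secret are read from environment variables; the `/logout` route and its fallback behaviour are this example's own choice, not something from the thread.

```java
// Added example (not the reporter's or vertx-web's own code): session, GitHub OAuth2,
// callback, protected route and logout wired on one final Router.
// Assumed: client id/secret are read from environment variables, and the /logout route
// and its fallback behaviour are this example's choice, not something from the thread.
import io.vertx.core.AbstractVerticle;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.providers.GithubAuth;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.handler.OAuth2AuthHandler;
import io.vertx.ext.web.handler.SessionHandler;
import io.vertx.ext.web.sstore.LocalSessionStore;

public class GithubLoginVerticle extends AbstractVerticle {
  @Override
  public void start() {
    // One router, declared final, so every route is registered on the same object.
    final Router router = Router.router(vertx);
    final OAuth2Auth githubAuth = GithubAuth.create(vertx,
        System.getenv("CLIENT_ID_GITHUB"), System.getenv("CLIENT_SECRET_GITHUB"));

    // Session handler before the auth handler: it keeps the login state and the user.
    router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));

    // Handler, scope and callback configured inline, as suggested in the thread.
    router.route("/protected/*").handler(
        OAuth2AuthHandler.create(vertx, githubAuth, "http://localhost:8080/callback")
            .withScope("read:user")
            .setupCallback(router.route("/callback")));

    router.get("/protected").handler(ctx -> ctx.response().end("Welcome to the protected resource!"));

    // Logout: attempt revocation at the provider, but always drop the local user and
    // session, so a failed revoke (like the GitHub "Cookies must be enabled" error
    // reported above) cannot leave the browser logged in.
    router.get("/logout").handler(ctx -> {
      if (ctx.user() == null) { ctx.redirect("/"); return; }
      githubAuth.revoke(ctx.user()).onComplete(ar -> {
        if (ar.failed()) {
          System.err.println("Revoke failed, clearing local session anyway: " + ar.cause().getMessage());
        }
        ctx.clearUser();
        ctx.session().destroy();
        ctx.redirect("/");
      });
    });

    vertx.createHttpServer().requestHandler(router).listen(8080);
  }
}
```

Deploy it with `Vertx.vertx().deployVerticle(new GithubLoginVerticle())` and open http://localhost:8080/protected; the callback URL must match what is registered on the GitHub OAuth app.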