Authorization_code grant redirection issue

ghz · 1 year ago · 4716 views

Question

I have implemented authorization_code grant flow which works fine when my Auth Server is run locally.

  • A client is getting redirected to auth server login page through /oauth/authorize end point.

  • On successful login it is getting redirected to the redirect_uri provided in the /oauth/authorize call where it is getting the authorization_code.

Very well.

The problem is that when the Auth Server is put behind a proxy, the last step, where after a successful login the client is supposed to receive the authorization_code on the redirected resource, is not working at all. It is always getting redirected to the Auth Server's root.

To handle this I created a UsernamePasswordAuthenticationFilter where I configured an AuthenticationSuccessHandler as below:

import org.springframework.context.annotation.Bean;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Redirects to the request saved before login (e.g. /oauth/authorize), falling back to the Referer header.
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
    SavedRequestAwareAuthenticationSuccessHandler savedSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    savedSuccessHandler.setUseReferer(true);
    return savedSuccessHandler;
}

// Form-login filter wired to the success handler above; authenticationManager() is inherited from the
// enclosing WebSecurityConfigurerAdapter.
@Bean
public UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter() throws Exception {
    UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter = new UsernamePasswordAuthenticationFilter();

    usernamePasswordAuthenticationFilter.setAuthenticationManager(authenticationManager());
    usernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(successRedirectHandler());

    return usernamePasswordAuthenticationFilter;
}

I also did some configuration at the proxy level, as suggested here:

<VirtualHost *:443>
    ServerName my.domain.com
    ProxyPass / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Port 443
    ProxyPreserveHost On
</VirtualHost>

And added the below to my application.properties:

server.use-forward-headers=true

But none of the above worked. I tried some other options as well, but I guess they are not worth mentioning here.

I can't figure out whether something is being missed or something is misconfigured.

Update: On successful login the redirection to /oauth/authorize itself is not happening, but in case of login failure it is redirected to the login page with /login?error.

Also, locally it is running on Tomcat, but behind the proxy it is running on Wildfly. I debugged it and found that there is a library in Tomcat, org.apache.coyote.http11.AbstractHttp11Processor, which maintains a RequestInfo object holding the original /oauth/authorize request with all its parameters. When debugging on Wildfly no such object could be found. I am sharing the below for reference. I guess now it is more related to the server than to the proxy.

[Screenshot: Debugging on Tomcat]
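The question's setup combines three things that have to agree for the saved /oauth/authorize request to survive the proxy: the proxy must set X-Forwarded-Proto/Port, the application must honour them when it rebuilds URLs, and the success handler must actually be the one inside Spring Security's filter chain. The following configuration is an added example, not code from the original post: it uses Spring's ForwardedHeaderFilter (Spring Framework 4.3+, so available with Spring Boot 1.5.10) instead of server.use-forward-headers, which only configures the embedded container and therefore does nothing for a WAR deployed to an external server, and it wires the success handler through formLogin() instead of exposing a UsernamePasswordAuthenticationFilter as a @Bean (Spring Boot registers any Filter bean with the servlet container, outside the security chain). The package name and class name are assumptions.

```java
// Added example (not from the original post). Assumptions: the package name, that the
// application runs as Spring Boot 1.5.x with Spring Security 4.x, and that the proxy
// sets X-Forwarded-Proto/X-Forwarded-Port exactly as in the question's Apache config.
package com.example.auth;  // hypothetical package

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
public class ProxyAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    // Rewrites scheme/host/port from the X-Forwarded-* headers before Spring Security
    // sees the request, so the URL saved for /oauth/authorize is the public https one
    // (https://my.domain.com/...) rather than the backend's http://127.0.0.1:8080/...
    // Registered as a servlet filter, this works on an external server as well as on
    // embedded Tomcat, unlike server.use-forward-headers.
    @Bean
    public FilterRegistrationBean forwardedHeaderFilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean(new ForwardedHeaderFilter());
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE); // ahead of the security filter chain
        return registration;
    }

    // Redirects to the saved pre-login request; "/" is used only when no saved request exists,
    // which is exactly the symptom described in the question.
    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
        SavedRequestAwareAuthenticationSuccessHandler handler = new SavedRequestAwareAuthenticationSuccessHandler();
        handler.setDefaultTargetUrl("/");
        return handler;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                // Attaches the handler to the UsernamePasswordAuthenticationFilter that Spring
                // Security itself builds, instead of a separately exposed filter bean.
                .successHandler(successRedirectHandler());
    }
}
```

ForwardedHeaderFilter trusts whatever X-Forwarded-* values arrive, so two details of the question's deployment matter for safety: Apache's RequestHeader set overwrites any client-supplied value rather than appending to it, and the backend listens on 127.0.0.1:8080, so only the proxy can reach it. If either changes (for example the backend becomes reachable directly, or the proxy merely passes the headers through), a client could supply its own forwarded scheme/host and influence the URLs the application builds, so keep both in place or add a trusted-proxy check in front of the filter.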


Answer

With the original problem still remaining a mystery, I finally got the implementation working (not a proper solution, though). Below is the complete setup:

  • I tried packaging and running the application as a jar, but then faced issues with loading JSPs. For this, some solutions suggested placing all the JSPs under the /src/main/resources/META-INF/resources/WEB-INF/jsp folder, but in my case I couldn't get it working. Instead of packaging the application as a jar, I packaged it as a WAR with the JSPs in their default location and ran it as a jar with embedded Apache Tomcat 8.5.27 (Spring Boot 1.5.10.RELEASE).

  • For running JSPs on Tomcat, the below was added to the pom file.

Note: Some solutions I came across suggested setting <scope> to provided. In my case it worked without it; I have left it in as a comment below.

<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-jasper</artifactId>
    <!--<scope>provided</scope>-->
</dependency>
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <!--<scope>provided</scope>-->
</dependency>

I hope this is helpful in case someone stumbles upon the same problem. Any answers or comments are welcome.