Question
I have implemented the authorization_code grant flow, which works fine when my Auth Server is run locally.

- A client is getting redirected to the auth server login page through the /oauth/authorize end point.
- On successful login it is getting redirected to the redirect_uri provided in the /oauth/authorize call, where it is getting the authorization_code.

Very well.
The problem is that when the Auth Server is put behind a proxy, the last step, where after successful login the client is supposed to get the authorization_code on the redirected resource, is not working at all. It is always getting redirected to the Auth Server's root.

To handle this I created a UsernamePasswordAuthenticationFilter where I configured the AuthenticationSuccessHandler as below:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Redirects to the request saved before login (or to the Referer); falls back to "/"
@Bean
public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
    SavedRequestAwareAuthenticationSuccessHandler savedSuccessHandler = new SavedRequestAwareAuthenticationSuccessHandler();
    savedSuccessHandler.setUseReferer(true);
    return savedSuccessHandler;
}

@Bean
public UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter() throws Exception {
    UsernamePasswordAuthenticationFilter usernamePasswordAuthenticationFilter = new UsernamePasswordAuthenticationFilter();
    // authenticationManager() is inherited from WebSecurityConfigurerAdapter
    usernamePasswordAuthenticationFilter.setAuthenticationManager(authenticationManager());
    usernamePasswordAuthenticationFilter.setAuthenticationSuccessHandler(successRedirectHandler());
    return usernamePasswordAuthenticationFilter;
}
```
I also did some configuration at the proxy level as suggested here.

```apache
<VirtualHost *:443>
    ServerName my.domain.com
    ProxyPass / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto https
    RequestHeader set X-Forwarded-Port 443
    ProxyPreserveHost On
</VirtualHost>
```

And I added the below to my application.properties:

```properties
server.use-forward-headers=true
```

But none of the above worked. I tried some other options as well, but I guess they are not worth mentioning here. I can't figure out if something is getting missed or whether there is some misconfiguration.
Update: On successful login, redirection is not happening to /oauth/authorize itself, but in case of login failure it is getting redirected to the login page with /login?error.

Also, it is running locally on Tomcat but on Wildfly behind the proxy. I debugged it and found that there is a library in Tomcat, org.apache.coyote.http11.AbstractHttp11Processor, which maintains a RequestInfo object holding the original /oauth/authorize request with all the parameters. When debugged over Wildfly no such object could be found. I am sharing the below for reference. I guess now it is more related to the server than the proxy.
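An added example, not code from the question or the answer, showing how the saved request, the success handler and forwarded-header handling fit together in one Spring Boot 1.5 / Spring Security 4.2 configuration; the class name ProxyAwareLoginConfig and the /login page are assumptions. A ForwardedHeaderFilter makes Spring see the proxy's X-Forwarded-Proto and X-Forwarded-Port whatever the servlet container is, which is only safe because the Apache RequestHeader set lines above overwrite any client-supplied values.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.web.filter.ForwardedHeaderFilter;

@Configuration
@EnableWebSecurity
public class ProxyAwareLoginConfig extends WebSecurityConfigurerAdapter { // hypothetical name
    // One shared cache: it stores the unauthenticated /oauth/authorize?... request in the
    // HTTP session and hands the same instance back to the success handler after login.
    @Bean
    public RequestCache requestCache() {
        return new HttpSessionRequestCache();
    }

    // If no saved request is in the session (e.g. the session cookie was lost behind the
    // proxy) this handler falls back to the default target "/", the symptom in the question.
    @Bean
    public SavedRequestAwareAuthenticationSuccessHandler successRedirectHandler() {
        SavedRequestAwareAuthenticationSuccessHandler handler = new SavedRequestAwareAuthenticationSuccessHandler();
        handler.setRequestCache(requestCache());
        handler.setUseReferer(true);
        return handler;
    }

    // Applies X-Forwarded-Proto/Port before any URL is saved or rebuilt, independent of
    // Tomcat or Wildfly; trust these headers only when the proxy overwrites them.
    @Bean
    public FilterRegistrationBean forwardedHeaderFilter() {
        FilterRegistrationBean registration = new FilterRegistrationBean(new ForwardedHeaderFilter());
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().requestCache().requestCache(requestCache())
            .and().formLogin().loginPage("/login").permitAll()
                .successHandler(successRedirectHandler());
    }
}
```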
Answer
With the original problem still remaining a mystery, I finally got the implementation working (not a proper solution though). Below is the complete setup:

- I tried packaging and running the application as a jar but then faced issues with loading JSPs. For this some solutions suggested placing all the JSPs under the /src/main/resources/META-INF/resources/WEB-INF/jsp folder. But in my case I couldn't get it working. As a solution, instead of packaging the application as a jar I packaged it as a WAR with the JSPs in their default location and ran it as a jar with embedded Apache Tomcat version 8.5.27 (Spring Boot 1.5.10.RELEASE).
- For running JSPs over Tomcat the below was added in the pom file.

Note: Some solutions I came across suggested setting <scope> to provided. In my case it worked without it; I am explicitly mentioning it, commented out, below.
```xml
<dependency>
    <groupId>org.apache.tomcat.embed</groupId>
    <artifactId>tomcat-embed-jasper</artifactId>
    <!--<scope>provided</scope>-->
</dependency>
<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <!--<scope>provided</scope>-->
</dependency>
```
I hope this is helpful in case someone stumbles upon the same problem. Any answers/comments are welcome.