


After Spring Boot 2 upgade authorization server returns “At least one redirect_uri must be registered with the client.”


I upgraded our authorization server from Spring Boot 1.5.13.RELEASE to 2.1.3.RELEASE, and now I can authenticate, but I can no longer access the site. Here is the resulting URL and error after the POST to /login.



https://auth-service-test-examle.cfapps.io/oauth/authorize?client_id=proxy-service&redirect_uri=http://test.example.com/login&response_type=code&state=QihbF4

OAuth Error

error="invalid_request", error_description="At least one redirect_uri must be registered with the client."


To troubleshoot, I started a fresh project based on the Spring Security 5.1.4.RELEASE sample "oauth2authorizationserver." I layered on the features used in our Spring Boot 1.5.13 authorization server making sure the unit tests passed (except one test class). If I @Ignore the failing tests and deploy the code I get the problem described above.



The problem is reproducible in the AuthenticationTests.loginSucceeds() JUnit test that passed before the upgrade. It expects a 302, but now it gets a 403 because it goes to the root of the authentication server. I published the entire example on GitHub
spring-security-5-upgrade_sso-auth-server



Clone the project and run the unit tests and you will see the failures.



Here are some of the key settings that can be found in the project on GitHub.



public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    private final String privateKey;
    private final String publicKey;
    private final AuthClientDetailsService authClientDetailsService;
    private final AuthenticationManager authenticationManager;
    private final AuthUserDetailsService authUserDetailsService;

    @Autowired
    public AuthServerConfig(
            @Value("${keyPair.privateKey}") final String privateKey,
            @Value("${keyPair.publicKey}") final String publicKey,
            final AuthClientDetailsService authClientDetailsService,
            final AuthUserDetailsService authUserDetailsService,
            final AuthenticationConfiguration authenticationConfiguration) throws Exception {
        this.privateKey = privateKey;
        this.publicKey = publicKey;
        this.authClientDetailsService = authClientDetailsService;
        this.authUserDetailsService = authUserDetailsService;
        this.authenticationManager = authenticationConfiguration.getAuthenticationManager();
    }

    @Override
    public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(authClientDetailsService);
    }

    @Override
    public void configure(final AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            .authenticationManager(authenticationManager)
            .accessTokenConverter(accessTokenConverter())
            .userDetailsService(authUserDetailsService)
            .tokenStore(tokenStore());
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(privateKey);
        converter.setVerifierKey(publicKey);
        return converter;
    }
}

public class GlobalAuthenticationConfig extends GlobalAuthenticationConfigurerAdapter {

    private final AuthUserDetailsService authUserDetailsService;

    @Autowired
    public GlobalAuthenticationConfig(final AuthUserDetailsService authUserDetailsService) {
        this.authUserDetailsService = authUserDetailsService;
    }

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(authUserDetailsService)
            .passwordEncoder(new BCryptPasswordEncoder());
    }
}

@Configuration
@Order(-20)
protected class LoginConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .requestMatchers().antMatchers(LOGIN, "/oauth/authorize", "/oauth/confirm_access")
            .and()
            .logout().permitAll()
            .and()
            .authorizeRequests().anyRequest().authenticated()
            .and()
            .formLogin().loginPage(LOGIN).permitAll();
        // @formatter:on
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.parentAuthenticationManager(authenticationManager);
    }
}

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private final AuthUserDetailsService authUserDetailsService;

    @Autowired
    public WebSecurityConfig(AuthUserDetailsService authUserDetailsService) {
        this.authUserDetailsService = authUserDetailsService;
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(authUserDetailsService)
            .passwordEncoder(new BCryptPasswordEncoder());
    }
}




What else needs to be done in Spring Boot 2.1.3.RELEASE to redirect the user back to the original webpage?
spring-boot spring-security
asked Mar 27 at 16:41
Steve Mitchell
  • Steve, when I run that test using your sample, the HTML template doesn't get populated, e.g. the hidden input field still says name="${_csrf.parameterName}", for example. This means that the csrf token doesn't get extracted. After manually bypassing that, I get a Spring Session exception. Actually, I also had to remove the com.medzero test dependency from the pom as well as a few test classes in the domain directory. Am I doing something wrong with your sample to reproduce the error you are trying to fix?

    – jzheaux
    Mar 27 at 21:46












  • As for "how to register" with a ClientDetailsService, the registered uri should come back as part of your query to your consumerRepository. Note that it returns a Consumer, which extends ClientDetails. Not sure if you've already poked in that area, though.

    – jzheaux
    Mar 27 at 21:47












  • @jzheaux The csrf template variables are populated when I run that same test on 1.5.13.RELEASE, so either I have an issue with my ThymeLeaf set-up, or I need to configure csrf on 2.1.3.RELEASE. I'll see what I find. Thank you!

    – Steve Mitchell
    Mar 28 at 16:06











  • Steve, were you able to make any progress on getting the GitHub project into a state that reproduces your issue? I'm happy to take another look. I believe I can also help you get past the password encoder issue that you detail in the readme.

    – jzheaux
    Apr 1 at 15:45











  • I went ahead and added a PR to your repo that fixes the loginSucceeds task. I didn't change anything relative to the two problems you mentioned, making me wonder how it is related. Can you help me understand the connection? github.com/smitchell/spring-security-5-upgrade_sso-auth-server/…

    – jzheaux
    Apr 1 at 16:38

















  • Steve, when I run that test using your sample, the HTML template doesn't get populated, e.g. the hidden input field still says name="$_csrf.parameterName", for example. This means that the csrf token doesn't get extracted. After manually bypassing that, I get a Spring Session exception. Actually, I also had to remove the com.medzero test dependency from the pom as well as a few test classes in the domain directory. Am I doing something wrong with your sample to reproduce the error you are trying to fix?

    – jzheaux
    Mar 27 at 21:46












  • As for "how to register" with a ClientDetailsService, the registered uri should come back as part of your query to your consumerRepository. Note that it returns a Consumer, which extends ClientDetails. Note sure if you've already poked in that area, though.

    – jzheaux
    Mar 27 at 21:47












  • @jzheaux The csrf template variables are populated when I run that same test on 1.5.13.RELEASE, so either I have an issue with my ThymeLeaf set-up, or I need to configure csrf on 2.1.3.RELEASE. I'll see what I find. Thank you!

    – Steve Mitchell
    Mar 28 at 16:06











  • Steve, were you able to make any progress on getting the GitHub project into a state that reproduces your issue? I'm happy to take another look. I believe I can also help you get passed the password encoder issue that you detail in the readme.

    – jzheaux
    Apr 1 at 15:45











  • I went ahead and added a PR to your repo that fixes the loginSucceeds task. I didn't change anything relative to the two problems you mentioned, making me wonder how it is related. Can you help me understand the connection? github.com/smitchell/spring-security-5-upgrade_sso-auth-server/…

    – jzheaux
    Apr 1 at 16:38
















Steve, when I run that test using your sample, the HTML template doesn't get populated, e.g. the hidden input field still says name="$_csrf.parameterName", for example. This means that the csrf token doesn't get extracted. After manually bypassing that, I get a Spring Session exception. Actually, I also had to remove the com.medzero test dependency from the pom as well as a few test classes in the domain directory. Am I doing something wrong with your sample to reproduce the error you are trying to fix?

– jzheaux
Mar 27 at 21:46






Steve, when I run that test using your sample, the HTML template doesn't get populated, e.g. the hidden input field still says name="$_csrf.parameterName", for example. This means that the csrf token doesn't get extracted. After manually bypassing that, I get a Spring Session exception. Actually, I also had to remove the com.medzero test dependency from the pom as well as a few test classes in the domain directory. Am I doing something wrong with your sample to reproduce the error you are trying to fix?

– jzheaux
Mar 27 at 21:46














As for "how to register" with a ClientDetailsService, the registered uri should come back as part of your query to your consumerRepository. Note that it returns a Consumer, which extends ClientDetails. Note sure if you've already poked in that area, though.

– jzheaux
Mar 27 at 21:47






As for "how to register" with a ClientDetailsService, the registered uri should come back as part of your query to your consumerRepository. Note that it returns a Consumer, which extends ClientDetails. Note sure if you've already poked in that area, though.

– jzheaux
Mar 27 at 21:47














@jzheaux The csrf template variables are populated when I run that same test on 1.5.13.RELEASE, so either I have an issue with my ThymeLeaf set-up, or I need to configure csrf on 2.1.3.RELEASE. I'll see what I find. Thank you!

– Steve Mitchell
Mar 28 at 16:06





@jzheaux The csrf template variables are populated when I run that same test on 1.5.13.RELEASE, so either I have an issue with my ThymeLeaf set-up, or I need to configure csrf on 2.1.3.RELEASE. I'll see what I find. Thank you!

– Steve Mitchell
Mar 28 at 16:06













Steve, were you able to make any progress on getting the GitHub project into a state that reproduces your issue? I'm happy to take another look. I believe I can also help you get passed the password encoder issue that you detail in the readme.

– jzheaux
Apr 1 at 15:45





Steve, were you able to make any progress on getting the GitHub project into a state that reproduces your issue? I'm happy to take another look. I believe I can also help you get passed the password encoder issue that you detail in the readme.

– jzheaux
Apr 1 at 15:45













I went ahead and added a PR to your repo that fixes the loginSucceeds task. I didn't change anything relative to the two problems you mentioned, making me wonder how it is related. Can you help me understand the connection? github.com/smitchell/spring-security-5-upgrade_sso-auth-server/…

– jzheaux
Apr 1 at 16:38

1 Answer
It's important that OAuth 2.0 clients register a redirect_uri with Authorization Servers as an Open Redirector mitigation. As such, Spring Boot 2.1.x has this as its default behavior, which is why you're seeing the error.

You can do one of two things:

Add redirect_uris, one for each client

Ideally, you'd update your clients to each have a registered redirect_uri, which would likely be retrieved in an implementation of ClientDetailsService:

    import java.util.Set;
    import org.springframework.security.oauth2.provider.ClientDetails;
    import org.springframework.security.oauth2.provider.ClientDetailsService;

    public class MyClientDetailsService implements ClientDetailsService {
        private final MyRepository myRepository;

        public MyClientDetailsService(MyRepository myRepository) {
            this.myRepository = myRepository;
        }

        @Override
        public ClientDetails loadClientByClientId(String clientId) {
            return new MyClientDetails(this.myRepository.getMyDomainObject(clientId));
        }

        // Private adapter: exposes the domain object to Spring Security through ClientDetails
        private static class MyClientDetails extends MyDomainObject implements ClientDetails {
            private final MyDomainObject delegate;

            public MyClientDetails(MyDomainObject delegate) {
                this.delegate = delegate;
            }

            // implement the remaining ClientDetails methods, delegating to your domain object

            @Override
            public Set<String> getRegisteredRedirectUri() {
                return this.delegate.getRedirectUris();
            }
        }
    }

This setup with the private subclass - while not necessary - is nice because it doesn't tie the domain object directly to Spring Security.

Add a custom RedirectResolver

Or, you can customize the RedirectResolver, though this wouldn't secure against Open Redirects, which was the original reason for the change.

    import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
    import org.springframework.security.oauth2.provider.ClientDetails;
    import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver;
    import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;

    public class MyRedirectResolver implements RedirectResolver {
        private final RedirectResolver delegate = new DefaultRedirectResolver();

        @Override
        public String resolveRedirect(String redirectUri, ClientDetails clientDetails) {
            try {
                return this.delegate.resolveRedirect(redirectUri, clientDetails);
            } catch (InvalidRequestException ire) {
                // do custom resolution; until you add it, rethrow so the default check still applies
                throw ire;
            }
        }
    }

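To make the first option concrete, here is an added example (not code from the answer above or from the Spring project) that wires a small in-memory ClientDetailsService, with one client that has a registered redirect_uri and one that does not, through DefaultRedirectResolver. The client ids and URIs are constructed sample values; it assumes the spring-security-oauth2 2.3.x classes that Spring Boot 2.1 pulls in, and the InMemoryClientDetailsService and check names are mine. Running it shows the three outcomes a defender cares about: the registered URI is accepted, an unregistered host is rejected with RedirectMismatchException, and a client with no redirect_uri at all produces exactly the "At least one redirect_uri must be registered with the client." InvalidRequestException from the question.

```java
// Added example, not from the answer or the Spring project: an in-memory
// ClientDetailsService whose clients carry registered redirect URIs, plus a
// small check that shows how DefaultRedirectResolver treats each case.
// Assumes spring-security-oauth2 2.3.x (the version Spring Boot 2.1 uses).
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.OAuth2Exception;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver;
import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;

public class RedirectUriRegistrationExample {

    /** Constructed sample clients; a real service would load these from its repository. */
    static class InMemoryClientDetailsService implements ClientDetailsService {
        private final Map<String, ClientDetails> clients = new HashMap<>();

        InMemoryClientDetailsService() {
            // Well-formed client: exactly one redirect URI registered (constructed value).
            clients.put("web-app", new BaseClientDetails(
                    "web-app", null, "read", "authorization_code",
                    null, "https://app.example.test/login/oauth2/code/sso"));
            // Misconfigured client: no redirect URI at all, the situation in the question.
            clients.put("legacy-app", new BaseClientDetails(
                    "legacy-app", null, "read", "authorization_code", null));
        }

        @Override
        public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
            ClientDetails details = clients.get(clientId);
            if (details == null) {
                throw new ClientRegistrationException("No client with id " + clientId);
            }
            return details;
        }
    }

    /** Resolves one requested redirect for one client and describes the outcome. */
    static String check(RedirectResolver resolver, ClientDetailsService clients,
                        String clientId, String requestedRedirect) {
        try {
            ClientDetails client = clients.loadClientByClientId(clientId);
            return "accepted: " + resolver.resolveRedirect(requestedRedirect, client);
        } catch (InvalidRequestException e) {
            // Thrown when the client has no registered redirect_uri (the question's error).
            return "rejected (no redirect_uri registered): " + e.getMessage();
        } catch (RedirectMismatchException e) {
            // Thrown when the requested URI does not match any registered one.
            return "rejected (mismatch): " + e.getMessage();
        } catch (OAuth2Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        ClientDetailsService clients = new InMemoryClientDetailsService();
        DefaultRedirectResolver resolver = new DefaultRedirectResolver();
        // Exact-host matching: a registered URI must not also authorise its subdomains,
        // otherwise an attacker-controlled subdomain becomes a valid redirect target.
        resolver.setMatchSubdomains(false);

        System.out.println(check(resolver, clients, "web-app",
                "https://app.example.test/login/oauth2/code/sso"));   // accepted
        System.out.println(check(resolver, clients, "web-app",
                "https://other.example.test/callback"));              // rejected (mismatch)
        System.out.println(check(resolver, clients, "legacy-app",
                "https://app.example.test/login/oauth2/code/sso"));   // rejected: no redirect_uri registered
    }
}
```

The third call reproduces the upgrade failure: the resolver never reaches the matching step because the client record carries no redirect URIs at all, so the fix is in the client data (or the service that loads it), not in the resolver. Keeping DefaultRedirectResolver in place and only adding the missing URIs preserves the open-redirect protection the answer describes.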


answered Apr 8 at 20:45

– jzheaux