After Spring Boot 2 upgrade authorization server returns “At least one redirect_uri must be registered with the client.”
I upgraded our authorization server from Spring Boot 1.5.13.RELEASE to 2.1.3.RELEASE, and now I can authenticate, but I can no longer access the site. Here is the resulting URL and error after the POST to /login.
https://auth-service-test-examle.cfapps.io/oauth/authorize?client_id=proxy-service&redirect_uri=http://test.example.com/login&response_type=code&state=QihbF4
OAuth Error
error="invalid_request", error_description="At least one redirect_uri must be registered with the client."
To troubleshoot, I started a fresh project based on the Spring Security 5.1.4.RELEASE sample "oauth2authorizationserver." I layered on the features used in our Spring Boot 1.5.13 authorization server making sure the unit tests passed (except one test class). If I @Ignore the failing tests and deploy the code I get the problem described above.
The problem is reproducible in the AuthenticationTests.loginSucceeds() JUnit test that passed before the upgrade. It expects a 302, but now it gets a 403 because it goes to the root of the authentication server. I published the entire example on GitHub: spring-security-5-upgrade_sso-auth-server
Clone the project and run the unit tests and you will see the failures.
Here are some of the key settings that can be found in the project on GitHub.
    public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

        private final String privateKey;
        private final String publicKey;
        private final AuthClientDetailsService authClientDetailsService;
        private final AuthenticationManager authenticationManager;
        private final AuthUserDetailsService authUserDetailsService;

        @Autowired
        public AuthServerConfig(
                @Value("${keyPair.privateKey}") final String privateKey,
                @Value("${keyPair.publicKey}") final String publicKey,
                final AuthClientDetailsService authClientDetailsService,
                final AuthUserDetailsService authUserDetailsService,
                final AuthenticationConfiguration authenticationConfiguration) throws Exception {
            this.privateKey = privateKey;
            this.publicKey = publicKey;
            this.authClientDetailsService = authClientDetailsService;
            this.authUserDetailsService = authUserDetailsService;
            this.authenticationManager = authenticationConfiguration.getAuthenticationManager();
        }

        @Override
        public void configure(final ClientDetailsServiceConfigurer clients) throws Exception {
            clients.withClientDetails(authClientDetailsService);
        }

        @Override
        public void configure(final AuthorizationServerEndpointsConfigurer endpoints) {
            endpoints
                .authenticationManager(authenticationManager)
                .accessTokenConverter(accessTokenConverter())
                .userDetailsService(authUserDetailsService)
                .tokenStore(tokenStore());
        }

        @Bean
        public TokenStore tokenStore() {
            return new JwtTokenStore(accessTokenConverter());
        }

        @Bean
        public JwtAccessTokenConverter accessTokenConverter() {
            final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
            converter.setSigningKey(privateKey);
            converter.setVerifierKey(publicKey);
            return converter;
        }
    }

    public class GlobalAuthenticationConfig extends GlobalAuthenticationConfigurerAdapter {

        private final AuthUserDetailsService authUserDetailsService;

        @Autowired
        public GlobalAuthenticationConfig(final AuthUserDetailsService authUserDetailsService) {
            this.authUserDetailsService = authUserDetailsService;
        }

        @Override
        public void init(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(authUserDetailsService)
                .passwordEncoder(new BCryptPasswordEncoder());
        }
    }

    // Nested configuration class; the LOGIN constant and the authenticationManager
    // field it uses are defined by the enclosing class in the project (not shown here).
    @Configuration
    @Order(-20)
    protected class LoginConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // @formatter:off
            http
                .requestMatchers().antMatchers(LOGIN, "/oauth/authorize", "/oauth/confirm_access")
                .and()
                .logout().permitAll()
                .and()
                .authorizeRequests().anyRequest().authenticated()
                .and()
                .formLogin().loginPage(LOGIN).permitAll();
            // @formatter:on
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.parentAuthenticationManager(authenticationManager);
        }
    }

    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        private final AuthUserDetailsService authUserDetailsService;

        @Autowired
        public WebSecurityConfig(AuthUserDetailsService authUserDetailsService) {
            this.authUserDetailsService = authUserDetailsService;
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(authUserDetailsService)
                .passwordEncoder(new BCryptPasswordEncoder());
        }
    }
What else needs to be done in Spring Boot 2.1.3.RELEASE to redirect the user back to the original webpage?
spring-boot spring-security
Steve, when I run that test using your sample, the HTML template doesn't get populated, e.g. the hidden input field still says name="${_csrf.parameterName}", for example. This means that the csrf token doesn't get extracted. After manually bypassing that, I get a Spring Session exception. Actually, I also had to remove the com.medzero test dependency from the pom as well as a few test classes in the domain directory. Am I doing something wrong with your sample to reproduce the error you are trying to fix?
– jzheaux
Mar 27 at 21:46
As for "how to register" with a ClientDetailsService, the registered uri should come back as part of your query to your consumerRepository. Note that it returns a Consumer, which extends ClientDetails. Not sure if you've already poked in that area, though.
– jzheaux
Mar 27 at 21:47
@jzheaux The csrf template variables are populated when I run that same test on 1.5.13.RELEASE, so either I have an issue with my Thymeleaf set-up, or I need to configure csrf on 2.1.3.RELEASE. I'll see what I find. Thank you!
– Steve Mitchell
Mar 28 at 16:06
Steve, were you able to make any progress on getting the GitHub project into a state that reproduces your issue? I'm happy to take another look. I believe I can also help you get past the password encoder issue that you detail in the readme.
– jzheaux
Apr 1 at 15:45
I went ahead and added a PR to your repo that fixes the loginSucceeds task. I didn't change anything relative to the two problems you mentioned, making me wonder how it is related. Can you help me understand the connection? github.com/smitchell/spring-security-5-upgrade_sso-auth-server/…
– jzheaux
Apr 1 at 16:38
asked Mar 27 at 16:41
Steve Mitchell
1 Answer
It's important that OAuth 2.0 clients register a redirect_uri with Authorization Servers as an Open Redirector mitigation. As such, Spring Boot 2.1.x has this as its default behavior, which is why you're seeing the error.
You can do one of two things:
Add redirect_uris, one for each client
Ideally, you'd update your clients to each have a registered redirect_uri, which would likely be retrieved in an implementation of ClientDetailsService:
    public class MyClientDetailsService implements ClientDetailsService {

        private final MyRepository myRepository;

        public MyClientDetailsService(MyRepository myRepository) {
            this.myRepository = myRepository;
        }

        @Override
        public ClientDetails loadClientByClientId(String clientId) {
            return new MyClientDetails(this.myRepository.getMyDomainObject(clientId));
        }

        private static class MyClientDetails extends MyDomainObject implements ClientDetails {

            private final MyDomainObject delegate;

            public MyClientDetails(MyDomainObject delegate) {
                this.delegate = delegate;
            }

            // implement the remaining ClientDetails methods, delegating to your domain object

            @Override
            public Set<String> getRegisteredRedirectUri() {
                return this.delegate.getRedirectUris();
            }
        }
    }
This setup with the private subclass - while not necessary - is nice because it doesn't tie the domain object directly to Spring Security.
Add a custom RedirectResolver
Or, you can customize the RedirectResolver, though this wouldn't secure against Open Redirects, which was the original reason for the change.
    public class MyRedirectResolver implements RedirectResolver {

        private final RedirectResolver delegate = new DefaultRedirectResolver();

        @Override
        public String resolveRedirect(String redirectUri, ClientDetails clientDetails) {
            try {
                return this.delegate.resolveRedirect(redirectUri, clientDetails);
            } catch (InvalidRequestException ire) {
                // do custom resolution here; rethrowing keeps the default (safe) behaviour
                throw ire;
            }
        }
    }
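To show the two halves of this answer working together, here is an added example of my own, not the answerer's code and not code from the GitHub project in the question. It assumes the spring-security-oauth2 2.x classes the answer uses (ClientDetailsService, BaseClientDetails, DefaultRedirectResolver) and a constructed in-memory client registry standing in for the consumerRepository mentioned in the comments; the client id proxy-service and the redirect URI http://test.example.com/login are taken from the URL in the question, while the client secret and scopes are placeholders. The StrictRedirectResolver keeps DefaultRedirectResolver's own matching and additionally switches off its subdomain matching with setMatchSubdomains(false), so a request for a subdomain of the registered host is rejected rather than accepted, and each rejection is logged so it can be alerted on.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.ClientRegistrationException;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.endpoint.DefaultRedirectResolver;
import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;

/**
 * Added example (not the project's or the answerer's code): clients that carry
 * registered redirect URIs, plus a resolver that only accepts exact host matches.
 */
public class RedirectUriRegistrationExample {

    /** Constructed in-memory registry; a real deployment would back this with a repository. */
    public static class InMemoryClientDetailsService implements ClientDetailsService {

        private final Map<String, ClientDetails> clients = new HashMap<>();

        public InMemoryClientDetailsService() {
            // BaseClientDetails(clientId, resourceIds, scopes, grantTypes, authorities, redirectUris);
            // client id and redirect URI are the ones from the question's URL, the rest are placeholders.
            BaseClientDetails proxy = new BaseClientDetails(
                    "proxy-service", "", "read,write", "authorization_code,refresh_token", "ROLE_CLIENT",
                    "http://test.example.com/login");
            proxy.setClientSecret("{noop}placeholder-secret"); // placeholder; store an encoded secret in practice
            clients.put(proxy.getClientId(), proxy);
        }

        @Override
        public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException {
            ClientDetails details = clients.get(clientId);
            if (details == null) {
                throw new ClientRegistrationException("No client registered with id " + clientId);
            }
            return details;
        }
    }

    /** Wraps DefaultRedirectResolver, disables subdomain matching and logs every rejection. */
    public static class StrictRedirectResolver implements RedirectResolver {

        private final DefaultRedirectResolver delegate = new DefaultRedirectResolver();

        public StrictRedirectResolver() {
            // Require the requested host to equal the registered host exactly.
            delegate.setMatchSubdomains(false);
        }

        @Override
        public String resolveRedirect(String requestedRedirect, ClientDetails client) {
            try {
                return delegate.resolveRedirect(requestedRedirect, client);
            } catch (RedirectMismatchException e) {
                // Surface the rejection for detection, then keep refusing the redirect.
                System.err.println("redirect_uri rejected for client " + client.getClientId()
                        + ": " + requestedRedirect);
                throw e;
            }
        }
    }

    public static void main(String[] args) {
        ClientDetailsService clients = new InMemoryClientDetailsService();
        RedirectResolver resolver = new StrictRedirectResolver();
        ClientDetails proxy = clients.loadClientByClientId("proxy-service");

        // Registered URI resolves as-is.
        System.out.println("accepted: " + resolver.resolveRedirect("http://test.example.com/login", proxy));

        // A subdomain of the registered host is rejected because subdomain matching is off.
        try {
            resolver.resolveRedirect("http://other.test.example.com/login", proxy);
        } catch (RedirectMismatchException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

With no redirect URIs registered at all, DefaultRedirectResolver throws the InvalidRequestException whose message appears in the question; once a URI is registered, a non-matching request fails with RedirectMismatchException instead, which is the outcome you want to see in the authorization server's logs rather than a redirect to an unregistered location.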
answered Apr 8 at 20:45
jzheaux
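As an added example that is not part of jzheaux's answer: a stricter stand-in for DefaultRedirectResolver that accepts a requested redirect_uri only when it is exactly one of the client's registered URIs, so that path traversal, host or port variations fall through to a mismatch. The class name ExactMatchRedirectResolver, the client id and the redirect URL are assumptions; it assumes spring-security-oauth2 is on the classpath.

```java
import java.net.URI;
import java.util.Collections;
import java.util.Set;
import org.springframework.security.oauth2.common.exceptions.InvalidRequestException;
import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.client.BaseClientDetails;
import org.springframework.security.oauth2.provider.endpoint.RedirectResolver;
// Hypothetical resolver: accepts a requested redirect_uri only if it exactly equals a registered URI.
public class ExactMatchRedirectResolver implements RedirectResolver {
    public String resolveRedirect(String requestedRedirect, ClientDetails client) {
        Set<String> registered = client.getRegisteredRedirectUri();
        if (registered == null || registered.isEmpty()) {
            // Same refusal Spring applies by default: with nothing registered there is no safe target.
            throw new InvalidRequestException("At least one redirect_uri must be registered with the client.");
        }
        if (requestedRedirect == null) {
            if (registered.size() == 1) {
                return registered.iterator().next(); // a single registration is unambiguous
            }
            throw new InvalidRequestException("redirect_uri is required when several are registered.");
        }
        URI requested;
        try {
            requested = URI.create(requestedRedirect).normalize(); // collapses "." and ".." segments
        } catch (IllegalArgumentException e) {
            throw new InvalidRequestException("redirect_uri is not a valid URI.");
        }
        for (String candidate : registered) {
            // Whole-URI equality after normalization: scheme, host, port, path and query must all agree.
            if (URI.create(candidate).normalize().equals(requested)) {
                return requestedRedirect;
            }
        }
        throw new RedirectMismatchException("Invalid redirect: " + requestedRedirect);
    }

    public static void main(String[] args) {
        BaseClientDetails client = new BaseClientDetails(); // constructed sample client, not a real registration
        client.setClientId("sample-client");
        client.setRegisteredRedirectUri(Collections.singleton("https://app.example.com/login/oauth2/code/sso"));
        RedirectResolver resolver = new ExactMatchRedirectResolver();
        System.out.println(resolver.resolveRedirect("https://app.example.com/login/oauth2/code/sso", client));
        try {
            resolver.resolveRedirect("https://app.example.com/login/oauth2/code/sso/../../../../x", client);
        } catch (RedirectMismatchException e) {
            System.out.println("rejected: " + e.getMessage()); // "../" normalizes to a different path
        }
    }
}
```

Wire it in with endpoints.redirectResolver(...) in your AuthorizationServerConfigurer in place of the DefaultRedirectResolver; the first error message above is the one the question is about, so a client with no registered URI is still refused.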
Steve, when I run that test using your sample, the HTML template doesn't get populated, e.g. the hidden input field still says name="$_csrf.parameterName", for example. This means that the csrf token doesn't get extracted. After manually bypassing that, I get a Spring Session exception. Actually, I also had to remove the com.medzero test dependency from the pom as well as a few test classes in the domain directory. Am I doing something wrong with your sample to reproduce the error you are trying to fix? – jzheaux Mar 27 at 21:46
As for "how to register" with a ClientDetailsService, the registered uri should come back as part of your query to your consumerRepository. Note that it returns a Consumer, which extends ClientDetails. Not sure if you've already poked in that area, though. – jzheaux Mar 27 at 21:47
@jzheaux The csrf template variables are populated when I run that same test on 1.5.13.RELEASE, so either I have an issue with my ThymeLeaf set-up, or I need to configure csrf on 2.1.3.RELEASE. I'll see what I find. Thank you! – Steve Mitchell Mar 28 at 16:06
Steve, were you able to make any progress on getting the GitHub project into a state that reproduces your issue? I'm happy to take another look. I believe I can also help you get past the password encoder issue that you detail in the readme. – jzheaux Apr 1 at 15:45
I went ahead and added a PR to your repo that fixes the loginSucceeds task. I didn't change anything relative to the two problems you mentioned, making me wonder how it is related. Can you help me understand the connection? github.com/smitchell/spring-security-5-upgrade_sso-auth-server/… – jzheaux Apr 1 at 16:38