Unable to set User-Agent on oauth2-client causes issues with some oauth2 servers.

[Woodham]

Summary

Not sure if this would be considered a bug or feature request, however it is causing issues trying to authenticate with an oauth2 server.

When using the oauth2-client, it's not possible to set the User-Agent for the requests made to authenticate and retrieve the user info. This causes issues for some oauth2 servers - specifically those behind Cloudflare, which blocks requests without a user-agent.

The specific server I'm having trouble with is Discord.

If I replace NimbusAuthorizationCodeTokenResponseClient.java and NimbusUserInfoResponseClient.java to add a User-Agent header in the requests, everything works as expected. (Any user agent works, as long as it's not blank).

Actual Behavior

Without overriding the classess to add a User-Agent, I get a 403 for both of those requests.

Expected Behavior

I am able to complete the oauth2-client flow.

Configuration

I'm using Spring Boot 2.0 (latest snapshot) Autoconfiguration.

Version

Spring Security 5, specifically for oauth2-client.

[jgrandja]

@Woodham The spec does not require the User-Agent header for the Token Request or UserInfo Request so it's not a bug. Interesting that Discord requires this header as I've tested on a few different providers and no issues related to this.

As you already figured out, you are able to override the defaults via oauth2Login().userInfoEndpoint().accessTokenResponseClient() and oauth2Login().userInfoEndpoint().userService() by providing your own implementation of each so that should get you by for now.

I'll give this one some thought and see what we can do to make this work without you having to override the defaults.

[Woodham]

Thanks @jgrandja, I thought that might be the case. I can't tell whether it's a Discord requirement or just a side-effect of it being behind Cloudflare - but either way I agree it isn't part of the spec. Perhaps an easier way of configuring the http client used in general would be useful?

Either way, thanks for confirming there wasn't a better way to configure it right now :)

[chutch1122]

I just ran into this issue when attempting to use Spring Security 5 with Discord as well.

It appears that it's a side-effect of Discord being behind Cloudflare. The Cloudflare error code that is coming back is 1010. See their support site documentation on this error.

[XYUU]

@jgrandja @Woodham You mentioned this feature, this PR can meet

#5266

for example:

.oauth2Login().tokenEndpoint().accessTokenResponseClient(new DefaultAccessTokenResponseClient().addMethod(ClientAuthenticationMethod.POST, (headers, body, request) -> {
headers.add("User-Agent", "You need");
body.add("client_id", request.getClientRegistration().getClientId());
body.add("client_secret", request.getClientRegistration().getClientSecret());
}))

[chutch1122]

@Woodham I managed to work around this deficiency by creating a proxy that tacks on a User-Agent header.

Here's a docker container that does the job:
https://hub.docker.com/r/chutch1122/discord-gateway/

The source is here:
https://github.com/chutch1122/discord-gateway

[XYUU]

I'm trying to use Spring's own dependencies to solve various scenarios and reuse as much code as possible, which would be small.

[rsuurd]

I wrote an article about this: https://medium.com/fourscouts/spring-boot-oauth2-with-discord-as-provider-fbe81ba2a721

The code is far from perfect but should hopefully help someone else stumbling across this issue.

[jgrandja]

@Woodham With the recent release of Spring Security 5.1, you can now customize the Token Request and UserInfo request. For your use case, you'll be able to add the User-Agent header.

See the reference for customizing the Token Request and UserInfo request.