Support OAuth2 redirect_uri for Forwarded Header

[mhyeon-lee]

Summary

When generating the redirect_uri from the DefaultOAuth2AuthorizationRequestResolver, apply the Forwarded Header to {baseUrl}.

Also, shouldProcessAuthorizationResponse of OAuth2AuthorizationCodeGrantFilter should be compared to redirect_uri based on Forwarded Header application.

Actual Behavior

• request: http://localhost/oauth2/authorization/google
• header: Forwarded host=192.168.0.1
• redirect_uri: http://localhost/login/oauth2/code/google

Expected Behavior

• redirect_uri: http://192.168.0.1/login/oauth2/code/google

Sample

The following test fails.

@Test
public void resolveWhenAuthorizationRequestRedirectUriTemplatedThenRedirectUriForwardedIPv4HostHeader() {
	ClientRegistration clientRegistration = this.registration2;
	String requestUri = this.authorizationRequestBaseUri + "/" + clientRegistration.getRegistrationId();
	MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
	request.setServletPath(requestUri);
	request.setScheme("http");
	request.setServerName("localhost");
	request.setServerPort(80);
	request.addHeader("Forwarded", "host=192.168.0.1");

	OAuth2AuthorizationRequest authorizationRequest = this.resolver.resolve(request);
	assertThat(authorizationRequest.getRedirectUri()).isNotEqualTo(
			clientRegistration.getRedirectUriTemplate());
	assertThat(authorizationRequest.getRedirectUri()).isEqualTo(
			"http://192.168.0.1/login/oauth2/code/" + clientRegistration.getRegistrationId());
}

[jgrandja]

@mhyeon-lee Thank you very much for your recent contributions!

As an FYI, the recommended approach to handle X-Forwarded-* headers is to use the ForwardedHeaderFilter.

Please see these resources for more detail.

Forwarded headers
Centralize handling of "Forwarded" headers to ForwardedHeaderFilter

Additional Resources for configuration

Proxy Server Configuration
Running Behind a Front-end Proxy Server

Does this make sense?

[mhyeon-lee]

Centralize handling of "Forwarded" headers to ForwardedHeaderFilter

I did not know if there was a ForwardedHeaderFilter.
Will the filterChain following the ForwardedHeaderFilter no longer care about the Forwarded header?

I think this filter is very useful if I understand what is right.
Thank you for letting me know.

If you do not need to proceed with this issue any further, you may close it with #5536 PR.

[jgrandja]

@mhyeon-lee

Will the filterChain following the ForwardedHeaderFilter no longer care about the Forwarded header?

The ForwardedHeaderFilter will wrap the request and adapt the required methods to account for the X-Forwarded-* headers. So when the request arrives to the DefaultOAuth2AuthorizationRequestResolver than the redirectUri will be built using the X-Forwarded-* headers because the wrapped request will return the forwarded headers.

Take a look at the javadoc and source for ForwardedHeaderFilter along with the resources I sent in the previous commit.

I'm going to close this issue and associated PR as the ForwardedHeaderFilter is the solution for this issue.

Thanks again for your contribution!

[ericis]

I'm going to try this out... I just submitted a related issue as a question to StackOverflow:
https://stackoverflow.com/questions/51404552/spring-boot-oauth-always-redirecting-to-http-ibm-cloud-cf-spring-boot-2

Sample project: https://github.com/ericis/oauth-cf-https-issue

... I'll report if proposed solution from @jgrandja works for me.

[ericis]

Worked! https://github.com/ericis/oauth-cf-https-issue

I added a basic flag in the example to turn off https (e.g. localhost) using a local Spring Profile.

	@Bean
	FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
		
	    final FilterRegistrationBean<ForwardedHeaderFilter> filterRegistrationBean = new FilterRegistrationBean<ForwardedHeaderFilter>();
	    
	    filterRegistrationBean.setFilter(new ForwardedHeaderFilter());
	    filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
	    
	    return filterRegistrationBean;
	}