Add scheme/protocol variable for OAuth2 redirectUriTemplate

[zeratul021]

Currently most of us use the default redirect URL:

{baseUrl}/{action}/oauth2/code/{registrationId}

These variables are populated in DefaultOAuth2AuthorizationRequestResolver#expandRedirectUri.

Due to our platform setup and constraints we need all our redirect URIs to start with https://
We would like to reuse the default URL but change only the protocol part.

Suggestion: add variables scheme, serverName and serverPort (naming aligned with ServletRequest for redirect URI templating.

[rwinch]

@zeratul021 Thanks for reaching out!

Since you want the URL to be https, I assume your application accepts https connections? If so, you could force a redirect to https using

http
    // ...
    .requiresChannel()
        .anyRequest().requiresSecure()

Then the redirect would always be https.

It also seems that it is likely if you are overriding the scheme you would need to override the port. Does that sound accurate?

[zeratul021]

@rwinch no problem.
The thing is our actual spring boot applications have to run on http only because they are deployed in custom CloudFoundry installation with TLS termination.

Our OAuth2 providers require strict 1:1 redirect URI matching and some of them require https-only scheme.

So in our setups, when user comes from http scheme I want him to be redirected after successful OAuth2 login to https scheme.

My intention with the new variables would help us to throw out this kind of config:

 redirect-uri: '${app.server-url}/login/oauth2/code/{registrationId}'

for:

redirect-uri: 'https://{serverName}/login/oauth2/code/{registrationId}'

I'm open to different approaches though!

[rwinch]

It seems like you would then want to ensure you have setup your server properly for a proxy server. If that is done, then the default behavior will work for you.

Have you looked at https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server and https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server

[zeratul021]

1. I'm not sure if I need to configure anything extra as TomcatWebServerFactoryCustomizer detects CloudFoundry platform and enables useForwardHeaders. (not sure about tomcat.internal-proxies)
2. could you please elaborate (if it's too verbose we might switch to discord/slack/etc) on how the default behaviour would work for the given problem:
   User coming over http://app.com/login, being redirected to sso, being redirected to ?default? redirect URI and ending up at https://app.com/ ?

[rwinch]

Spring Security uses the scheme that is returned by HttpServletRequest. If you configure the proxy settings correctly, then HttpServletRequest will report that it was sent over https even if you are using SSL termination.

One thing that typically causes issues is that Tomcat support only works if the internal proxy matches the default regex. You can configure server.tomcat.internal-proxies=.* to see if that helps.

[zeratul021]

Hello @rwinch , sorry for delay.

I checked our forwarding setup and it's working in our case.

However, what I'm trying to do is, irrespectively of what scheme the user originally used to access the CloudFoundry/standalone app, I want him to be redirected to secure (https) scheme after successful OAuth2 authentication.

Currently I'm doing that by providing redirect-uri with a hardcoded server url using https scheme:

app.server-url=https://myapp.com
security.oauth2.client.registration.mwasso.redirect-uri='${app.server-url}/login/oauth2/code/{registrationId}'

I would like to use just server url if the scheme variable was extracted, like this:

security.oauth2.client.registration.mwasso.redirect-uri='https://{serverName}/login/oauth2/code/{registrationId}'

Does that makes sense to you?

[rwinch]

@zeratul021 Yes it does make sense to me. We would need to figure out how to handle the port too.

cc @jgrandja

[zeratul021]

@rwinch has there been any discussion or triaging done between you guys?
Thanks for the update!

[rwinch]

Thanks for the nudge @zeratul021! Is this something you could provide a PR for?