
Add scheme/protocol variable for OAuth2 redirectUriTemplate #6239

Closed
zeratul021 opened this issue Dec 5, 2018 · 10 comments

Comments

@zeratul021 commented Dec 5, 2018

Currently most of us use the default redirect URL:

```
{baseUrl}/{action}/oauth2/code/{registrationId}
```

These variables are populated in DefaultOAuth2AuthorizationRequestResolver#expandRedirectUri.

Due to our platform setup and constraints we need all our redirect URIs to start with https://.
We would like to reuse the default URL but change only the protocol part.

Suggestion: add variables scheme, serverName and serverPort (naming aligned with ServletRequest) for redirect URI templating.

@rwinch (Member) commented Dec 6, 2018

@zeratul021 Thanks for reaching out!

Since you want the URL to be https, I assume your application accepts https connections? If so, you could force a redirect to https using

```java
http
    // ...
    .requiresChannel()
        .anyRequest().requiresSecure()
```

Then the redirect would always be https.

It also seems that it is likely if you are overriding the scheme you would need to override the port. Does that sound accurate?

@zeratul021 (Author) commented Dec 7, 2018

@rwinch no problem.
The thing is our actual Spring Boot applications have to run on http only because they are deployed in a custom CloudFoundry installation with TLS termination.

Our OAuth2 providers require strict 1:1 redirect URI matching and some of them require https-only scheme.

So in our setups, when a user comes in over the http scheme I want them to be redirected to the https scheme after a successful OAuth2 login.

My intention with the new variables would be to help us throw out this kind of config:

```yaml
redirect-uri: '${app.server-url}/login/oauth2/code/{registrationId}'
```

for:

```yaml
redirect-uri: 'https://{serverName}/login/oauth2/code/{registrationId}'
```

I'm open to different approaches though!

@rwinch (Member) commented Dec 11, 2018

It seems like you would then want to ensure you have set up your server properly for a proxy server. If that is done, then the default behavior will work for you.

Have you looked at https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server and https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server

@zeratul021 (Author) commented Dec 11, 2018

1. I'm not sure if I need to configure anything extra, as TomcatWebServerFactoryCustomizer detects the CloudFoundry platform and enables useForwardHeaders (not sure about tomcat.internal-proxies).
2. Could you please elaborate (if it's too verbose we might switch to discord/slack/etc) on how the default behaviour would work for the given problem: a user coming over http://app.com/login, being redirected to SSO, being redirected to the ?default? redirect URI and ending up at https://app.com/ ?
@rwinch (Member) commented Dec 12, 2018

Spring Security uses the scheme that is returned by HttpServletRequest. If you configure the proxy settings correctly, then HttpServletRequest will report that it was sent over https even if you are using SSL termination.

One thing that typically causes issues is that Tomcat's support only works if the internal proxy matches the default regex. You can configure `server.tomcat.internal-proxies=.*` to see if that helps.

@zeratul021 (Author) commented Jan 14, 2019

Hello @rwinch, sorry for the delay.

I checked our forwarding setup and it's working in our case.

However, what I'm trying to do is, irrespective of what scheme the user originally used to access the CloudFoundry/standalone app, I want them to be redirected to the secure (https) scheme after successful OAuth2 authentication.

Currently I'm doing that by providing a redirect-uri with a hardcoded server url using the https scheme:

```properties
app.server-url=https://myapp.com
security.oauth2.client.registration.mwasso.redirect-uri='${app.server-url}/login/oauth2/code/{registrationId}'
```

I would like to use just the server name if the scheme variable were extracted, like this:

```properties
security.oauth2.client.registration.mwasso.redirect-uri='https://{serverName}/login/oauth2/code/{registrationId}'
```

Does that make sense to you?
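The outcome discussed in this thread (an authorization request whose redirect URI always uses https and the external port, regardless of the scheme the app itself was reached on) can be achieved without new template variables by decorating the default resolver. The following is an added example, not code from the issue or from the Spring Security project, written against the Spring Security 5.1 API current at the time of the thread: `HttpsRedirectUriResolver`, `HttpsRedirectUriSecurityConfig` and the decision to drop the port (assuming the TLS terminator listens on 443) are this example's own assumptions. `requiresChannel()` is the option @rwinch gave above; it only works if forwarded headers are honoured, and `server.tomcat.internal-proxies=.*` makes Tomcat trust `X-Forwarded-*` from any client, so in production it should match only the address range of the load balancer.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.web.util.UriComponentsBuilder;

// Hypothetical configuration class (assumption, not part of the issue or of Spring Security).
@Configuration
public class HttpsRedirectUriSecurityConfig extends WebSecurityConfigurerAdapter {

    private final ClientRegistrationRepository clientRegistrationRepository;

    public HttpsRedirectUriSecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Force https for every request (relies on correct proxy/forwarded-header setup
            // when TLS is terminated in front of the app).
            .requiresChannel()
                .anyRequest().requiresSecure()
                .and()
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .authorizationEndpoint()
                    // Replace the default resolver with one that rewrites the redirect URI.
                    .authorizationRequestResolver(httpsRedirectUriResolver());
    }

    private OAuth2AuthorizationRequestResolver httpsRedirectUriResolver() {
        // "/oauth2/authorization" is the default authorization request base URI.
        OAuth2AuthorizationRequestResolver defaultResolver =
            new DefaultOAuth2AuthorizationRequestResolver(
                this.clientRegistrationRepository, "/oauth2/authorization");
        return new HttpsRedirectUriResolver(defaultResolver);
    }

    // Decorator: let the default resolver expand {baseUrl}/{action}/oauth2/code/{registrationId},
    // then pin the scheme of the resulting redirect URI to https.
    static final class HttpsRedirectUriResolver implements OAuth2AuthorizationRequestResolver {

        private final OAuth2AuthorizationRequestResolver delegate;

        HttpsRedirectUriResolver(OAuth2AuthorizationRequestResolver delegate) {
            this.delegate = delegate;
        }

        @Override
        public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
            return forceHttps(this.delegate.resolve(request));
        }

        @Override
        public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
            return forceHttps(this.delegate.resolve(request, clientRegistrationId));
        }

        static OAuth2AuthorizationRequest forceHttps(OAuth2AuthorizationRequest authorizationRequest) {
            // The delegate returns null when the request is not an authorization request.
            if (authorizationRequest == null || authorizationRequest.getRedirectUri() == null) {
                return authorizationRequest;
            }
            String httpsRedirectUri = UriComponentsBuilder
                .fromUriString(authorizationRequest.getRedirectUri())
                .scheme("https")
                // Drop any internal port (e.g. 8080) so the URI matches the provider's
                // registered https://host/... value; assumes the TLS terminator is on 443.
                .port(-1)
                .build()
                .toUriString();
            // OAuth2AuthorizationRequest is immutable; copy it with the rewritten redirect URI.
            return OAuth2AuthorizationRequest.from(authorizationRequest)
                .redirectUri(httpsRedirectUri)
                .build();
        }
    }
}
```

Because the provider performs strict 1:1 matching, the value produced by `forceHttps` must be byte-for-byte the one registered with the provider; if the external port is not 443, set it explicitly instead of clearing it.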

@rwinch (Member) commented Jan 14, 2019

@zeratul021 Yes it does make sense to me. We would need to figure out how to handle the port too.

cc @jgrandja

@zeratul021 (Author) commented May 16, 2019

@rwinch has there been any discussion or triaging done between you guys?
Thanks for the update!

@rwinch (Member) commented May 17, 2019

Thanks for the nudge @zeratul021! Is this something you could provide a PR for?

@zeratul021 (Author) commented May 18, 2019
