
OAuth 2 Autoconfiguration 401 Error for preflight request #7444

Closed
rolaca11 opened this issue Sep 16, 2019 · 3 comments
Labels: for: external-project (For an external project and not something we can fix)

Comments

rolaca11 commented Sep 16, 2019

Summary

OAuth 2 Autoconfigurer doesn't take into account the preflight requests sent by browsers typically before requests with Authorization header.

Actual Behavior

The browser sends a request with method OPTIONS with some Access-Control-Allow-* headers. Even though the request has been set up for HTTP Basic authentication, this preflight request doesn't have this yet.

Because of this, Spring Security falsely responds with a 401 status and the message "access-denied".

Expected Behavior

The browser sends a request with method OPTIONS with some Access-Control-Allow-* headers. Even though the request has been set up for HTTP Basic authentication, this preflight request doesn't have this yet.

Spring Security realises that this is only a preflight request and responds with a status code of 200, allowing the browser to continue with the real request.

Configuration

The configuration comes from the org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure. More specifically, from class org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration:89, where only the fullyAuthenticated option is passed and there is no exception set for when a preflight request arrives.

Version

The version is: org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.8.RELEASE

Sample

https://bitbucket.org/rolaca11/spring-security-sample/
In this project, the /rest/oauth/token resource should be queried.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 16, 2019
rolaca11 (Author) commented:

I tried implementing a workaround, where I register a filter checking for preflight requests, which solves the immediate problem of these kinds of requests resulting in 401 Unauthorized status.

However, in order for it to have an effect, I need to set the highest precedence to the configuration bean. This, however, hijacks the request from the desired filter chain as well, resulting in all kinds of errors along the way, when the browser sends the real authentication request.
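
As an added illustration (not code from the reporter's sample project, from spring-security-oauth2-autoconfigure, or from Spring Security), the following is the approach commonly used to answer CORS preflight requests before the security filter chain ever sees them: Spring's own CorsFilter, registered through a FilterRegistrationBean at highest precedence. The difference from a hand-rolled preflight filter is that CorsFilter only short-circuits OPTIONS preflight requests; every other request, including the real POST carrying the Authorization header, is passed on to the filter chain unchanged, so the "hijacking" of the real request described above does not happen. The origin https://app.example.com is an assumed value, and the path pattern /rest/oauth/** is taken from the token resource named in the reporter's sample.

```java
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

/**
 * Registers a servlet-level CORS filter that runs ahead of springSecurityFilterChain.
 * Preflight (OPTIONS) requests for the token endpoint are answered here with 200 and the
 * Access-Control-Allow-* headers, so they never reach the fullyAuthenticated() rule that
 * AuthorizationServerSecurityConfiguration applies to the token endpoint.
 */
@Configuration
public class TokenEndpointCorsConfig {

    @Bean
    public FilterRegistrationBean<CorsFilter> tokenEndpointCorsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // Credentials (the Authorization header) are only allowed for an explicit origin
        // allow-list; a wildcard origin must not be combined with allowCredentials=true.
        config.setAllowCredentials(true);
        config.addAllowedOrigin("https://app.example.com"); // assumed SPA origin
        config.addAllowedHeader("Authorization");
        config.addAllowedHeader("Content-Type");
        // The browser's preflight asks for POST via Access-Control-Request-Method;
        // OPTIONS itself does not need to be listed.
        config.addAllowedMethod("POST");
        config.setMaxAge(600L); // browsers may cache the preflight result for 10 minutes

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Scope the CORS policy to the token endpoint from the sample project;
        // paths without a registered configuration get no CORS headers at all.
        source.registerCorsConfiguration("/rest/oauth/**", config);

        FilterRegistrationBean<CorsFilter> registration =
                new FilterRegistrationBean<>(new CorsFilter(source));
        // Highest precedence places the filter before springSecurityFilterChain.
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }
}
```

With this in place, a preflight from the allow-listed origin receives a 200 with the CORS response headers and is not forwarded down the chain; a preflight from an origin that is not on the allow-list is rejected by the filter with a 403 ("Invalid CORS request") rather than a 401; and a same-origin or non-CORS request passes through untouched, so HTTP Basic authentication on the real token request continues to work as before.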

jgrandja (Contributor) commented:

@rolaca11 Please do not double post. This issue should have originally been logged to the Spring Security OAuth project. Closing in favour of spring-security-oauth#1749.

@jgrandja jgrandja self-assigned this Sep 17, 2019
@jgrandja jgrandja added for: external-project For an external project and not something we can fix and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 17, 2019
rolaca11 (Author) commented:

Sorry, didn't mean to double post. I just found the proper repository after I created this issue and didn't find a close button.



3 participants