Summary
OAuth 2 Autoconfigurer doesn't take into account the preflight requests sent by browsers typically before requests with Authorization header.
Actual Behavior
The browser sends a request with method OPTIONS with some Access-Control-Allow-* headers. Even though the request has been set up for HTTP Basic authentication, this preflight request doesn't have this yet.
Because of this, Spring Security falsely responds with a 401 status and the message "access-denied".
Expected Behavior
The browser sends a request with method OPTIONS with some Access-Control-Allow-* headers. Even though the request has been set up for HTTP Basic authentication, this preflight request doesn't have this yet.
Spring Security realises that this is only a preflight request and responds with a status code of 200, allowing the browser to continue with the real request.
Configuration
The configuration comes from org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure. More specifically, from class org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerSecurityConfiguration:89, where only the fullyAuthenticated option is passed and there is no exception set for when a preflight request arrives.
Version
The version is: org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.8.RELEASE
I tried implementing a workaround, where I register a filter checking for preflight requests, which solves the immediate problem of these kinds of requests resulting in a 401 Unauthorized status.
However, in order for it to have an effect, I need to set the highest precedence on the configuration bean. This, however, hijacks the request from the desired filter chain as well, resulting in all kinds of errors along the way when the browser sends the real authentication request.
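Added example (my own code, not the reporter's sample repository and not part of Spring Security OAuth or the Boot autoconfigurer): it shows the two places where a CORS preflight can be answered before the HTTP Basic filter and the fullyAuthenticated rule ever see it, without registering a separate highest-precedence filter chain that would capture the real request too. Assumptions: the origin https://app.example.test and the /rest/** path pattern are constructed placeholders, the application runs on the Spring Boot 2.1 / Spring Security 5.1 generation of APIs, and, as I understand spring-security-oauth2, addTokenEndpointAuthenticationFilter places the given filter ahead of the Basic authentication filter on the token endpoint chain.

```java
// Added example, not from the reporter's sample project or from spring-security-oauth2.
// Two chains are shown: the application's own (WebSecurityConfigurerAdapter) and the
// authorization server's token endpoint chain (AuthorizationServerConfigurerAdapter).
// "https://app.example.test" and "/rest/**" are constructed placeholders.
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.CorsUtils;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

@Configuration
public class CorsPreflightConfig {

    /** One explicit CORS policy, shared by both filter chains. */
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        // Keep the origin list explicit. "*" combined with allowCredentials(true) is rejected
        // by browsers, and a broad list would let any site drive the token endpoint with the
        // user's stored credentials.
        cfg.setAllowedOrigins(Arrays.asList("https://app.example.test")); // placeholder origin
        cfg.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS"));
        cfg.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        cfg.setAllowCredentials(true);
        cfg.setMaxAge(3600L); // browser may cache the preflight verdict for an hour

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/rest/**", cfg); // placeholder path pattern
        return source;
    }

    /**
     * Application chain: http.cors() inserts CorsFilter before BasicAuthenticationFilter, and
     * the explicit permitAll for preflights keeps an OPTIONS request from ever being evaluated
     * against fullyAuthenticated.
     */
    @Configuration
    @EnableWebSecurity
    public static class WebSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .cors().and() // uses the corsConfigurationSource bean above
                .authorizeRequests()
                    .requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
                    .anyRequest().fullyAuthenticated()
                    .and()
                .httpBasic();
        }
    }

    /**
     * Authorization server chain: a CorsFilter registered through the configurer answers the
     * preflight itself and does not forward it down the chain, so the Basic filter never
     * produces the 401 described above. Supplying this adapter also makes the Boot
     * autoconfigured authorization server configuration back off.
     */
    @Configuration
    @EnableAuthorizationServer
    public static class AuthServer extends AuthorizationServerConfigurerAdapter {
        private final CorsConfigurationSource corsSource;

        public AuthServer(CorsConfigurationSource corsSource) {
            this.corsSource = corsSource;
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) {
            security.addTokenEndpointAuthenticationFilter(new CorsFilter(corsSource));
        }
    }
}
```

The point of handling the preflight inside the existing chains rather than in a separate, highest-precedence chain is that only the OPTIONS request is short-circuited; the subsequent request carrying the Authorization header still flows through the Basic authentication filter and the fullyAuthenticated rule unchanged. When verifying, an OPTIONS request with Origin and Access-Control-Request-Method headers should come back 200 with Access-Control-Allow-Origin echoing only the configured origin, while a request from any other origin should receive no CORS headers at all.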
@rolaca11 Please do not double post. This issue should have originally been logged to the Spring Security OAuth project. Closing in favour of spring-security-oauth#1749
Sample
https://bitbucket.org/rolaca11/spring-security-sample/
In this project, the /rest/oauth/token resource should be queried.