Disable redirect to oauth2/authorization/{registrationId} in oauth2 flow?

[SMakhrov]

Hi!
Is it possible to disable redirect to oauth2/authorization/{registrationId} in oauth2 flow?
I have following properties for oauth2 flow in Spring Cloud Gateway, but nowhere I didn't specify url oauth2/authorization/{registrationId}:

security:
    oauth2:
      client:
        registration:
          smart_hub_client:
            provider: wso2is
            client-id: gateway
            client-secret: secret
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/redirect_uri"
            scope: openid
        provider:
          wso2is:
            authorization-uri: http://localhost:8090/uaa/oauth/authorize
            token-uri: http://uaa:8090/uaa/oauth/token
            user-info-uri: http://uaa:8090/uaa/userinfo
            user-name-attribute: sub
            jwk-set-uri: http://uaa:8090/uaa/token_keys

But I see it in my request chain:

The Request URL from screenshot is here: https://uaa:8090/oauth2/authorization/smart_hub_client

[eleftherias]

Hi, @SMakhrov. I saw your SO post, please avoid cross-posting support requests. StackOverflow is a great place for help, and team members all allocate dedicated time to be on there answering questions. Posting there will make it clearer for community members who run into similar issues.

For reference, here is the origin SO post: https://stackoverflow.com/questions/65136895/disable-redirect-to-oauth2-authorization-registrationid-in-oauth2-client-flow

[SMakhrov]

@eleftherias, after investigation with colleagues it looks like bug.

Initial conditions:
Origin resource: https://origin
Spring Cloud Gateway as reverse proxy: https://gateway
OAuth2 server (WSO2): https://authserver

I have pure Spring Cloud Gateway and only this config:

application.yaml

server:
  port: 80
spring:
  cloud:
    gateway:
      default-filters:
        - TokenRelay
      routes:
        - id: root
          uri: https://origin
          predicates:
            - Path=/**
          filters:
            - RemoveRequestHeader=Cookie

  security:
    oauth2:
      client:
        registration:
          smart_hub_client:
            provider: wso2is
            client-id: myclientid
            client-secret: mysecret
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/redirect_uri"
            scope: sso,openid
        provider:
          wso2is:
            authorization-uri: https://authserver/oauth2/authorize?loginPage=login.jsp
            token-uri: https://authserver/oauth2/token
            user-info-uri: https://authserver/oauth2/userinfo
            user-name-attribute: sub
            jwk-set-uri: https://authserver/oauth2/jwks 

Additional info - https://authserver (WSO2) has registered callback for gateway (Spring Cloud Gateway): https://gateway/redirect_uri

Expected behaviour:

1. Request to https://gateway/index.html [Request for target page]
2. Redirect to https://gateway/login.html [Login page]
3. Entering credentials
4. Redirect to https://authserver/oauth2/authorize?sessionDataKey=1395e077-fd53-4bf2-b687-62b99cbe4ba9 [Request for auth code]
5. Redirect to https://gateway/redirect_uri?code=3c073c5b-7053-3c51-b596-703a1a05a94f&state=whFXtmq6A_CFNutF5lF3ra5AC_uV9XUj8C1lW7EBqXU%3D&session_state=e24c580be6437c9f54e13eb34292201baed1de2387e5738530a3f4f5378248ee.xX-bQwyQ0ixMZPaB5hEAoQ [Request for token]
6. Response with 200 on page https://gateway/index.html [Return of target page]

Actual behaviour:

1. Request to https://gateway/index.html [Request for target page]
2. Redirect to https://gateway/login.html [Login page]
3. Entering credentials
4. Redirect to https://authserver/oauth2/authorize?sessionDataKey=1395e077-fd53-4bf2-b687-62b99cbe4ba9 [Request for auth code]
5. Redirect to https://gateway/redirect_uri?code=3c073c5b-7053-3c51-b596-703a1a05a94f&state=whFXtmq6A_CFNutF5lF3ra5AC_uV9XUj8C1lW7EBqXU%3D&session_state=e24c580be6437c9f54e13eb34292201baed1de2387e5738530a3f4f5378248ee.xX-bQwyQ0ixMZPaB5hEAoQ [Request for token]
6. Redirect to https://gateway/oauth2/authorization/smart_hub_client [What is it ???]
7. Redirect to https://authserver/oauth2/authorize?loginPage=login.jsp&response_type=code&client_id=NyNzZ6xfutKJRxorF8nexiQ4A5ga&scope=sso%20openid&state=rj2PJ-hnQHs5icXj5jW6FUANMRY07_kWrRUpG3jCQJk%3D&redirect_uri=https://gateway/redirect_uri&nonce=Yov17acl7Kt_S_FQqd2Cl-Tm2_IMFknfwuqVTGf4Zys [Something went wrong after 6]
   Eternal cycle with repeating from 5 to 7.

@eleftherias , @jgrandja, @rwinch , @jzheaux , anyone, please help.

[SMakhrov]

I guess the problem might be in incorrect state=whFXtmq6A_CFNutF5lF3ra5AC_uV9XUj8C1lW7EBqXU%3D .
Part with %3D may fail all flow and we have incorrect state at every request. Because this we probably have infinite loop. %3D it's actually url encoded symbol '='. Why Spring is adding this symbol to state?