OAuth2AuthorizationRequestRedirectFilter redirect should support Ajax request #6638
@xyting Please provide more information as I don't quite understand what you are trying to achieve. NOTE: Exposing the Please provide detailed information on the oauth client you need to configure and the flow / use case you are trying to achieve.
@jgrandja Thanks for your reply!
Static Resources, such as SPA, hosted in Nginx
Loading Data by AJAX Request
Because all the data loading by AJAX request, and then Nginx request RESTful API servers to get data, RESTful API using
@xyting Diagrams do not provide the detailed information that I need to help you troubleshoot. In the future, it would be very helpful if you could provide a complete and minimal sample that reproduces the issue and share it via a GitHub repository. This will allow us to efficiently troubleshoot and help resolve the issue. The sample should contain the minimum amount of code to reproduce the issue along with detailed steps on how to reproduce. Having said that, the main purpose of the I'm going to close this issue as
Recently, I read the source code. I know what you say. However, if have an
This seems to be a separate issue? Please keep issues separate going forward. Looks like you need to configure the
@jgrandja Thanks!
@jgrandja I bump into the same issue as @xyting I did not use customized RedirectStrategy, but use google OpenIDC IdP with OAuth2Login Sample. After tracing the code a little bit, and found the request matcher logic in
The
Then the AJAX call to data will simply get 401 instead of a redirect, which the browser will block since it will be a cross-domain redirect.
maybe the following will be better:
I've just run into this as well. Let me explain my use case.
Let's suppose for a second that it would work, then the process would be the following
Note: at this point I encountered #6374, but fortunately
@jgrandja For now I have to copy paste Many thanks!
@laszlocsontos I think it makes more sense to edit the
Thanks @rwinch for your suggestion and although #6812 seems similar, I don't have that problem, because I've already added There are basically three parts of the OAuth2 process.
Now that we have the big picture, suppose that we have an SPA and a completely stateless back-end with no session management. The SPA calls every endpoint (even
1) The problem is that
All that said, this would be the expected behaviour of
@laszlocsontos I also solve this by providing a custom http.exceptionHandling().authenticationEntryPoint(AjaxSupportedAuthenticationEntryPoint())
@xyting I've already got a custom Could you please elaborate a bit more on how you've successfully integrated the OAuth2 flow with a single page app?
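A worked version of the approach in the comment above, written for this page as an added example and not code from the thread or from Spring Security itself: an AuthenticationEntryPoint that answers XHR callers with a 401 and the authorization URL in a JSON body, while ordinary browser navigation still gets the standard 302 to the authorization endpoint. The class names AjaxAwareAuthenticationEntryPoint and AjaxSecurityConfig, the single Google client registration and the /oauth2/authorization/google URL are assumptions; XHR detection relies on the X-Requested-With header, which the SPA has to send (fetch does not add it by default).

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

/** Entry point invoked when an unauthenticated request reaches a protected resource. */
class AjaxAwareAuthenticationEntryPoint implements AuthenticationEntryPoint {

    // Assumption: the SPA marks its XHR/fetch calls with this header
    private static final RequestHeaderRequestMatcher XHR =
            new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");

    private final String authorizationUri;
    private final AuthenticationEntryPoint browserEntryPoint;

    AjaxAwareAuthenticationEntryPoint(String authorizationUri) {
        this.authorizationUri = authorizationUri;
        // Plain browser navigation keeps the usual 302 to the authorization endpoint
        this.browserEntryPoint = new LoginUrlAuthenticationEntryPoint(authorizationUri);
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException, ServletException {
        if (XHR.matches(request)) {
            // An XHR would follow a 302 to the IdP itself and fail on the cross-origin hop,
            // so hand the SPA the URL and let it navigate the browser there (window.location)
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentType("application/json");
            response.setHeader("Cache-Control", "no-store");
            // authorizationUri is a fixed configuration value, so no JSON escaping is needed here
            response.getWriter().write("{\"redirectUrl\":\"" + authorizationUri + "\"}");
            return;
        }
        browserEntryPoint.commence(request, response, authException);
    }
}

@EnableWebSecurity
class AjaxSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .exceptionHandling()
                // Assumption: Google is the only registered client, so its authorization URI is the login target
                .authenticationEntryPoint(new AjaxAwareAuthenticationEntryPoint("/oauth2/authorization/google"))
                .and()
            .oauth2Login();
    }
}
```

The SPA reads redirectUrl from the 401 body and assigns it to window.location, so the actual trip through the authorization endpoint is still a top-level browser navigation, which is what the Authorization Code flow expects; only the decision to start it moves to the client.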
@laszlocsontos It can be challenging integrating a SPA with You mention that your app is completely stateless, however, this is not actually true. After you authenticate with Spring Security, there is an authenticated session and therefore an Having the ajax client initiate the authorization request
It would be quite complicated to implement this with ajax and quite honestly I don't think it's even possible without introducing unnecessary complexity into the mix. My suggestion is to implement your setup like this:

```java
http
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .oauth2Login()
        .loginPage("/oauth2/authorization/google")
    ...
```

The end-user agent (browser) is in control here (not ajax), which is how Authorization Code Grant and OpenID Connect are designed.

```java
http
    .authorizeRequests()
        .anyRequest().authenticated()
        .and()
    .oauth2Login()
        .loginPage("/oauth2/authorization/google")
        .defaultSuccessUrl("/the-page-that-delivers-spa")
    ...
```

After user is redirected to
Yes @jgrandja, it's challenging indeed. :)
I've actually disabled that with
Yeah, currently I couldn't achieve that with Spring Security's OAuth2 support indeed, but it would be possible to that with minimal engineering effort I believe. I'll explain below.
After trying to figure this out for quite a few days, I can say that there are two issues to solve which now prevents Spring Security's OAuth2 support from being a fully SPA friendly. 1) Unable to customize You tell Google (or whatever OAuth2) provider that your I've setup The problem is that
Suggestion: If you used a the 2) Yeah, I know there's redirect is in its name after all. :) If I could customize
Suggestion: You could expose that
The reason I'm doing this is because using the
Okay, so how do I make that redirect? Should
That was the argument against using implicit grants. JWTs cannot be revoked, if it's stolen all bets are off.
That kind of defeats the purpose of designing a stateless app and requires other strategies for handling possible CSRF attacks.
That's another round-trip for authentication. All that said, using I think Spring Security could be a bit more SPA friendly so that folks can build completely stateless apps with it. For the time being I'll be going with the second option, that is, will set a
@laszlocsontos I didn't really get a response from you regarding my comments/suggestions. Based on your comments it seems to me that you're doing things differently than how OpenID Connect is designed to work. FYI, there have been a few SPA implementations using Please try the suggestion I have provided to re-configure your application setup. If you're still having issues then the next step is to provide a minimal sample with detailed steps on how to get up and running. Please see https://stackoverflow.com/help/mcve for what the expectation is for a minimal sample. It's much more efficient this way rather than having longer dialogue that can easily get lost in translation.
@xyting @laszlocsontos We discovered a bug and the fix has been applied. It may fix the issue you are having. Please see this comment for more details.
@jgrandja Thanks
@jgrandja My team is migrating from Spring Security OAuth 2.5 to Spring Security 5. Previously we were leveraging the capability to set a custom
This capability is available. Please review the reference documentation on Customizing the Authorization Request.
@jgrandja Oh, I'm dumb, totally missed that. Thank you!
Workaround for setting a custom redirection strategy by

CustomAuthorizationRedirectFilter.java

```java
import java.io.IOException;
import java.lang.reflect.Field;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import lombok.SneakyThrows;
import org.springframework.security.oauth2.client.web.AuthorizationRequestRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthorizationRedirectFilter extends OAuth2AuthorizationRequestRedirectFilter {

    @SneakyThrows // NoSuchFieldException / IllegalAccessException from the reflection below
    public CustomAuthorizationRedirectFilter(
            OAuth2AuthorizationRequestResolver authorizationRequestResolver,
            AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository
    ) {
        super(authorizationRequestResolver);
        super.setAuthorizationRequestRepository(authorizationRequestRepository);
        // Reflection hack to overwrite the parent's private final redirect strategy;
        // it breaks if the field is renamed in a later Spring Security release
        RedirectStrategy customStrategy = new CustomStrategy();
        Field field = OAuth2AuthorizationRequestRedirectFilter.class.getDeclaredField("authorizationRedirectStrategy");
        field.setAccessible(true);
        field.set(this, customStrategy);
    }

    // Instead of a 302, answer 200 with the authorization URL in a JSON body
    // so the SPA can navigate the browser to it itself
    private static class CustomStrategy implements RedirectStrategy {
        @Override
        public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
            response.setStatus(HttpServletResponse.SC_OK);
            response.setContentType("application/json");
            response.getWriter().write("{ \"redirectUrl\": \"%s\" }".formatted(url));
        }
    }
}
```

SecurityConfig.java

```java
import lombok.AllArgsConstructor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.stereotype.Component;

@Component
@AllArgsConstructor
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final CustomAuthorizationRedirectFilter customRedirectFilter;

    @Override
    protected void configure(HttpSecurity httpSecurity) {
        // Runs ahead of the default filter; for a matching /oauth2/authorization/{registrationId}
        // request it writes the JSON response and does not continue the chain, so the
        // default filter never sees that request.
        // Note: in Spring Boot a Filter bean is also registered with the servlet container;
        // a FilterRegistrationBean with setEnabled(false) avoids that second registration.
        httpSecurity
            .addFilterBefore(this.customRedirectFilter, OAuth2AuthorizationRequestRedirectFilter.class);
    }
}
```
Summary
I need OAuth2AuthorizationRequestRedirectFilter redirect to support Ajax requests.

Background
Previously, using the spring-security-oauth2 jar, I could provide a custom RedirectStrategy to support Ajax requests. Currently, I am updating my code to use spring-security-oauth2-client, and one issue is that OAuth2AuthorizationRequestRedirectFilter cannot take a custom RedirectStrategy:

private final RedirectStrategy authorizationRedirectStrategy = new DefaultRedirectStrategy();

Version
5.1.4.RELEASE