I'm trying to reach a Spring Boot API hosted on a server with my Angular application, but I have some CORS issues.
CORS Error in the console
Redirection Flow
I tried several things, I added my URLs in both keycloak and Spring, and I think I found the origin of the problem but can't seems to resolve it.
I believe the problem comes from the fact that keycloak redirects to http://user-service.cubetech-app.fr/sso/login instead of the HTTPS version of that url. I read that when the browser detect a redirection on a different hostname it change the Origin header to null, and I think this is what creates the CORS error.
I don't know how to force HTTPS on the internal redirection.
For further informations, my spring backend and my keycloak server are hosted on my VPS, in a docker, and behind a traefik reverse-proxy that enables HTTPS with Let's Encrypt.
Check the webOrigins value of the client you use in Keycloak.
Realm settings-> clients -> {your client}
Related
I‘m not new in either Spring boot or Spring Security but I am in Spring Authentication‘s Server.
Description
I have tree apps:
a spring boot backend,
a flutter frontend and
a Keycloak for authentification.
The Backend has only one login method, that is oauth2 and is client of Keycloak. The login method for the Backend is already implemented and is working, using Authorization code.
The flutter should also log into the Backend using Authorization code, but this part is not yet implemented.
The Backend is the part I‘m responsible of and the workflow should be following:
The user on Flutter tries to login
The Flutter App then requests login from Backend App
Backend App, as an authorization server with only one login method which is Keycloak, redirects the user to Keycloak.
The first authentification and authorization happens on Keycloak.
The Keycloak redirect the user on the Backend.
The Backend finds out who the user is and authorizes him.
The Backend redirect the user to Flutter‘s scheme and then flutter open (or continue).
The Flutter calls the Backend to get tokens.
Now my question is how should I configure the Backend, so that it behaves as Authorization‘s server?
This I what I‘ve tried.
I‘ve used the newly created spring-authorization-server. So my SecurityFilterChain already contains:
…
http
.oauth2Login(withDefaults())
…
Now my backend is resource server for itself and client of itself (I can‘t dissociate it now). So I‘m thinking of
adding .oauth2ResourceServer with the configuration of this same server for verifying the tokens I will issue, and
adding .oauth2Client with again the configurations pointing to this server, for the Flutter app being able to login.
Now I don‘t know how to turn my backend into Autorization server, and to be more precise, how to turn on authorization code for user login.
Thanks for reading. Any help would be appreciated.
I have a spring boot application integrated with Azure AD SAML login. I have followed this sample to achieve this. It works fine in localhost but on deployment to a prod url, it keeps giving below error
the redirect uri that I see in the authorization request URL starts with http. This is contradictory because Azure App Registration does not allow to configure any non https URLs and only exception is localhost.
In order to match URLs, I tried editing App Registration's manifest in Azure portal to make it http. Now, it seems URLs match but then I get below error:
I have also tried setting https URL both on azure portal and application.properties using "azure.activedirectory.redirect-uri-template" as mentioned in stack overflow post here but that also does not work.
I have also gone through this post but that also didn't help.
Any help would be much appreciated.
In order to solve the error of redirecting to https but the redirect_uri in request still starts with http, there are two similar issues:
1. The HTTPS requests terminate at the proxy and the proxy then uses HTTP protocol to communicate to your Tomcat server. You will face this if you deploy your code on cloud providers like App Service. Answer is here.
In application.properties:
security.oauth2.client.pre-established-redirect-uri=https://yourappurl.net/login
security.oauth2.client.registered-redirect-uri=https://yourappurl.net/login
security.oauth2.client.use-current-uri=false
server.tomcat.remote-ip-header=x-forwarded-for
server.tomcat.protocol-header=x-forwarded-proto
server.tomcat.use-relative-redirects=true
server.use-forward-headers=true
server.tomcat.internal-proxies=.*
2. Add server.forward-headers-strategy=native in applications.properties. Answer is here. For more about this setting, see here.
I have an Angular App with a Spring Boot Backend. I use "azure-active-directory-spring-boot-starter" for the authentication via Azure AD. Everything works fine locally.
After the successful external (azure) login "https://local.../login/oauth2/code/azure?code=..." is called.
The request headers on this request contain authorization cookies from azure and the response header contains two "set-cookie"-entries: JSESSIONID, XSRF-TOKEN
After that request the user is logged in as expected.
With the production setup however it seems, that cookies are not set successfully.
The application runs on a Tomcat 9 behind a apache reverse proxy. The azure login itself is successful.
Also the request headers contain the two cookies, however "set-cookie" is not set. Any ideas how to solve this?
This is Spring MVC application and host on Heroku which has valid ssl certificate.
When I click on the following link from the spring mvc web application
https://www.website.com/auth/facebook
It redirects to this link
https://www.facebook.com/v2.5/dialog/oauth?client_id=1234567890&response_type=code&redirect_uri=http%3A%2F%2Fwww.website.com%2Fauth%2Ffacebook&scope=email&state=62b62bad-f8c8-44a3-bacf-a13ce12dfcce
In this, redirect_uri takes http instead https. How to forced https to redirect_uri?
I have followed the solution mentioned in this question
Spring OAuth redirect_uri not using https
and created following file but it didn't work.
The application.propeties file contains
server.tomcat.remote-ip-header=X-Forwarded-For
server.tomcat.protocol-header=X-Forwarded-Proto
server.use-forward-headers=true
security.oauth2.client.pre-established-redirect-uri=https://www.website.com/login
security.oauth2.client.registered-redirect-uri=https://www.website.com/login
security.oauth2.client.use-current-uri=false
If you are using .net core application then in Configure Method at Startup.cs file add the following line of It should be work.
app.Use((context, next) =>
{
if (context.Request.Headers["x-forwarded-proto"] == "https")
{
context.Request.Scheme = "https";
}
return next();
});
Go to Facebook Developer, Below Products tab go to Facebook login
Make sur Enfore https is set to yes
Then in valid oauth reidrect url add https urls
Change your site Url to https:
and I am really surprised how Facebook redirects you to http!
From 1st may all the redirects should redirected to https. Even in your localhost, you need to create a self-signed certificate to get facebook login working.
I have a spring app running on tomcat and I've set up two connectors 8080 and 8443. I use 8443 for authentication and 8080 for the application. After authentication JSESSIONID is added with secure notation and thus it's not available in HTTP.
How can I create two types of authentication when authenticating with HTTPS so that HTTP would also be authenticated. I set my authentication with:
SecurityContextHolder.getContext().setAuthentication(authentication);
This should work out of the box. The session cookie that's set is shared for http & https. Examine the cookie and verify if the domain, path & protocol are correctly set. Also you should verify your spring security configuration. Example here
Also you should really be using only https instead of serving any content through http - the overhead is insignificant while giving a big security benefit.
You can not do it and it has nothing to do with Tomcat.
The issue is the browser will not send the same cookies that it was using for HTTPS to the HTTP URL. You will have to login twice. You could potentially do some very nasty things to somewhat accomplish this (like allowing session ids in the URL and/or some javascript to perform some autologin) but I highly recommend you do not do that.
The only solution I can see to make this work safely might be to use SAML single sign-on. Otherwise you really should serve everything you want authorization for under HTTPS (ie requires login).