Missing required UserInfo Uri in UserInfoEndpoint for Client Registration - spring-boot

I am facing with below error while accessing to api within OAuth2.0 credentials.
The examples on Internet containing user-info-uri credential, but I have only authorization-uri and token-uri. How can I successfully connect without user-info-uri ?
Authorization screen is successfully opened, but after that the error is shown:
[missing_user_info_uri] Missing required UserInfo Uri in UserInfoEndpoint for Client Registration: aa-client-1
My application.yml like this :
spring:
security:
oauth2:
client:
registration:
aa-client-1:
client-id: XXXX-XXXXX-XXXX-XXX
client-secret: XXXX-XXXXX-XXXX-XXX
provider: A
scope: A:scope
authorization-grant-type: authorization_code
redirect-uri: http://localhost:8080/login
provider:
A:
authorization-uri: https://someurls/authorize
token-uri: https://someurl/token
I want to login the API without user-info-uri.

Unfortunately, you must provide an user-info-uri if your grant type is authorization_code.
See GitHub discussion and Spring Security Source Code.
Perhaps this workaround may also applicable to your context.

Related

Spring Boot SAML and AWS Cognito

I have a working Cognito app client that utilizes user pool that is wired to use SAML. It accesses Azure AD as IdP. When I click "Launch Hosted UI" it properly redirects me to the login screen and upon authentication attempts to load my callback URL.
Now I want to wire this with a Spring Boot app.
I found this example developed by Joe Grandja that is using spring-security-saml2-service-provider to connect to a simple IdP.
The example is very compelling because all I really need to do is to provide correct configuration that in example provided like this:
spring:
security:
saml2:
relyingparty:
registration:
simplesamlphp:
signing.credentials:
- private-key-location: "classpath:credentials/rp-private.key"
certificate-location: "classpath:credentials/rp-certificate.crt"
identityprovider:
entity-id: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/metadata.php
verification.credentials:
- certificate-location: "classpath:credentials/idp-certificate.crt"
sso-url: https://simplesaml-for-spring-saml.apps.pcfone.io/saml2/idp/SSOService.php
However I'm lost at how to map information available to me from Cognito to these settings? For example values in signing.credentials?
Here's the list of settings I get from Cognito (all keys/names are bogus):
Pool Id: us-west-2_1B1AHf00
Pool ARN: arn:aws:cognito-idp:us-west-2:1234567898:userpool/us-west-2_1B1AHf00
Domain: https://blah-foo.auth.us-west-2.amazoncognito.com
App client: blahfoo-client
App client ID: 1b1l1a2f8oo83456c
Callback URL: http://localhost:8080
Login URL: https://blah-foo.auth.us-west-2.amazoncognito.com/login?client_id=1b1l1a2f8oo83456c&response_type=code&scope=email+openid&redirect_uri=http://localhost:8080
I also have a SAML-formatted file I got back from IdP but that is already plugged into Cognito so why would I put anything from it into the app configuration?
I wonder if part of spring-security-saml2-service-provider is to assemble that login URL and if I can get away with less settings that are given in the example?
Any pointers will be greatly appreciated
The signing.credentials section is if your app needs to sign things like an AuthnRequest. They are credentials that you own.
The items under identityprovider are things that Cognito would provide.
For Spring Boot 2.4+, if Cognito supports a SAML metadata endpoint, then you can provide that and Spring Security will discover the rest:
spring:
security:
saml2:
relyingparty:
registration:
simplesamlphp:
identityprovider:
metadata-uri: classpath:cognito/metadata/file/location
Or, for earlier versions, you can use RelyingPartyRegistrations:
#Bean
RelyingPartyRegistrationRepository registrations() {
String location = "classpath:cognito/metadata/file/location";
RelyingPartyRegistration registration =
RelyingPartyRegistrations.fromMetadataLocation(location)
.build();
return new InMemoryRelyingPartyRegistration(registration);
}
That said, the information that you've posted about Cognito's authentication endpoint appears OAuth-based, especially the Login URL. You may instead consider configuring your app for OAuth 2.0 and pointing at Cognito's OAuth endpoint.
I am posting the solution as a separate answer however credit and accepted answer go to #jzheaux
Basically the comment section provides the much needed hint: Even if you are wiring SAML-based Identity provider you will wire up Cognito using OAuth information given to you in the AWS console for User Pool
In my specific case the application.yaml then looks like this:
spring:
security:
oauth2:
client:
registration:
cognito:
client-id: 1ab2cd34efghi5jk6klmno7p8
client-secret: *********
scope: openid
redirect-uri: http://localhost:8080/login/oauth2/code/cognito
clientName: foobar-sandbox
provider:
cognito:
issuerUri: https://cognito-idp.us-west-2.amazonaws.com/us-west-2_abCDeFGHI
user-name-attribute: cognito:username
client-secret is found in General settings -> App clients -> Show Details

How to adapt spring security to work with Ali Cloud's OAuth2 endpoint

I am trying to get spring-oauth2 to work with Ali Cloud's OAuth endpoint. I have the following in my application.yml.
security:
oauth2:
client:
registration:
alicloud:
clientId: foo
clientSecret: bar
redirectUriTemplate: "{baseUrl}/login/oauth2/code/{registrationId}"
authorizationGrantType: authorization_code
scope:
- openid
- profile
provider:
alicloud:
authorizationUri: https://signin.aliyun.com/oauth2/v1/auth
tokenUri: https://oauth.aliyun.com/v1/token
jwkSetUri: https://oauth.aliyun.com/v1/keys
Things seem to get to the point where the code needs to be exchanged for an access_token. However, DefaultAuthorizationCodeTokenResponseClient.getTokenResponse seems to package the request with HTTP Basic authentication. This works for Google and I imagine most of the rest of the big providers. But Ali Cloud's endpoint requires the client_id and client_secret in the POST body. The converter that seems to create this request is OAuth2AuthorizationCodeGrantRequestEntityConverter. It doesn't seem easy to override it.
What can I do to overcome this?

spring boot 2 M5 oauth authentication issue

I'm using Sprig boot 2 M5 and spring oauth
I have this configuration for my oauth client app
security:
oauth2:
client:
registration:
my-client:
client-id: blabla
client-secret: asecret
client-name: a name
provider: my-provider
scope: read
redirect-uri: https://localhost:8780/dp
authentication-method: basic
authorization-grant-type: authorization_code
provider:
my-provider:
authorization-uri: https://blabla/oauth-server/oauth/authorize
token-uri: https://blaba/oauth-server/oauth/token
user-info-uri: https://lmfr:8780/user
user-name-attribute: username
I was expecting to be redirected to the login page of my Oauth provider but instead I get redirected to the default spring login page.
any suggestion ?
Remove the redirect-uri then it should work
See also this bug

spring oauth2 authorization code flow , configuration for VK (Vkontakte)

I'm using social network Vkontakte as Oauth2 authorization server. So I have several steps:
1) get code with request with request_type=code
2) get accessToken when I send request to access token uri
So I want to use Spring Oauth2, but I should get authorization code first, then access token, i've tried to add to application.yml :
authorized-grant-types: authorization_code
it's my application.yml:
security:
oauth2:
client:
clientId: [clientId]
clientSecret: [clientSecret]
accessTokenUri: https://oauth.vk.com/access_token
userAuthorizationUri: https://oauth.vk.com/authorize
tokenName: access_token
registered-redirect-uri: http://localhost:8080/login
resource:
token-info-uri: http://localhost:8080/user
but actually it doesn't help. If somebody faced it and know how to configure Spring Oauth2 app - will be grateful for help
Actually after couple days of investigation i figured out that Spring OAuth2 completely implementing all features and configuration to my client application uses the authorization code grant to obtain an access token from Vkontakte (the Authorization Server)
The only thing i need to do if i take as sample Spring Boot and OAuth2 social login simple is to populate application.yml with correct creds for my Authorization server:
security:
oauth2:
client:
clientId: xxxxxxx
clientSecret: xxxxxxxxxxx
accessTokenUri: https://oauth.vk.com/access_token
userAuthorizationUri: https://oauth.vk.com/authorize
tokenName: code
authenticationScheme: query
clientAuthenticationScheme: form
grant-type: authorization_code
resource:
userInfoUri: https://api.vk.com/method/users.get
The only problem i faced was providing correct token name and userInfoUri to retrieve logged user info.
According token name it is name of authorization code your get after passing authoriztion(response_type=token name, it calls code in my case) and use to get access token.
Hope it will be helpful people face the same problem

Spring Boot oauth2: How to set the resource parameter in the authorization request to make adfs happy?

I'm trying to set up a spring boot app that uses oauth2 with Active Directory Federation Services as the authentication provider. I started with the tutorial here...
https://spring.io/guides/tutorials/spring-boot-oauth2/
... and got the facebook example to work. Then, I started adapting it to work with ADFS. It is close to working, but ADFS expects a resource parameter to be passed with the authorization request and I can't figure out how to set it. Here's what I've got so far in the config...
security:
oauth2:
client:
clientId: spring-boot-test-client
userAuthorizationUri: https://domain/adfs/oauth2/authorize
access-token-uri: https://domain/adfs/oauth2/token
tokenName: code
authenticationScheme: query
clientAuthenticationScheme: form
grant-type: authorization_code
When I click the login link, it redirects to https://domain/adfs/oauth2/authorize?client_id=spring-boot-test-client&redirect_uri=http://localhost:8080/login&response_type=code&state=rjzfyZ
I've tried setting the security:oauth2:client:id, the security:oauth2:client:resourceids and the security:oauth2:resource:id, but none of those seemed to affect the first redirect. Any idea what I should set to get the resource included in that first redirect?
Answering my own question here... It may be a hack, but I just appended the resource to the userAuthorizationUri
security:
oauth2:
client:
clientId: spring-boot-test-client
userAuthorizationUri: https://domain/adfs/oauth2/authorize?resource=RelyingPartyTrustIdentifier
access-token-uri: https://domain/adfs/oauth2/token
tokenName: code
authenticationScheme: query
clientAuthenticationScheme: form
grant-type: authorization_code
Now, I'm getting the login form.

Resources