Spring Social losing auth token on redirect - spring

I'm trying to use Spring Social Facebook login along side form login, more or less following the guide here: http://www.baeldung.com/get-user-in-spring-security, only using header-based session management rather than cookies. Right now the login is successful. Facebook sends a 302 to my server at /api/signin/facebook, and my server sends a 302 to the post-sign-in url I've set on my ProviderSignInController along with the x-auth-token header. The issue is that when following the last redirect my browser throws away the auth token.
I think I want to just add the auth token as a query param on the final redirect uri, but I don't know how to intercept the final response. I've called setSignInInterceptors on my ProviderSignInController but that seems to be ignored after the first sign in. How can I keep my session information when it's not a cookie?

Just added the token as a query parameter and returned it from my custom SignInAdapter.signIn method. I feel like there's probably a better solution but I needed something.

Related

Spring OAuth2 redirect to original URL on successful auth

I'm able to successfully complete the OAuth auth, however am struggling with working how to then send the request back to the original requested URL. An example scenario is as follows:
Incoming request to: /some-protected-resource
As the user is not authorised yet we complete the OAuth flow.
As per the AbstractAuthenticationProcessingFilter docs the user is redirected back to webapp root when I don't have a AuthenticationSuccessHandler specified however I would like to redirect them back to whatever URL they originally requested.
I've tried specifying the SavedRequestAwareAuthenticationSuccessHandler however it doesn't seem like the OAuth requests go through the ExceptionTranslationFilter.
The default behavior is exactly what you want to achieve, so it might be that you customized the authorization process so it redirects you to the root.
Provide more details on your configuration.

spring oauth redirect back to original url after getting the access token

I have a web app with spring boot backend providing REST APIs and Angular.js front end as a single-page-application.
I'm new to the spring oauth setup so I'm not sure whether I'm doing it the right way.
I have my spring boot app configured as both the resource server as well as the oauth authentication server. Whenever the front end makes an api request that fails with a 401 response, I instructed the web developer to make a POST call to /oauth/token endpoint to get a user token. The request sort of like this:
POST /oauth/token HTTP/1.1
Host: localhost:8080
Authorization: Basic Z3J1Ym1hcmtldDp0dWFuZ291
Content-Type: application/x-www-form-urlencoded
grant_type=password&username=john.doe%40example.com&password=password
And the front end will get a user token and is able to sent API requests to protected api end points.
Now imagine a use case where anonymous user adds a bunch of stuff to his/her shopping cart and hit the check out button, which makes an API request to the backend that fails with 401. So user is redirected to the form login our frond end person wrote. When user enters his/her username/password, the UI code makes a POST request to /oauth/token and get a user token back.
Now the problem is that the user's shopping cart is lost as user has been redirected away. We are thinking of having a redirect_url and encode the shopping cart items into the redirect url and redirect to that url after user logs in successfully.
Question is, how do I do that. Doesn't look like the POST request to /oauth/token would take a redirect_url param and sends back a 302 response to that url. Is it solely the front end developer's responsibility to store the shopping cart and proceed when login finishes?
The password flow of the oauth2 spec is definitely not suited for this use case and doesn't support redirect uri. Flows that support redirects are the authorization code and implicit.
https://www.rfc-editor.org/rfc/rfc6749

Issue token to logged in user via spring

I have a Spring (3.2) based web app that a user can log into. The site will also provide an API secured via OAuth 2.0. My question then, is how do I go about generating a token for a logged in user?
The underlying idea here is that there will be a mobile app that opens up a web frame to the login page, which will eventually redirect to a url schema with an oauth token that the app will catch and then use for the api calls. Looking at the code for TokenEndpoint, I see that it defers token creation to a list of TokenGranter types. Should I be creating my own TokenGranter extended class, or am I looking at this all wrong?
I ended up writing a controller like this:
OAuthClientRequest request = OAuthClientRequest
.authorizationLocation(csOauthAuthorizeUrl)
.setClientId(csClientId)
.setRedirectURI(
UrlLocator.getBaseUrlBuilder().addSubpath(AUTH_CODE_HANDLER_URL).asUnEscapedString())
.setResponseType("code")
.buildQueryMessage();
UrlUtils.temporarilyRedirect(httpResponse, request.getLocationUri());
return null;
Then handling the code returned. My big problem here was that I had the /oauth/authorize endpoint set to use client credentials. Once I realized that tokens were being issued for the client ID instead of the user, it started to make sense.
So you want to use the Authorization Flow of OAuth. Spring has already support that, if you have configured the spring-security-oauth correctly, you just have to redirect the user/your mobile apps to /oauth/authorize?client_id=xxx&response_type=code this will redirect user to authorization page, if user has not login yet, it will redirect the user to login page then to the authorization page.
After the user completed the authorization process, it will redirect the user to an already registered redirect_url parameter with the authorization_code 'yourapp.com/callback?code=xxxx'.
Your application should exchange this authorization_code with the real token access to /oauth/token?grant_type=authorization_code&code=xxxx&client_id=xxxx&client_secret=xxxx
After that you will receive the token access that can be used to access the resource server.

In GWT: how to bookmark a page and be able to be redirected to it after authentication?

I have implemented an OAuth2 authentication mechanism in my GWT app. The OAuth2 server is based on Spring framework 3.x (using its Spring security OAuth2 implementation).
I am using the OAuth2 "Authorization code flow" to get the user authenticated (though implicit flow may have been a better choice in our case). So at first, the user is redirected to the OAuth2 server authentication page, he enters his credentials and if he is successfully authenticated, he is redirected back to a url with an oauth code. He will then make a second call to get an access token from the OAuth2 server.
Now, the issue is, we would like the user to be able to bookmark a page in the application and directly access it. If he has already authenticated then he would have direct access to it (no more auth involved). Otherwise, he would have to go into the OAuth2 authentication flow but in the end, should be redirected back to the bookmarked page he intended to access at the beginning.
How can I store this page url and get redirected to it after the user successfully authenticates ?
any help would be appreciated. Thanks!
EDITED
The initial url redirection is done via javascript's document.location.href
The way to maintain the original URI in an OAuth 2.0 Authorization Grant flow is to pass it in the state parameter so that the redirection endpoint can use it, after it exchange the authorization code for an access token, to redirect the user back to that URI.
FYI, this is exactly what Google suggests in the examples in their OAuth 2.0 documentation, e.g. https://developers.google.com/accounts/docs/OAuth2Login
Original answer:
The problem is using the hash part of the URL for the place, which is not sent to the server and thus cannot be used in the redirection to the OAuth2 server authentication page.
You have 2 (maybe 3) solutions:
stop using the hash for the place and switch to HTML5 History; either through gwt-pushstate at the History level, or a custom PlaceHistoryHandler.Historian if you use the Places API. That limits your audience though: http://caniuse.com/history
stop using an HTTP redirect, and instead use JavaScript so you can put the hash in the OAuth2 redirect_uri. So instead of redirecting, send an error page with the appropriate scripts bits.
some browsers append the hash to the URL after a redirection, so your OAuth2 server might be able to pick it (in JavaScript) and append it to the redirect_uri. That might depend on the HTTP status code used for redirecting (from experience, it works with a 301, but you don't want a 301 here). Needs testing.
You can do this using GWT activities and places.

Spring template connect to OpenSSO/JAAS secure endpoint

I'm trying to access a REST service via a server-to-server GET request that is secured by OpenSSO/Spring Security and am unable to. It's like my Spring Rest Template client is not stateful to hold the cookies it should as I get redirected through the authentication workflow.
When doing this with a browser, the initial request is redirected to OpenSSO, I'm challenged for my cert (PKI), I present it, get a response with my authentication cookie header. Then I am redirected back to my original destination, I present my auth cookie in the request header and I'm on my way.
This isn't happening in my server-to-server invocations.
I've searched for quite a while now and can't seem to find any solutions that hold onto this state across redirects!
Following the link in zagyi's comment may have worked, but I spent some more time and found the following solution, which does not involve overriding anything:
To handle the authentication cookie in the REST controller, you have to explicitly tell it to accept cookies. Before handling the call, add the following line of code:
CookieHandler.setDefault(new cookieManager(null, CookiePolicy.ACCEPT_ALL));

Resources