I'm using Spring Boot 2 M5 and Spring OAuth.
I have this configuration for my OAuth client app:
security:
  oauth2:
    client:
      registration:
        my-client:
          client-id: blabla
          client-secret: asecret
          client-name: a name
          provider: my-provider
          scope: read
          redirect-uri: https://localhost:8780/dp
          authentication-method: basic
          authorization-grant-type: authorization_code
      provider:
        my-provider:
          authorization-uri: https://blabla/oauth-server/oauth/authorize
          token-uri: https://blaba/oauth-server/oauth/token
          user-info-uri: https://lmfr:8780/user
          user-name-attribute: username
I was expecting to be redirected to the login page of my OAuth provider, but instead I get redirected to the default Spring login page.
Any suggestions?
Remove the redirect-uri, then it should work.
See also this bug.
Our Spring Boot application acts as an OAuth2 client and, by default, contacts the identity provider's (here: Keycloak) endpoint for its "OAuth Well-Known Configuration Information", configured by this Spring property:
spring.security.oauth2.client.provider.keycloak.issuer-uri
The problem is that any @SpringBootTest then also attempts to connect to such a server, which fails immediately. So, for integration testing, I'd like to replace the above issuer-uri with the properties jwk-set-uri, authorization-uri and token-uri, which don't prevent the application from starting.
So, I created the following application.yml, which does its job, but I think it's not very obvious to other team members what happens here.
spring:
  security:
    oauth2:
      client:
        registration:
          keycloak:
            provider: keycloak
            client-id: ${app.authentication.client-id}
            client-secret: ${app.authentication.client-secret}
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/keycloak"
            scope: openid
        provider:
          keycloak:
            user-name-attribute: preferred_username
---
spring:
  config:
    activate:
      on-profile: default
  security:
    oauth2:
      client:
        provider:
          keycloak:
            issuer-uri: ${app.authentication.server-url}
---
spring:
  config:
    activate:
      on-profile: integration-test
  security:
    oauth2:
      client:
        provider:
          keycloak:
            jwk-set-uri: ${app.authentication.server-url}
            authorization-uri: ${app.authentication.server-url}
            token-uri: ${app.authentication.server-url}
Is there some other approach to disable the issuer-uri and replace it with the three properties above when testing?
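An alternative that avoids profile-specific endpoint overrides, added here as an example and not part of the original post: define a ClientRegistrationRepository bean in a test configuration. Spring Boot's OAuth2 client auto-configuration is conditional on that bean being absent, so it backs off and never resolves issuer-uri, whichever profile is active. This assumes Spring Boot 2.4+ / Spring Security 5.4+ (implied by the spring.config.activate.on-profile key used above); the package name, the localhost endpoints and the dummy credentials are placeholders for the example.

```java
package com.example.app; // assumed package name

import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;

/**
 * Test-only replacement for the auto-configured ClientRegistrationRepository.
 * Because this bean exists, Spring Boot never calls the issuer's discovery
 * endpoint, so the context starts without a reachable Keycloak.
 */
@TestConfiguration
public class TestOAuth2ClientConfig {

    // Assumed placeholder endpoints: stored in the registration, never contacted at startup.
    private static final String KEYCLOAK = "http://localhost:9999/realms/test/protocol/openid-connect";

    @Bean
    ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration keycloak = ClientRegistration.withRegistrationId("keycloak")
                .clientId("integration-test-client")   // dummy values: the test never exchanges a code
                .clientSecret("not-a-real-secret")      // keep real secrets out of test sources
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("openid")
                .authorizationUri(KEYCLOAK + "/auth")
                .tokenUri(KEYCLOAK + "/token")
                .jwkSetUri(KEYCLOAK + "/certs")
                .userNameAttributeName("preferred_username")
                .build();
        return new InMemoryClientRegistrationRepository(keycloak);
    }
}
```

Import it only into tests (for example @SpringBootTest together with @Import(TestOAuth2ClientConfig.class)), never into the main application context, so a production build cannot pick up the dummy registration. With this in place the integration-test profile no longer needs to override any provider endpoints, and the real app.authentication.* values stay confined to the default profile.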
I am facing the error below while accessing an API with OAuth 2.0 credentials.
The examples on the Internet contain a user-info-uri, but I have only authorization-uri and token-uri. How can I successfully connect without user-info-uri?
The authorization screen opens successfully, but after that this error is shown:
[missing_user_info_uri] Missing required UserInfo Uri in UserInfoEndpoint for Client Registration: aa-client-1
My application.yml looks like this:
spring:
  security:
    oauth2:
      client:
        registration:
          aa-client-1:
            client-id: XXXX-XXXXX-XXXX-XXX
            client-secret: XXXX-XXXXX-XXXX-XXX
            provider: A
            scope: A:scope
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:8080/login
        provider:
          A:
            authorization-uri: https://someurls/authorize
            token-uri: https://someurl/token
I want to log in to the API without user-info-uri.
Unfortunately, you must provide a user-info-uri if your grant type is authorization_code.
See the GitHub discussion and the Spring Security source code.
Perhaps this workaround may also be applicable to your context.
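Added example, not from the question or the answer above: the error comes from oauth2Login(), which authenticates a user and therefore asks DefaultOAuth2UserService for the UserInfo endpoint. If the goal is only to call an API with the access token, oauth2Client() runs the same authorization-code exchange but never needs a user-info-uri. This assumes Spring Security 5.4+ (SecurityFilterChain bean style), the registration id aa-client-1 from the question, and that its redirect-uri is changed to {baseUrl}/authorize/oauth2/code/{registrationId}, the redirect pattern Spring Security's reference documentation uses for oauth2Client(), instead of /login; the package name and the /token-info endpoint are placeholders.

```java
package com.example.app; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class ApiClientSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Assumed: no user login is required for this app; the OAuth2 client
            // only obtains a token for calling the remote API.
            .authorizeRequests(authz -> authz.anyRequest().permitAll())
            // oauth2Client(): authorization-code grant and token exchange only.
            // No OAuth2UserService is involved, so no UserInfo endpoint is needed.
            .oauth2Client();
        return http.build();
    }
}

@RestController
class TokenInfoController {

    // Resolving this argument starts the authorization-code flow for "aa-client-1"
    // when no authorized client is stored yet. The provider's callback is handled by
    // OAuth2AuthorizationCodeGrantFilter at the registration's redirect-uri, after
    // which the request is replayed and the token is available here.
    @GetMapping("/token-info")
    public String tokenInfo(@RegisteredOAuth2AuthorizedClient("aa-client-1") OAuth2AuthorizedClient client) {
        // Report only metadata; never echo the access token itself to the browser or logs.
        return "scopes=" + client.getAccessToken().getScopes()
                + " expiresAt=" + client.getAccessToken().getExpiresAt();
    }
}
```

The difference in one sentence: oauth2Login() needs something to build a principal from (UserInfo, or an ID token when the provider is OpenID Connect), whereas oauth2Client() only needs a token it can attach to outgoing API calls, typically through a WebClient or RestTemplate configured with the authorized client.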
I am trying to get spring-oauth2 to work with Ali Cloud's OAuth endpoint. I have the following in my application.yml:
security:
  oauth2:
    client:
      registration:
        alicloud:
          clientId: foo
          clientSecret: bar
          redirectUriTemplate: "{baseUrl}/login/oauth2/code/{registrationId}"
          authorizationGrantType: authorization_code
          scope:
            - openid
            - profile
      provider:
        alicloud:
          authorizationUri: https://signin.aliyun.com/oauth2/v1/auth
          tokenUri: https://oauth.aliyun.com/v1/token
          jwkSetUri: https://oauth.aliyun.com/v1/keys
Things seem to get to the point where the code needs to be exchanged for an access_token. However, DefaultAuthorizationCodeTokenResponseClient.getTokenResponse seems to package the request with HTTP Basic authentication. This works for Google and I imagine most of the rest of the big providers. But Ali Cloud's endpoint requires the client_id and client_secret in the POST body. The converter that seems to create this request is OAuth2AuthorizationCodeGrantRequestEntityConverter. It doesn't seem easy to override it.
What can I do to overcome this?
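Added example, not from the question: from Spring Security 5.1 on, DefaultAuthorizationCodeTokenResponseClient accepts a replacement request-entity converter through setRequestEntityConverter, so the token request can be rewritten before it is sent. The converter below wraps the stock OAuth2AuthorizationCodeGrantRequestEntityConverter, drops the Authorization header and puts client_id and client_secret in the form body. Check first whether setting client-authentication-method: post on the registration (client_secret_post from Spring Security 5.5 on) already does what the provider wants, because the stock converter honours that method; the class below is the general escape hatch for providers that need a request shape the stock converter cannot produce. It assumes the WebSecurityConfigurerAdapter style of Spring Security 5.1 to 5.6 and the alicloud registration above; the package name is a placeholder.

```java
package com.example.app; // assumed package name

import java.net.URI;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.RequestEntity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

@Configuration
@EnableWebSecurity
public class BodyCredentialsSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and()
            .oauth2Login()
                .tokenEndpoint()
                    // Replace the token response client used for the code-for-token exchange.
                    .accessTokenResponseClient(accessTokenResponseClient());
    }

    @Bean
    public OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
        DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRequestEntityConverter(new BodyCredentialsRequestEntityConverter());
        return client;
    }

    /**
     * Builds the token request with the stock converter, then moves the client
     * credentials from the HTTP Basic header into the form body.
     */
    static class BodyCredentialsRequestEntityConverter
            implements Converter<OAuth2AuthorizationCodeGrantRequest, RequestEntity<?>> {

        private final OAuth2AuthorizationCodeGrantRequestEntityConverter delegate =
                new OAuth2AuthorizationCodeGrantRequestEntityConverter();

        @Override
        @SuppressWarnings("unchecked")
        public RequestEntity<?> convert(OAuth2AuthorizationCodeGrantRequest grantRequest) {
            RequestEntity<?> stock = delegate.convert(grantRequest);
            ClientRegistration registration = grantRequest.getClientRegistration();

            // The stock body is a MultiValueMap of form fields (grant_type, code, redirect_uri, ...).
            MultiValueMap<String, String> form =
                    new LinkedMultiValueMap<>((MultiValueMap<String, String>) stock.getBody());
            form.set(OAuth2ParameterNames.CLIENT_ID, registration.getClientId());
            form.set(OAuth2ParameterNames.CLIENT_SECRET, registration.getClientSecret());

            // RequestEntity exposes its headers read-only, so copy them, then drop the Basic
            // credentials: the secret should travel exactly once, where the provider expects it.
            HttpHeaders headers = new HttpHeaders();
            headers.putAll(stock.getHeaders());
            headers.remove(HttpHeaders.AUTHORIZATION);

            URI tokenUri = stock.getUrl();
            return new RequestEntity<>(form, headers, HttpMethod.POST, tokenUri);
        }
    }
}
```

The converter leaves grant_type, code, redirect_uri and any PKCE code_verifier exactly as the stock converter produced them; only the transport of the client credentials changes. The request still goes to the registration's tokenUri over HTTPS, and the form body must not be logged, since it now carries the client secret in clear form.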
I'm using the social network Vkontakte as an OAuth2 authorization server, so I have several steps:
1) get a code with a request with request_type=code
2) get an accessToken when I send a request to the access token URI
So I want to use Spring OAuth2, but I should get the authorization code first, then the access token. I've tried adding this to application.yml:
authorized-grant-types: authorization_code
This is my application.yml:
security:
  oauth2:
    client:
      clientId: [clientId]
      clientSecret: [clientSecret]
      accessTokenUri: https://oauth.vk.com/access_token
      userAuthorizationUri: https://oauth.vk.com/authorize
      tokenName: access_token
      registered-redirect-uri: http://localhost:8080/login
    resource:
      token-info-uri: http://localhost:8080/user
But actually it doesn't help. If somebody has faced this and knows how to configure a Spring OAuth2 app, I will be grateful for help.
Actually, after a couple of days of investigation I figured out that Spring OAuth2 completely implements all the features and configuration for my client application to use the authorization code grant to obtain an access token from Vkontakte (the Authorization Server).
The only thing I need to do, if I take the Spring Boot and OAuth2 social login sample as a starting point, is to populate application.yml with the correct credentials for my authorization server:
security:
  oauth2:
    client:
      clientId: xxxxxxx
      clientSecret: xxxxxxxxxxx
      accessTokenUri: https://oauth.vk.com/access_token
      userAuthorizationUri: https://oauth.vk.com/authorize
      tokenName: code
      authenticationScheme: query
      clientAuthenticationScheme: form
      grant-type: authorization_code
    resource:
      userInfoUri: https://api.vk.com/method/users.get
The only problem I faced was providing the correct token name and userInfoUri to retrieve the logged-in user's info.
Regarding the token name: it is the name of the authorization code you get after passing authorization (response_type=token name, which is called code in my case) and use to get the access token.
Hope it will be helpful to people who face the same problem.
I'm trying to set up a Spring Boot app that uses OAuth2 with Active Directory Federation Services as the authentication provider. I started with the tutorial here...
https://spring.io/guides/tutorials/spring-boot-oauth2/
... and got the Facebook example to work. Then, I started adapting it to work with ADFS. It is close to working, but ADFS expects a resource parameter to be passed with the authorization request and I can't figure out how to set it. Here's what I've got so far in the config...
security:
  oauth2:
    client:
      clientId: spring-boot-test-client
      userAuthorizationUri: https://domain/adfs/oauth2/authorize
      access-token-uri: https://domain/adfs/oauth2/token
      tokenName: code
      authenticationScheme: query
      clientAuthenticationScheme: form
      grant-type: authorization_code
When I click the login link, it redirects to https://domain/adfs/oauth2/authorize?client_id=spring-boot-test-client&redirect_uri=http://localhost:8080/login&response_type=code&state=rjzfyZ
I've tried setting the security:oauth2:client:id, the security:oauth2:client:resourceids and the security:oauth2:resource:id, but none of those seemed to affect the first redirect. Any idea what I should set to get the resource included in that first redirect?
Answering my own question here... It may be a hack, but I just appended the resource to the userAuthorizationUri:
security:
  oauth2:
    client:
      clientId: spring-boot-test-client
      userAuthorizationUri: https://domain/adfs/oauth2/authorize?resource=RelyingPartyTrustIdentifier
      access-token-uri: https://domain/adfs/oauth2/token
      tokenName: code
      authenticationScheme: query
      clientAuthenticationScheme: form
      grant-type: authorization_code
Now, I'm getting the login form.