redirect_uri using http instead of https

Question

I\'m using spring stack (Spring Boot 2.0.1.RELEASE) for creating a site that delegues user authentication/registration to Facebook via OAuth2. When I click the \"login with

Answer 1

I faced with exact the same problem but with Google.

Having the following architecture of microservices

Google Auth Server


  Zuul Gateway (:8080)
     /   \
    /     \
   /       \
Other      OAuth2Client (:5000)

while running at local machine everything works fine, but in AWS Elastic Beanstalk I catch the very same exception.

After debugging, I found out that in my case, when OAuth2Client is behind Zuul proxy (they implemented in separate microservices) I really get different redirect_uri values in the check inside OAuth2LoginAuthenticationProvider:

if (!authorizationResponse.getRedirectUri().equals(authorizationRequest.getRedirectUri())) {
    OAuth2Error oauth2Error = new OAuth2Error(INVALID_REDIRECT_URI_PARAMETER_ERROR_CODE);
    throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}

So in my case in AWS I have following values:

authorizationResponse.getRedirectUri()
http://[INNER_AWS_ESB_IP]:5000/auth/login/oauth2/code/google

authorizationRequest.getRedirectUri()
https://[MY_PROJECT_DOMAIN_NAME]/auth/login/oauth2/code/google

where [INNER_AWS_ESB_IP] is an IP address of inner network in AWS Elastic Beanstalk and [MY_PROJECT_DOMAIN_NAME] is a domain name of my project, which is hardcoded in application.yml as redirect-uri-template parameter.

I have the following config in application.yml of my OAuth2Client microservice

server:
  port: 5000
  servlet:
     contextPath: /auth
  use-forward-headers: true

spring:
  security:
    oauth2:
      resource:
        filter-order: 3
      client:
        registration:
          google:
            client-id:  [REMOVED]
            client-secret: [REMOVED]
            redirect-uri-template: ${MY_PROJECT_DOMAIN_NAME:http://localhost:8080}/auth/login/oauth2/code/google
            scope: profile,email

Loreno, what kind of architecture do you have? Can you share your config?

UPDATE

Seems that problem is connected directly with implementation of Spring Security Oauth2 Client in version science 5.0

Problem can be reproduced, if launch Zuul Gateway microservice on some separate virtual machine and other microservices should be launched at local machine ☝️ So Google should be called from the browser on VM.

The solution which helps me to avoid this problem is to add custom Filter with custom HttpServletRequestWrapper which can override method and return "right" URL to satisfy the check in OAuth2LoginAuthenticationProvider.java:115