Spring OAuth redirect_uri not using https

爱一瞬间的悲伤 2020-12-05 14:05

I have a Spring Boot 1.3.0 application with Spring Security OAuth included as a sort of SSO integration.

The problem is that the application is running in a non-SSL

6 answers
  • 2020-12-05 14:29

    Since you have mentioned the use of oauth I think this will help someone to understand the flow of operation. This answer only applies if you are using a reverse proxy such as NGINX.

    Cause of the problem:

    Your Spring Boot application is running on the server with an address similar to http://localhost:8080 . That's all the Spring Boot app knows about its host. You can inspect this behavior if you check the redirect URL in the Facebook (or other OAuth client) error page. It will look something like https://graph.facebook.com/v3.0/me?fields=id,first_name,middle_name,last_name,name,email,verified,is_verified,picture.width(250).height(250),link&redirect_url=http%3A%2F%2Flocalhost%2Flogin%2Ffacebook

    See, the redirect_url is wrong.

    So we need to somehow tell the application that it is hosted under this address.

    Quick fix

    If you are only looking to fix Facebook OAuth (or another OAuth provider), adding the following lines to the client will fix it.

    facebook:
      client:
        preEstablishedRedirectUri: https://yourdomain.com/
        useCurrentUri: false

    But this will only fix the issue at hand (and is not flexible). If you need a more concrete solution which is portable, you need to solve this at the reverse proxy.

    Open your nginx configuration for the app and change it as follows.

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Will add the user's IP to the request, some apps need this
        proxy_set_header X-Forwarded-Proto $scheme;                  # Will forward the protocol, i.e. http or https
        proxy_set_header X-Forwarded-Port $server_port;              # Will forward the port
        proxy_set_header Host $host;                                 # !Important: will forward the host address
        proxy_pass http://localhost:8080/;
    }

    Okay, so now nginx is sending the information that was previously hidden to the Spring Boot app. But the Spring app is still not using this information. To tell it to use it, add the following to the application.yml.

    server:
      use-forward-headers: true

    If you have your reverse proxy in a different node of the same network, you may want to configure the IP of the reverse proxy server with the following (replace with your IP).

    server.tomcat.internal-proxies=192\.65\.210\.55
  • 2020-12-05 14:35

    You may need to use spring.oauth2.client.access-token-uri

    The configuration parameter changed after 1.3.0.M1:

    https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.3.0-M1-Configuration-Changelog

  • 2020-12-05 14:36

    You may need to ensure that your application understands x-forwarded headers from your load balancer.

    Putting this in my application.yml fixed my very similar problem with an application behind an AWS ELB:

    server:
      tomcat:
        remote-ip-header: x-forwarded-for
        protocol-header: x-forwarded-proto

    Edit: This can be simplified with the more generic configuration:

    server:
      use-forward-headers: true

    For Apache Tomcat use RemoteIpValve in server.xml (above AccessLogValve):

        <Valve className="org.apache.catalina.valves.RemoteIpValve"
               protocolHeader="X-Forwarded-Proto" />

    See also: https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html.

  • 2020-12-05 14:37

    My answer is for people using the latest Spring version, as the answers suggested above didn't work for me. I am using Spring Boot 2.3.5.RELEASE.

    I had the same issue. I am using Azure AD for OAuth2 authentication. My application runs behind a reverse proxy and the redirect URI that was formed was using http rather than https.

    After reading the document https://docs.spring.io/spring-security/site/docs/5.2.x/reference/html/oauth2.html#oauth2Client-auth-code-redirect-uri , I added the line below to the application.properties file and it worked for me:

    spring.security.oauth2.client.registration.azure.redirect-uri=https://{baseHost}{basePort}{basePath}/login/oauth2/code/azure
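An added example (Python, not code from any of the answers nor from Spring or Tomcat) that models what the first answer's use-forward-headers and internal-proxies settings decide, and expands the redirect-uri template from the Spring Security docs cited in the Azure answer above; the trusted-proxy pattern, host names and requests are constructed.

```python
import re

# Added example, not code from the answers or from Spring/Tomcat: a model of what
# server.use-forward-headers plus server.tomcat.internal-proxies decide. Forwarded
# headers are honoured only when the connecting peer matches the trusted-proxy
# pattern; otherwise any client could claim "https" for itself. 192.65.210.55 is
# the placeholder proxy IP from the nginx answer above.
INTERNAL_PROXIES = re.compile(r"^(127\.0\.0\.1|192\.65\.210\.55)$")

def effective_origin(remote_addr, headers, local_scheme="http", local_port=8080,
                     use_forward_headers=True):
    """Return (scheme, host, port) as the application should see them."""
    h = {k.lower(): v for k, v in headers.items()}
    host, _, host_port = h.get("host", f"localhost:{local_port}").partition(":")
    scheme, port = local_scheme, int(host_port or local_port)
    if use_forward_headers and INTERNAL_PROXIES.match(remote_addr):
        scheme = h.get("x-forwarded-proto", scheme)  # only a trusted proxy may override
        port = int(h.get("x-forwarded-port", 443 if scheme == "https" else 80))
    return scheme, host, port

def expand_redirect_uri(template, origin, registration_id):
    """Expand the {baseScheme}/{baseHost}/{basePort}/{basePath}/{registrationId}
    placeholders of the Spring Security redirect-uri template; {basePort} carries
    its own leading colon and is empty for the scheme's default port."""
    scheme, host, port = origin
    default_port = (scheme, port) in (("https", 443), ("http", 80))
    return (template.replace("{baseScheme}", scheme)
            .replace("{baseHost}", host)
            .replace("{basePort}", "" if default_port else f":{port}")
            .replace("{basePath}", "")  # app deployed at the context root
            .replace("{registrationId}", registration_id))

TEMPLATE = "{baseScheme}://{baseHost}{basePort}{basePath}/login/oauth2/code/{registrationId}"

# Constructed requests: one relayed by the nginx proxy from the first answer, one
# sent straight to port 8080 by a client that forges X-Forwarded-Proto itself.
VIA_PROXY = ("192.65.210.55", {"Host": "yourdomain.com", "X-Forwarded-Proto": "https",
                               "X-Forwarded-Port": "443"})
DIRECT_SPOOF = ("203.0.113.7", {"Host": "localhost:8080", "X-Forwarded-Proto": "https"})

def redirect_uri_for(request, registration_id="azure", use_forward_headers=True):
    remote_addr, headers = request
    origin = effective_origin(remote_addr, headers, use_forward_headers=use_forward_headers)
    return expand_redirect_uri(TEMPLATE, origin, registration_id)

if __name__ == "__main__":
    print(redirect_uri_for(VIA_PROXY))     # https://yourdomain.com/login/oauth2/code/azure
    print(redirect_uri_for(DIRECT_SPOOF))  # http://localhost:8080/login/oauth2/code/azure
```

With use_forward_headers left off, the proxied request still yields an http URI on port 8080, which is the symptom the question describes.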
  • 2020-12-05 14:47

    After digging manually through the configuration classes I was able to find and add the following, which did the trick...

    security.oauth2.client.pre-established-redirect-uri=https://[application_host]/login
    security.oauth2.client.registered-redirect-uri=https://[application_host]/login
    security.oauth2.client.use-current-uri=false

    I'm not convinced there isn't a better way to solve the problem of forcing an HTTPS redirect URL, but this fix worked for me.

  • 2020-12-05 14:48

    I had the same problem. I added these two parameters to force HTTPS in redirect_uri:

    preEstablishedRedirectUri: https://...
    useCurrentUri: false

    It works: "redirect_uri" is now using HTTPS.
