
"State" parameter is too short with @EnableOAuth2Sso

Open Oleg3n opened this issue 6 years ago • 5 comments

Auth request from Zuul app to ORY Hydra returns "The state is missing or has less than 8 characters and is therefore considered too weak" error. The request generated by Spring is like "/oauth2/auth?client_id=my-client3&redirect_uri=http://127.0.0.1:8099/login&response_type=code&scope=openid%20offline&state=bl891E", where the "state" param is 5 or 6 characters long. The app has 2 classes:

@EnableDiscoveryClient
@EnableZuulProxy
@SpringBootApplication
public class Zuul5Application {

	public static void main(String[] args) {
		SpringApplication.run(Zuul5Application.class, args);
	}
}

@EnableOAuth2Sso
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http
			.anonymous()
				.disable()
			.httpBasic()
				.disable()
			.authorizeRequests()
				.antMatchers("/login**", "/webjars/**", "/error**", "/oauth2/**")
					.permitAll()
				.anyRequest().authenticated()
			;
	}
}

application.yml

zuul:
  ignoredServices: '*'
  routes:
    resourceS:
      path: /user/**
      serviceId: resS-service
      sensitiveHeaders:
      strip-prefix: true
  add-proxy-headers: true

security:
  oauth2:
    client:
      client-id: my-client3
      client-secret: secret3
      scope:
        - openid
        - offline
      user-authorization-uri: ${app.auth-server}/oauth2/auth
      access-token-uri: ${app.auth-server}/oauth2/token
    resource:
      user-info-uri: ${app.auth-server}/userinfo
      token-info-uri: ${app.adm-server}/oauth2/introspect

ribbon:
  ReadTimeout: 5000
  ConnectTimeout: 5000
  MaxAutoRetries: 2

Is something wrong with configuration?

Oleg3n avatar Jan 30 '19 16:01 Oleg3n

Facing the same issue. Has this been solved for you? Below is my configuration:

security:
    basic:
        enabled: false
    oauth2:
        client:
            clientId: pgm-backend
            clientSecret: QYXs34SNyBAN2aLHZL6YuBOkmTnqyWQCJw==
            accessTokenUri: https://auth.************.com/oauth2/token
            userAuthorizationUri: https://auth.************.com/oauth2/auth
            redirectUri: http://localhost:9095/authorize
            scope:
              - openid
              - offline
        resource:
            userInfoUri: https://auth.************.com/userinfo
            preferTokenInfo: false

ryzmd avatar Jul 26 '19 09:07 ryzmd

Are you guys able to generate a token after redirect?

akohli96 avatar Aug 01 '19 15:08 akohli96

@akohli96 Not really. I'm stuck with multiple redirects back and forth ending with ERR_TOO_MANY_REDIRECTS

ryzmd avatar Aug 01 '19 15:08 ryzmd

I am stuck too. After authenticating the user, I can't seem to generate the token. https://stackoverflow.com/questions/54605167/unable-to-expose-endpoint-in-spring-boot-to-receive-authorization-code-from-goog?noredirect=1&lq=1

akohli96 avatar Aug 02 '19 03:08 akohli96

@Oleg3n I was able to solve this issue, I wrote my own AuthorizationRequestResolver which implements OAuth2AuthorizationRequestResolver. That resolver was taking care of creating state parameter. And my resolve method builds OAuth2AuthorizationRequest which uses a custom StateGenerator where I give the length as 32.

Now a bean of this is added to the http.oauth2Login() method in the following way.

.oauth2Login()
    .authorizationEndpoint()
        .baseUri(authorizationUri)
        .authorizationRequestResolver(customAuthorizationRequestResolver())
        .and()

ryzmd avatar Aug 08 '19 10:08 ryzmd
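The approach described in the comment above (a custom OAuth2AuthorizationRequestResolver that generates its own, longer state value), written out as a complete added example. This is not code from the issue or from the tut-spring-boot-oauth2 project: it targets the Spring Security 5.1+ oauth2Login() stack that the comment uses, assumes a ClientRegistrationRepository bean is present, and the class name LongStateSecurityConfig, the package name and the base URI constant are choices made for this example. The resolver delegates everything to Spring's DefaultOAuth2AuthorizationRequestResolver and rewrites only the state field, so the rest of the request (PKCE, additional parameters, redirect URI) stays exactly as the default resolver built it.

```java
// Added example, not from the issue or the spring-guides project.
// A custom OAuth2AuthorizationRequestResolver for the Spring Security 5 oauth2Login()
// stack that replaces the "state" value with 32 random bytes encoded as base64url,
// so it always exceeds the 8-character minimum the authorization server enforces.
// Assumed: Spring Security 5.1+, javax.servlet, a ClientRegistrationRepository bean.
package example.security; // hypothetical package

import java.util.Base64;

import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.keygen.Base64StringKeyGenerator;
import org.springframework.security.crypto.keygen.StringKeyGenerator;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;

@Configuration
public class LongStateSecurityConfig extends WebSecurityConfigurerAdapter {

    // Base URI the OAuth2AuthorizationRequestRedirectFilter listens on (Spring's default).
    private static final String AUTHORIZATION_BASE_URI = "/oauth2/authorization";
    // Minimum "state" length the authorization server in the issue enforces.
    static final int MIN_STATE_LENGTH = 8;

    private final ClientRegistrationRepository clientRegistrationRepository;

    public LongStateSecurityConfig(ClientRegistrationRepository clientRegistrationRepository) {
        this.clientRegistrationRepository = clientRegistrationRepository;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/login**", "/error**").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .authorizationEndpoint()
                    .baseUri(AUTHORIZATION_BASE_URI)
                    .authorizationRequestResolver(
                        new LongStateAuthorizationRequestResolver(clientRegistrationRepository));
    }

    /** Delegates to Spring's default resolver and rewrites only the state value. */
    static final class LongStateAuthorizationRequestResolver implements OAuth2AuthorizationRequestResolver {

        private final OAuth2AuthorizationRequestResolver delegate;
        // 32 random bytes -> 43 base64url characters, far above the 8-character minimum.
        private final StringKeyGenerator stateGenerator =
            new Base64StringKeyGenerator(Base64.getUrlEncoder().withoutPadding(), 32);

        LongStateAuthorizationRequestResolver(ClientRegistrationRepository repository) {
            this.delegate = new DefaultOAuth2AuthorizationRequestResolver(repository, AUTHORIZATION_BASE_URI);
        }

        @Override
        public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
            return withLongState(delegate.resolve(request));
        }

        @Override
        public OAuth2AuthorizationRequest resolve(HttpServletRequest request, String clientRegistrationId) {
            return withLongState(delegate.resolve(request, clientRegistrationId));
        }

        private OAuth2AuthorizationRequest withLongState(OAuth2AuthorizationRequest original) {
            if (original == null) {
                return null; // not an authorization request for a known client registration
            }
            String state = stateGenerator.generateKey();
            if (state.length() < MIN_STATE_LENGTH) {
                throw new IllegalStateException("generated state shorter than " + MIN_STATE_LENGTH);
            }
            // Copy every other field of the default request; only the state changes.
            return OAuth2AuthorizationRequest.from(original).state(state).build();
        }
    }
}
```

The rewritten request is what the redirect filter stores in the AuthorizationRequestRepository, so the callback still compares the returned state against the long value and the CSRF protection the parameter exists for is preserved. Note that the 5- or 6-character state in the original report is produced by the legacy spring-security-oauth2 stack behind @EnableOAuth2Sso, whose default state generator emits a 6-character random string; oauth2Login(), the stack this example and the comment above use, already generates base64url-encoded 32-byte state values by default, so the custom resolver is the place to enforce a length policy explicitly rather than rely on that default.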