Passing extra query/form parameters through spring social

April 2019

142 views

1

I'm building a Single Page Application using Spring Social and Spring Security generated by JHipster.

I'm trying to capture the original query parameters after a user has been authenticated by some social authentication provider.

Example:

Calling /signin/someprovider?show=someEntityId redirects the user, after a successful authentication, to /signup/; I need a way to fetch 'someEntityID' there.

I assume the different HTTP calls make it difficult to pass/store the parameters around. Is there some Spring built-in functionality I can use/reuse, or how does one solve this problem?

UPDATE

The thread of requests looks like this:

(1) browser-> http://localhost:9060/signin/authenticationProvider?show=**someEntityId**

<- redirect to https://authenticationProvider... &state=SomeState

(2) browser -> https://authenticationProvider

<- redirect to http://localhost:9060/signin/google?state=SomeState&code=SomeCode

(3) browser-> http://localhost:9060/signin/authenticationProvider?state=SomeState&code=SomeCode

<- redirect to http://localhost:9060/social/signup

(4) browser -> http://localhost:9060/social/signup

This ends up in

    @GetMapping("/signup")
    public RedirectView signUp(WebRequest webRequest,
                               @CookieValue(name = "NG_TRANSLATE_LANG_KEY", required = false,
                                            defaultValue = Constants.DEFAULT_LANGUAGE) String langKey) {
        try {
            Connection<?> connection = providerSignInUtils.getConnectionFromSession(webRequest);
            socialService.createSocialUser(connection, langKey.replace("\"", ""));

At this point I want to call a function with the original parameter someEntityId.

According to google oauth2 redirect_uri with several parameters, the ?show=someEntityId parameter should be encoded in the state parameter of the OAuth2 request in order to survive from (1) to (3). In (3) the state parameter has to be added to the redirect URI, so that the original parameter can be decoded in (4).

It looks like a lot of work, or am I missing something? It would be nice if there were a way to have a session variable in which I could store the parameters at (1) and fetch them again at (4).

1 answer

0

Since version 1.1.3 Spring Social creates the state parameter on its own and uses it as a CSRF token, see https://pivotal.io/security/cve-2015-5258 - therefore you cannot (and should not) encode additional parameters in the state parameter.

Instead, if provider sign-in is enabled with a ProviderSignInController, a ProviderSignInInterceptor can be used to store such parameters temporarily in the session (in preSignIn(...) and postSignIn(...)).

I guess there is a similar approach if a SocialAuthenticationFilter is used.
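The interceptor approach from the answer, written out as an added example (it is not code from the question, from JHipster or from Spring Social). It captures the `show` value in `preSignIn` at step (1), parks it in the HTTP session, leaves the `state` CSRF token alone, and exposes a `consumePendingShow` helper for the `/signup` handler at step (4). Assumptions: the package, class, bean wiring and the session key `social.pendingShow` are hypothetical; Google is taken as the provider API type (spring-social-google), because Spring Social keys sign-in interceptors by the API type in the interceptor's generic parameter.

```java
// Added example (not from the question, JHipster or Spring Social): a ProviderSignInInterceptor
// that keeps the ?show=... value in the HTTP session across the OAuth2 round trip.
// Package, class, bean wiring and session key are hypothetical; Google is the assumed API type.
package com.example.social;

import java.util.regex.Pattern;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.social.connect.Connection;
import org.springframework.social.connect.ConnectionFactory;
import org.springframework.social.connect.ConnectionFactoryLocator;
import org.springframework.social.connect.UsersConnectionRepository;
import org.springframework.social.connect.web.ProviderSignInController;
import org.springframework.social.connect.web.ProviderSignInInterceptor;
import org.springframework.social.connect.web.SignInAdapter;
import org.springframework.social.google.api.Google;
import org.springframework.util.MultiValueMap;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.WebRequest;

public class ShowParameterSignInInterceptor implements ProviderSignInInterceptor<Google> {

    /** Session attribute under which the pending value is parked (hypothetical name). */
    public static final String SESSION_KEY = "social.pendingShow";

    /** Allow-list for the value: it later drives a lookup/redirect, so never store it unvalidated. */
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Step (1): runs before the redirect to the provider, while ?show=... is still on the request. */
    @Override
    public void preSignIn(ConnectionFactory<Google> connectionFactory,
                          MultiValueMap<String, String> parameters, WebRequest request) {
        String show = request.getParameter("show");
        if (show != null && ALLOWED.matcher(show).matches()) {
            request.setAttribute(SESSION_KEY, show, RequestAttributes.SCOPE_SESSION);
        } else {
            // Drop any stale value so an old id cannot leak into an unrelated sign-in.
            request.removeAttribute(SESSION_KEY, RequestAttributes.SCOPE_SESSION);
        }
        // `parameters` is deliberately left untouched: the state parameter is Spring Social's CSRF token.
    }

    /** Step (3): the provider callback; the value simply stays in the session. */
    @Override
    public void postSignIn(Connection<Google> connection, WebRequest request) {
        // Nothing to do here; the sign-up handler consumes the value in step (4).
    }

    /** Step (4): fetch the parked value once and remove it, so it cannot be reused by a later request. */
    public static String consumePendingShow(WebRequest request) {
        Object value = request.getAttribute(SESSION_KEY, RequestAttributes.SCOPE_SESSION);
        request.removeAttribute(SESSION_KEY, RequestAttributes.SCOPE_SESSION);
        return value instanceof String ? (String) value : null;
    }
}

/** Registers the interceptor on the ProviderSignInController (bean wiring is hypothetical). */
@Configuration
class SocialSignInConfig {

    @Bean
    public ProviderSignInController providerSignInController(ConnectionFactoryLocator connectionFactoryLocator,
                                                             UsersConnectionRepository usersConnectionRepository,
                                                             SignInAdapter signInAdapter) {
        ProviderSignInController controller =
            new ProviderSignInController(connectionFactoryLocator, usersConnectionRepository, signInAdapter);
        controller.addSignInInterceptor(new ShowParameterSignInInterceptor());
        return controller;
    }
}
```

In the `/signup` handler shown in the question, `String show = ShowParameterSignInInterceptor.consumePendingShow(webRequest);` after `createSocialUser(...)` yields the original value, or `null` if none was supplied or it failed validation. Two points worth keeping: the value is validated against an allow-list before it is stored, because it will later select an entity or build a redirect, and it is removed from the session on first read so that it applies to exactly one sign-up. This covers the `ProviderSignInController` flow named in the answer; the answer only guesses that `SocialAuthenticationFilter` has a similar hook, so that case is not shown here.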