Spring Security OAuth2 Could not obtain access token


April 2019


I have a Spring Security OAuth client which is authenticating against a custom Auth0 provider. For getting the UserAuthorizationUri, I need to make a POST request to a REST endpoint which is a wrapper on top of Auth0. So I have extended OAuth2ClientContextFilter and used a custom redirect strategy. Now the application is redirecting to the auth provider and, after login, the access token is failing with a CSRF error:

2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.web.util.matcher.OrRequestMatcher  : No matches found
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request '/login' matched by universal pattern '/**'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: [email protected] A new one will be created.
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]af35197
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 4 of 12 in additional filter chain; firing Filter: 'CsrfFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 5 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /login' doesn't match 'POST /logout
2018-01-18 12:01:21.465 DEBUG 28785 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : /login?code=F9WkgL_98BFFZkef&state=27ef0714353cf5d119ab088609e3a701950302ae8238c3210f0909590ffaa38b37c087274a73ebc24ae2cbb7de055ce94ebffdff5f7a00a74c80fdd0a9c046ee63596996b408b444151839c8d01eef820ecd77fc9316525b22ed4e7a078e008e44297604bb90be6d3e809b90659b1a384706f712243c9a7d8538817851d0ea2c2a5ba65c580e4b844e14af773498adbae6cf6b882fa2d487d43621a146e78a0b670030e1632295f132b36b4e6259080a478ba789aa4bb2902e7c6d25178e8964184250 at position 6 of 12 in additional filter chain; firing Filter: 'OAuth2ClientAuthenticationProcessingFilter'
2018-01-18 12:01:21.466 DEBUG 28785 --- [nio-8080-exec-3] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/login'
2018-01-18 12:01:21.466 DEBUG 28785 --- [nio-8080-exec-3] uth2ClientAuthenticationProcessingFilter : Request is to process authentication
2018-01-18 12:01:21.467 DEBUG 28785 --- [nio-8080-exec-3] uth2ClientAuthenticationProcessingFilter : Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Could not obtain access token

Caused by: org.springframework.security.oauth2.common.exceptions.InvalidRequestException: Possible CSRF detected - state parameter was required but no state could be found
    at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.getParametersForTokenRequest(AuthorizationCodeAccessTokenProvider.java:255) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]
    at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.obtainAccessToken(AuthorizationCodeAccessTokenProvider.java:209) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]

App config

security:
  oauth2:
    client:
      clientId: xxx
      clientSecret: xxxx
      userAuthorizationUri: https://x.amazonaws.com/v1/login
      accessTokenUri: https://x.amazonaws.com/v1/getToken
      tokenName: oauth_token
      authenticationScheme: query
      clientAuthenticationScheme: form
      additional-information:
        env: test
    resource:
      userInfoUri: https://x.amazonaws.com/v1/userInfo?env=test

Application.java

@SpringBootApplication
@EnableOAuth2Sso
public class NauthtestApplication extends SpringBootServletInitializer {

    @Bean
    public NAuth2ClientContextFilter oauth2ClientContextFilter() {
        NAuth2ClientContextFilter filter = new NAuth2ClientContextFilter();
        return filter;
    }

    public static void main(String[] args) {
        SpringApplication.run(NauthtestApplication.class, args);
    }
}

Custom Filter

public class NAuth2ClientContextFilter extends OAuth2ClientContextFilter implements Filter, InitializingBean {

Custom Redirect Strategy

import java.io.IOException;
import java.util.Arrays;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.web.client.RestTemplate;

import com.fasterxml.jackson.databind.ObjectMapper;

public class NAuthRedirectStrategy implements RedirectStrategy {

    private String clientId = "xxx";

    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {

        System.out.println("Reached the custom redirect strategy");

        // Build the login request for the wrapper endpoint
        NAuthLoginRequest loginRequest = new NAuthLoginRequest();
        loginRequest.setClientId(clientId);
        loginRequest.setEnv("test");
        loginRequest.setClaims(Arrays.asList("user", "groups"));
        loginRequest.setCallbackUrl("http://localhost:8080/login");

        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);
        RestTemplate restTemplate = new RestTemplate();
        ObjectMapper mapper = new ObjectMapper();
        HttpEntity<String> loginRestRequest = new HttpEntity<String>(mapper.writeValueAsString(loginRequest), headers);

        // POST to the wrapper; the response body is the URL to redirect the user to
        ResponseEntity<String> loginResponse = restTemplate.exchange(url, HttpMethod.POST, loginRestRequest, String.class);
        System.out.println("Login Response redirect url is " + loginResponse.getBody());
        // Drop the first and last character (the quotes around the returned URL)
        String redirectUrl = loginResponse.getBody().substring(1, loginResponse.getBody().length() - 1);
        response.sendRedirect(redirectUrl);

    }
}
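One way to keep Spring's own state value intact when the authorization redirect is routed through a wrapper endpoint, as an added example (not the question's code and not a confirmed fix for it): it assumes a hypothetical NAuthLoginRequest.setState(...) and that the wrapper echoes that state on the URL it returns. It reads the state that OAuth2ClientContextFilter appended to the url argument and refuses to redirect if the returned URL carries a different one, which is the situation the "Possible CSRF detected" exception reports later.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added example, not code from the question. NAuthLoginRequest.setState(...) is
// hypothetical; the wrapper is assumed to echo that state on the URL it returns.
public class StatePreservingRedirectStrategy implements RedirectStrategy {

    private final RestTemplate restTemplate = new RestTemplate();
    private final ObjectMapper mapper = new ObjectMapper();
    private static String stateOf(String uri) {
        return UriComponentsBuilder.fromUriString(uri).build().getQueryParams().getFirst("state");
    }

    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
        // OAuth2ClientContextFilter.redirectUser() appends state=<stateKey> to url. The same key
        // is kept in the session-scoped client context, and the token request is only accepted
        // when the callback's state matches it; otherwise "Possible CSRF detected" is thrown.
        String springState = stateOf(url);
        if (springState == null) {
            throw new IllegalStateException("authorization redirect carries no state parameter");
        }
        NAuthLoginRequest loginRequest = new NAuthLoginRequest();
        loginRequest.setClientId("xxx");
        loginRequest.setEnv("test");
        loginRequest.setClaims(Arrays.asList("user", "groups"));
        loginRequest.setCallbackUrl("http://localhost:8080/login");
        loginRequest.setState(springState); // hypothetical field: ask the wrapper to echo it
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);
        HttpEntity<String> body = new HttpEntity<>(mapper.writeValueAsString(loginRequest), headers);
        String redirectUrl = restTemplate.exchange(url, HttpMethod.POST, body, String.class)
                .getBody().replace("\"", ""); // body is a JSON string literal; strip its quotes
        // Fail closed: a swapped state would be rejected at the callback anyway, so stop here.
        if (!springState.equals(stateOf(redirectUrl))) {
            throw new IllegalStateException("wrapper did not preserve the Spring state key");
        }
        response.sendRedirect(redirectUrl);
    }
}
```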

0 answers