redirect_uri using http instead of https
We faced the same issue while running in OpenShift and authenticating against Microsoft Azure. Filtering seemed like hacking, the *.redirect-uri-template properties are now deprecated, and after returning from Azure the outgoing and incoming redirect URIs did not match.
After much searching, this simple entry in application.properties solved the issue:
server.forward-headers-strategy=framework
I also faced this problem and nothing worked after trying all solutions available on google and stack overflow. This resolved the problem for me:
- I upgraded the Spring-boot version to "2.3.1.RELEASE" and rebuilt the application. Then added this property in application.yml (talking about google here but i think it will work for facebook, okta and other identity provider platforms) :
security:
oauth2:
client:
registration:
google:
clientId: 'your google client id'
clientSecret: 'your google client secret'
redirect-uri: https://www.yourdomain.com/login/oauth2/code/google # important
Defining redirect-uri , did the work and that was only possible if you are working on a spring-boot 2.3.x and above release. Don't waste your time on "redirect-uri-template" as you will be facing problem when google redirects the user-agent back to your application. Spring will still be authenticating the redirect-uri internally.
If you are working behind a reverse proxy (may be nginx) the this should be your server configuration :
location / { absolute_redirect off; proxy_ssl_server_name on; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_redirect off; proxy_pass http://127.0.0.1:8080; }
These settings on ngnix will make sure that Spring gets requests header which are coming in the request. I was using tomcat on port 8080 hence defined this in proxy_pass. You can change this for your application.
I hope this helps. Cheers.
I faced with exact the same problem but with Google.
Having the following architecture of microservices
Google Auth Server
Zuul Gateway (:8080)
/ \
/ \
/ \
Other OAuth2Client (:5000)
while running at local machine everything works fine, but in AWS Elastic Beanstalk I catch the very same exception.
After debugging, I found out that in my case, when OAuth2Client is behind Zuul proxy (they implemented in separate microservices) I really get different redirect_uri values in the check inside OAuth2LoginAuthenticationProvider:
if (!authorizationResponse.getRedirectUri().equals(authorizationRequest.getRedirectUri())) {
OAuth2Error oauth2Error = new OAuth2Error(INVALID_REDIRECT_URI_PARAMETER_ERROR_CODE);
throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
}
So in my case in AWS I have following values:
authorizationResponse.getRedirectUri()
http://[INNER_AWS_ESB_IP]:5000/auth/login/oauth2/code/google
authorizationRequest.getRedirectUri()
https://[MY_PROJECT_DOMAIN_NAME]/auth/login/oauth2/code/google
where [INNER_AWS_ESB_IP] is an IP address of inner network in AWS Elastic Beanstalk and [MY_PROJECT_DOMAIN_NAME] is a domain name of my project, which is hardcoded in application.yml as redirect-uri-template parameter.
I have the following config in application.yml of my OAuth2Client microservice
server:
port: 5000
servlet:
contextPath: /auth
use-forward-headers: true
spring:
security:
oauth2:
resource:
filter-order: 3
client:
registration:
google:
client-id: [REMOVED]
client-secret: [REMOVED]
redirect-uri-template: ${MY_PROJECT_DOMAIN_NAME:http://localhost:8080}/auth/login/oauth2/code/google
scope: profile,email
Loreno, what kind of architecture do you have? Can you share your config?
UPDATE
Seems that problem is connected directly with implementation of Spring Security Oauth2 Client in version science 5.0
Problem can be reproduced, if launch Zuul Gateway microservice on some separate virtual machine and other microservices should be launched at local machine ☝️ So Google should be called from the browser on VM.
The solution which helps me to avoid this problem is to add custom Filter with custom HttpServletRequestWrapper which can override method and return "right" URL to satisfy the check in OAuth2LoginAuthenticationProvider.java:115 ð
In the
application.ymlof the Oauth2 clientmyCloudPath: ${MY_PROJECT_DOMAIN_NAME:http://localhost:8080}In the
SecurityConfig@Value("${myCloudPath}") private String myCloudPath; @Override public void configure(HttpSecurity http) throws Exception { http. addFilterBefore(new MyCustomFilter(myCloudPath), OAuth2LoginAuthenticationFilter.class). ...Filter
public class MyCustomFilter implements Filter { private static final Logger logger = LogManager.getLogger(MyCustomFilter.class); private String myCloudPath; public MyCustomFilter(String myCloudPath) { this.myCloudPath= myCloudPath; } @Override public void init(FilterConfig filterConfiguration) throws ServletException { logger.info("MyCustomFilter init"); } public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { request = new MyHttpServletRequestWrapper((HttpServletRequest) request, myCloudPath); chain.doFilter(request, response); } @Override public void destroy() { logger.info("MyCustomFilter destroy"); } }HttpServletRequestWrapper
public class MyHttpServletRequestWrapper extends HttpServletRequestWrapper { public final String redirectUrl; public MyHttpServletRequestWrapper(HttpServletRequest request, String myCloudPath) { super(request); this.redirectUrl = myCloudPath + request.getRequestURI(); } @Override public StringBuffer getRequestURL() { return new StringBuffer(redirectUrl); } }
I encountered the same error when I m setting up a Spring Boot application to authenticate users using Facebook OAuth2 implementation. Nginx (functions as reverse proxy) is configured to front the web app and also to offload the SSL cert.
Initially, I tried to customize the property: redirect-uri-template so that the redirect uri can be hard-coded with https://{domain}/login/oauth2/code/facebook (this is because Facebook only accepts HTTPS protocol for valid OAuth Redirect URI). It didnt work as I encountered the same error: OAuth2AuthenticationException: [invalid_redirect_uri_parameter]
Then, I found the proposed solution in link, which works for me. So, it is basically to set the OAuth2 Login Application with server.use-forward-headers=true and remove the customized property: redirect-uri-template.
Hope it helps :)