
Webflux Oauth2 .oauth2Client() doesn't redirect back to the original request after authenticating in the auth server #6341

Closed
@rozagerardo

Description


Summary

When configuring a WebFlux application as an OAuth2 Client using the authorization_code grant type and without implementing the OAuth2Login feature, the application redirects to the "/" path after authenticating in the Authentication Server instead of redirecting back to the original request.

Actual Behavior

1. Call an endpoint in an OAuth2 Client application (without using OAuth2 login) using the Auth Code grant type
2. Authenticate in the Authorization Server
3. Get redirected to the /authorize/oauth2/code/[myclient] endpoint
4. Get redirected to the root ("/") URL

Expected Behavior

1. Call an endpoint in an OAuth2 Client application (without using OAuth2 login) using the Auth Code grant type
2. Authenticate in the Authorization Server
3. Get redirected to the /authorize/oauth2/code/[myclient] endpoint
4. Get redirected to the endpoint we called in the first place

Configuration

1- Set up an application with the following ServerHttpSecurity configuration:

@Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    http.authorizeExchange()
        .anyExchange()
        .permitAll()
        .and()
        .oauth2Client();
    return http.build();
}

2- A client registration:

spring.security.oauth2.client.registration.myclient.client-name=myclient
spring.security.oauth2.client.registration.myclient.client-id=myclient-client-id
spring.security.oauth2.client.registration.myclient.client-secret=myclient-secret
spring.security.oauth2.client.registration.myclient.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.myclient.redirect-uri-template=http://localhost:8080/authorize/oauth2/code/myclient

spring.security.oauth2.client.provider.myclient.token-uri=http://localhost:8085/oauth/token
spring.security.oauth2.client.provider.myclient.authorization-uri=http://localhost:8085/oauth/authorize

Note: In my case, I set up the Client registration using Spring Boot 2.x. The client is registered in a custom Authentication Provider that I configured using Spring Security OAuth, but the issue should be present for well-known providers as well.

3- Configure the WebClient:

@Bean
WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations, ServerOAuth2AuthorizedClientRepository authorizedClients) {
    // Exchange filter that attaches the access token of the authorized client to outgoing requests
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauth = new ServerOAuth2AuthorizedClientExchangeFilterFunction(clientRegistrations, authorizedClients);
    oauth.setDefaultClientRegistrationId("myclient");
    return WebClient.builder()
        .filter(oauth)
        .build();
}

4- And the endpoint that I'm using:

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction.oauth2AuthorizedClient;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

@RestController
public class ClientRestController {

    private static final String RESOURCE_URI = "http://localhost:8084/retrieve-resource";

    @Autowired
    WebClient webClient;

    // @RegisteredOAuth2AuthorizedClient triggers the authorization_code flow for "myclient"
    // when no authorized client exists yet for the current principal
    @GetMapping("/auth-code-oauth")
    Mono<String> useOauthWithAuthCode(@RegisteredOAuth2AuthorizedClient("myclient") OAuth2AuthorizedClient authorizedClient) {
        Mono<String> retrievedResource = webClient.get()
            .uri(RESOURCE_URI)
            .attributes(oauth2AuthorizedClient(authorizedClient))
            .retrieve()
            .bodyToMono(String.class);
        return retrievedResource.map(string -> "We retrieved the following resource using Oauth: " + string);
    }
}

5- Now call the /auth-code-oauth endpoint. We get redirected to the Authentication login form, approve the required scopes, and after being redirected to the specified redirect-uri (/authorize/oauth2/code/myclient) the application retrieves the token, and we are redirected to the root ("/") URL instead of the endpoint that I actually called in the first place. If I make the call to the /auth-code-oauth endpoint again afterwards, the retrieved response is the expected one, since no authentication process is carried out at this point.

A link to the sample is included at the end of the description.

Version

Spring Boot 2.1.1.RELEASE
Spring Security: 5.1.2.RELEASE

Sample

https://github.com/rozagerardo/samples
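The following is an added example, not code from the issue's sample repository or from Spring Security itself. It shows one way to get the behaviour the report expects on top of the configuration above: record the original request in Spring Security's reactive ServerRequestCache at the moment the authorization_code flow is triggered, and turn the "/" landing the code-grant filter redirects to into a bounce back to that saved request. It assumes the client registration id "myclient" from the issue, that nothing else is mapped at "/", that the original request is a GET, and the Spring Security 5.1 WebFlux APIs named in the imports (ServerRequestCache, WebSessionServerRequestCache, DefaultServerRedirectStrategy, SecurityWebFiltersOrder, ClientAuthorizationRequiredException).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.ClientAuthorizationRequiredException;
import org.springframework.security.web.server.DefaultServerRedirectStrategy;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.ServerRedirectStrategy;
import org.springframework.security.web.server.savedrequest.ServerRequestCache;
import org.springframework.security.web.server.savedrequest.WebSessionServerRequestCache;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

// Added example (hypothetical class names); assumes registration id "myclient" and a free "/" path.
@Configuration
public class SavedRequestOAuth2ClientConfig {

    // One cache instance shared by the save filter below, the "/" landing handler and
    // Spring Security's own ServerRequestCacheWebFilter, so all three read the same session entry.
    @Bean
    ServerRequestCache serverRequestCache() {
        WebSessionServerRequestCache cache = new WebSessionServerRequestCache();
        // The default matcher only saves GET requests negotiated as text/html; widen it to
        // any GET so a call made with "Accept: */*" is remembered too.
        cache.setSaveRequestMatcher(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/**"));
        return cache;
    }

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http, ServerRequestCache requestCache) {
        // Innermost filter in the chain: when @RegisteredOAuth2AuthorizedClient cannot find an
        // authorized client, ClientAuthorizationRequiredException travels back through this filter
        // first. Save the original request, then re-emit the error so that
        // OAuth2AuthorizationRequestRedirectWebFilter still redirects to the authorization server.
        WebFilter saveOriginalRequest = (exchange, chain) -> chain.filter(exchange)
            .onErrorResume(ClientAuthorizationRequiredException.class,
                ex -> requestCache.saveRequest(exchange).then(Mono.<Void>error(ex)));

        http.authorizeExchange()
            .anyExchange().permitAll()
            .and()
            .requestCache().requestCache(requestCache)
            .and()
            .oauth2Client()
            .and()
            .addFilterAt(saveOriginalRequest, SecurityWebFiltersOrder.LAST);
        return http.build();
    }
}

@RestController
class SavedRequestLandingController {

    private final ServerRequestCache requestCache;
    private final ServerRedirectStrategy redirectStrategy = new DefaultServerRedirectStrategy();

    SavedRequestLandingController(ServerRequestCache requestCache) {
        this.requestCache = requestCache;
    }

    // OAuth2AuthorizationCodeGrantWebFilter sends the browser to "/" after exchanging the code.
    // If a request was saved before the authorization redirect, bounce back to it (302);
    // otherwise answer 204 so a direct visit to "/" is harmless.
    @GetMapping("/")
    Mono<Void> landing(ServerWebExchange exchange) {
        return requestCache.getRedirectUri(exchange)
            .flatMap(uri -> redirectStrategy.sendRedirect(exchange, uri))
            .switchIfEmpty(Mono.fromRunnable(() ->
                exchange.getResponse().setStatusCode(HttpStatus.NO_CONTENT)));
    }
}
```

The saved entry is removed by Spring Security's ServerRequestCacheWebFilter when the matching original request arrives again, so the bounce happens once per authorization round trip. Only the path and query string are saved, never the response of the original call, and the state parameter check on the callback is still done by the code-grant filter; this workaround only changes where the browser lands after that check succeeds.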

Labels

in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
type: bug (A general bug)