I am integrating OAuth2 authentication using Spring Security and Keycloak in my Spring Boot application. The setup involves a magic link solution where users click a magic link and are redirected back to the client with an authorization code. However, in the logs I see this when redirecting back to the client:
Securing GET /login/oauth2/code/my-client?session_state=b8080c20-b622-47cd-b504-c95f482ee124&code=d520e689-2519-489b-8161-79169f99fefa.b8080c20-b622-47cd-b504-c95f482ee124
DEBUG 1 --- [nio-8080-exec-6] o.s.s.web.DefaultRedirectStrategy : Redirecting to /login?error
Here is my security config:
import static org.springframework.security.config.Customizer.withDefaults;
import static org.springframework.security.config.http.SessionCreationPolicy.IF_REQUIRED;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;

@Bean
public SecurityFilterChain filterChain(HttpSecurity http,
        InMemoryClientRegistrationRepository clientRegistrationRepository) throws Exception {
    // CSRF protection is disabled here. With session-based (cookie) login this leaves
    // state-changing endpoints open to cross-site request forgery; only safe for token-only APIs.
    http.csrf(AbstractHttpConfigurer::disable);
    // Session handling: create a session only when needed, issue a fresh session id on login
    // (newSession does not carry over attributes of the old session), one session per user.
    http.sessionManagement(sessionManagement -> sessionManagement
            .sessionCreationPolicy(IF_REQUIRED)
            .sessionFixation(SessionManagementConfigurer.SessionFixationConfigurer::newSession)
            .maximumSessions(1)
            .expiredUrl("/404")
            .maxSessionsPreventsLogin(true));
    // OAuth2 / OIDC login with the default callback path /login/oauth2/code/{registrationId}
    http.oauth2Login(withDefaults());
    // oidcLogoutSuccessHandler() is defined elsewhere in this configuration class
    http.logout(logout -> logout.logoutSuccessHandler(oidcLogoutSuccessHandler()));
    http.oauth2Client(withDefaults());
    // Authorization rules
    http.authorizeHttpRequests(authorizeRequests -> authorizeRequests
            .requestMatchers("/", "/login/**", "/oauth2/**", "/api/generate/**").permitAll()
            // Request matchers compare the path only, never the query string, so this entry is
            // already covered by "/login/**" above and has no additional effect.
            .requestMatchers("/login?error").permitAll()
            .requestMatchers("/login/oauth2/code/**").permitAll() // OAuth2 code callback endpoint
            .requestMatchers("/api/sessions").authenticated()
            .requestMatchers("/something").hasAnyRole("admin", "user")
            // Add more matchers for your application as required
            .anyRequest().permitAll() // TODO change to authenticated
    );
    return http.build();
}
I am expecting not to receive the “Securing GET” log because I am allowing the endpoint with “.permitAll()”.
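Two things worth separating when reading those log lines. "Securing GET /login/oauth2/code/my-client" is FilterChainProxy's debug message for every request that the SecurityFilterChain handles; permitAll() only relaxes the authorization decision at the end of the chain, it does not keep the request out of the chain. The callback path /login/oauth2/code/* is consumed earlier in the chain by OAuth2LoginAuthenticationFilter, which exchanges the code for tokens; when that exchange fails, oauth2Login's default failure handler is a SimpleUrlAuthenticationFailureHandler pointed at /login?error, which is the redirect the second log line shows. The failure reason itself is not logged by default. The configuration below is an added example (not code from the question) that keeps the same redirect but logs the OAuth2 error code and description first so the actual cause becomes visible. It assumes Spring Boot 3 / Spring Security 6 on Java 17 (pattern-matching instanceof) and SLF4J on the classpath; the class name OAuth2FailureLoggingConfig is invented for the example.

```java
import static org.springframework.security.config.Customizer.withDefaults;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

// Example configuration (hypothetical class name, not part of the original post)
@Configuration
@EnableWebSecurity
public class OAuth2FailureLoggingConfig {

    private static final Logger log = LoggerFactory.getLogger(OAuth2FailureLoggingConfig.class);

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // Same target as Spring Security's default failure handler for oauth2Login,
        // so the user-visible behaviour (redirect to /login?error) is unchanged.
        SimpleUrlAuthenticationFailureHandler redirectToLoginError =
                new SimpleUrlAuthenticationFailureHandler("/login?error");

        http.oauth2Login(oauth2 -> oauth2
                // AuthenticationFailureHandler is a single-method interface, so a lambda works.
                .failureHandler((request, response, exception) -> {
                    if (exception instanceof OAuth2AuthenticationException oauth2Ex) {
                        // OAuth2Error carries the provider-side error code (e.g. invalid_grant)
                        // and, when Keycloak supplies one, a human-readable description.
                        log.warn("OAuth2 login failed at {}: error={} description={}",
                                request.getRequestURI(),
                                oauth2Ex.getError().getErrorCode(),
                                oauth2Ex.getError().getDescription());
                    } else {
                        // Anything else (e.g. state mismatch surfaced as a plain AuthenticationException)
                        log.warn("OAuth2 login failed at {}: {}",
                                request.getRequestURI(), exception.getMessage(), exception);
                    }
                    redirectToLoginError.onAuthenticationFailure(request, response, exception);
                }));

        http.oauth2Client(withDefaults());

        // The callback path must be reachable; permitAll here controls authorization only,
        // the request still passes through the whole filter chain ("Securing GET ..." is logged).
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login/**", "/oauth2/**").permitAll()
                .anyRequest().authenticated());

        return http.build();
    }
}
```

With this in place the warning line printed just before "Redirecting to /login?error" names the failing step (token exchange, user-info fetch, state/session lookup), which is the information needed to decide whether the Keycloak client, the registered redirect URI, or the session configuration is at fault.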