
Spring security oauth2 redirect uri is not using https after springboot upgrade to 2.6.6


I recently upgraded the project to SpringBoot 2.6.6 from 2.1.3.RELEASE (which in turn upgraded Spring Security from 5.1.4-RELEASE to 5.6.2). In my project, I have the authorization-code flow and it uses the redirect-uri for both the code and token requests from the IDM. And I noticed that the redirect-uri used in the token request is different from the one initially used for the authorization code request. The only difference is that it replaced https with http.

The token request was failing with an HTTP 400 error because of the mismatch in the redirect URI. It works fine with the old version of Spring Boot/Security.

Also, as part of the migration to SpringBoot 2.6.6, we are forced to use the property spring.security.oauth2.client.registration.foo.redirect-uri instead of spring.security.oauth2.client.registration.foo.redirect-uri-template since it's deprecated.

I've configured the redirect-uri property as below:

spring.security.oauth2.client.registration.foo.redirect-uri={baseUrl}/login/oauth2/code/foo

but if I change the value to https://{baseHost}{basePort}{basePath}/login/oauth2/code/foo it's able to get the token and there are no issues in the login process.

Any idea why it's changing the scheme to http for the token request in exchange for the authorization code? Is there any way to set it to https other than specifying the baseScheme?

EDIT: Provider configuration

foo.base.url=https://fooauth.acme.com

spring.security.oauth2.client.provider.foo.authorization-uri=${foo.base.url}/v1/oauth/authorize
spring.security.oauth2.client.provider.foo.token-uri=${foo.base.url}/v1/oauth/token
spring.security.oauth2.client.provider.foo.user-info-uri=${foo.base.url}/v1/users/info
spring.security.oauth2.client.provider.foo.user-name-attribute=userName
spring.security.oauth2.client.provider.foo.logout-uri=${foo.base.url}/v1/oauth/logout?post_logout_redirect_uri=

Solution

  • Finally, I was able to resolve this by following this Spring Security issue. The same is described in this answer.

    I added the bean as below:

    import org.springframework.boot.web.servlet.FilterRegistrationBean;
    import org.springframework.context.annotation.Bean;
    import org.springframework.core.Ordered;
    import org.springframework.web.filter.ForwardedHeaderFilter;

    // Declared inside a @Configuration class. Registers ForwardedHeaderFilter ahead of
    // the security filter chain so the proxy's X-Forwarded-Proto/Host/Port headers are
    // applied to the request before {baseUrl} is resolved for the redirect-uri.
    @Bean
    FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        final FilterRegistrationBean<ForwardedHeaderFilter> filterRegistrationBean =
                new FilterRegistrationBean<>();
        filterRegistrationBean.setFilter(new ForwardedHeaderFilter());
        filterRegistrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return filterRegistrationBean;
    }


    Now I don't even need to split the {baseUrl} into finer variables.
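As an added illustration (not code from the question or from the linked answer), the following Java snippet shows why the bean fixes the scheme: it builds the same scheme://host[:port] base that the {baseUrl} placeholder expands to, once from the raw proxied request and once after ForwardedHeaderFilter has applied the X-Forwarded-* headers. The request, host names and the spring-test mock classes are assumptions made for the demo; the same filter can also be enabled with the Spring Boot property server.forward-headers-strategy=framework.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.web.filter.ForwardedHeaderFilter;
import org.springframework.web.servlet.support.ServletUriComponentsBuilder;

public class ForwardedSchemeDemo {

    // Constructed sample request: TLS ends at the reverse proxy, which reaches the
    // app over plain HTTP and carries the original scheme/host/port in X-Forwarded-*.
    static MockHttpServletRequest proxiedRequest() {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/login/oauth2/code/foo");
        req.setScheme("http");
        req.setServerName("app-internal");   // hypothetical internal listener
        req.setServerPort(8080);
        req.addHeader("X-Forwarded-Proto", "https");
        req.addHeader("X-Forwarded-Host", "app.acme.com");
        req.addHeader("X-Forwarded-Port", "443");
        return req;
    }

    // Same scheme://host[:port] that the {baseUrl} placeholder is built from.
    static String baseUrl(HttpServletRequest req) {
        return ServletUriComponentsBuilder.fromContextPath(req).build().toUriString();
    }

    // Passes the request through ForwardedHeaderFilter and returns the wrapped
    // request that downstream filters (including Spring Security) would see.
    static HttpServletRequest afterForwardedHeaderFilter(HttpServletRequest req)
            throws ServletException, IOException {
        MockFilterChain chain = new MockFilterChain();
        new ForwardedHeaderFilter().doFilter(req, new MockHttpServletResponse(), chain);
        return (HttpServletRequest) chain.getRequest();
    }

    public static void main(String[] args) throws Exception {
        MockHttpServletRequest raw = proxiedRequest();
        // Without the filter the app only knows its own plain-HTTP listener,
        // which is where the http:// redirect-uri in the token request comes from.
        System.out.println("raw request:      " + baseUrl(raw));
        // With the filter the forwarded scheme, host and port are applied, so
        // {baseUrl} expands to the https address the browser actually used.
        System.out.println("after the filter: " + baseUrl(afterForwardedHeaderFilter(raw)));
    }
}
```

Because ForwardedHeaderFilter trusts X-Forwarded-* and Forwarded headers from whoever sent them, register it only behind a proxy that overwrites those headers on every request.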