Results 1 to 4 of 4

Thread: Couple of issues in using spring-security-oauth with Google (OAuth2)

  1. Jul 27th, 2011, 06:14 AM #1
    roshandawrani
    roshandawrani is offline Junior Member
    Join Date
    Jul 2011
    Posts
    9

    Default Couple of issues in using spring-security-oauth with Google (OAuth2)

    Hello,

    I am trying to use spring-security-oauth's OAuth2 support to integrate with Google, and I am facing a couple of issues. Can someone please share some inputs?

    1) It seems Google returns access tokens with token type as "Bearer". OAuth2ClientHttpRequestFactory cannot handle it, as it only handles the cases where token type comes as "OAuth2", or doesn't come at all.

    2) It seems that Google uses "authorization" header as "OAuth <access token>". If I use bearerTokenMethod as "header", then the spring-security-oauth library sends the header as "OAuth2 <access token>", which Google does not understand. And if I use the bearerTokenMethod as "query", then the problem is that the library URL encodes the token value - so a token issued by Google as "1/Whxxxxx" becomes "1%252FWhxxxxx", and the authorization still fails.

    Can anyone more experienced throw some light on it please?

    Thanks,
    Roshan
    Reply With Quote Reply With Quote
  2. Jul 27th, 2011, 11:52 AM #2
    roshandawrani
    roshandawrani is offline Junior Member
    Join Date
    Jul 2011
    Posts
    9

    Default

    It seems there is double encoding happening for the oauth_token processed by spring-security-oauth when it makes the protected resource's URL.

    OAuth2ClientHttpRequestFactory#appendQueryParamete r() first does

    String queryFragment = ((resource.getBearerTokenName() == null) ? "oauth_token" : resource.getBearerTokenName()) + "=" + URLEncoder.encode(accessToken.getValue(), "UTF-8");

    and here if the access token is "1/qIxxx", it changes to '1%2FqIxxx'.

    It then forms the protected resource URI as:

    URI uri = new URI(<scheme>, <user info>, <host>, <port>, <path>, 'oauth_token=1%2FqIxxx', <fragment>)

    The URI constructor does the URL encoding again for the query string passed to it, and oauth_tokens gets double encoded and it becomes "1%252FqIxxx", and hence the issue that the token gets rejected and the request is deemed unauthorized.

    Can someone please comment on whether this first round encoding of query string is a bug or not?

    Thanks.
    Reply With Quote Reply With Quote
  3. Aug 3rd, 2011, 12:01 AM #3
    stoicflame
    stoicflame is offline Senior Member
    Join Date
    May 2008
    Location
    Salt Lake City
    Posts
    167

    Default

    Quote Originally Posted by roshandawrani View Post
    It seems there is double encoding happening for the oauth_token processed by spring-security-oauth when it makes the protected resource's URL.
    Tracked here:

    https://jira.springsource.org/browse/SECOAUTH-90
    Reply With Quote Reply With Quote
  4. Aug 3rd, 2011, 12:03 AM #4
    stoicflame
    stoicflame is offline Senior Member
    Join Date
    May 2008
    Location
    Salt Lake City
    Posts
    167

    Default

    Quote Originally Posted by roshandawrani View Post
    It seems Google returns access tokens with token type as "Bearer". OAuth2ClientHttpRequestFactory cannot handle it, as it only handles the cases where token type comes as "OAuth2", or doesn't come at all.
    Tracking here:

    https://jira.springsource.org/browse/SECOAUTH-89
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules