
Thread: OAuth change the default authorize token and token end point URLs

  1. #11 (Join Date: Jun 2005, Posts: 4,232)

    That looks normal. What's the problem?

  2. #12 (Join Date: Apr 2012, Posts: 26)

    Is that normal? Because in the DEBUG output it complains of insufficient authentication. And I get the following error recursively, which eventually leads to a StackOverflow, and I never see the screen after the sparklr login. Maybe I am asking for too much, but is it possible for you to email me your sparklr app?

    Code:
    [DEBUG] InternalResourceView - Forwarding to resource [/oauth/confirm_access] in InternalResourceView 'null'
    [DEBUG] DispatcherServlet - DispatcherServlet with name 'spring' processing GET request for [/sparklr2/oauth/authorize]
    [DEBUG] RequestMappingHandlerMapping - Looking up handler method for path /oauth/authorize
    [DEBUG] RequestMappingHandlerMapping - Returning handler method [public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map<java.lang.String, java.lang.Object>,java.lang.String,java.util.Map<java.lang.String, java.lang.String>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)]
    [DEBUG] DispatcherServlet - Last-Modified value for [/sparklr2/oauth/authorize] is: -1
    [DEBUG] TokenServicesUserApprovalHandler - Looking up existing token for client_id=tonr, scope=[read]and username=marissa
    [DEBUG] TokenServicesUserApprovalHandler - Existing access token=null
    [DEBUG] TokenServicesUserApprovalHandler - Checking explicit approval
    [DEBUG] AuthorizationEndpoint - Loading user approval page: forward:/oauth/confirm_access
    [DEBUG] DispatcherServlet - Rendering view [org.springframework.web.servlet.view.InternalResourceView: unnamed; URL [/oauth/confirm_access]] in DispatcherServlet with name 'spring'
    [DEBUG] InternalResourceView - Added model object 'org.springframework.validation.BindingResult.authorizationRequest' of type [org.springframework.validation.BeanPropertyBindingResult] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'scope' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'response_type' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'redirect_uri' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'state' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'client_id' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'authorizationRequest' of type [org.springframework.security.oauth2.provider.AuthorizationRequest] to request in view with name 'null'

  3. #13 (Join Date: Jun 2005, Posts: 4,232)

    Insufficient authentication is normal - you haven't logged in yet when you first hit the approval page. The infinite loop is not normal, but someone else already reported a problem (https://jira.springsource.org/browse/SECOAUTH-237). I can't reproduce it yet, so if you can provide a test case that would be great.

    The only change I made to sparklr2 was web.xml:

    Code:
    <web-app>
    
    	<filter>
    		<filter-name>clientCredentialsTokenEndpointFilter</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    		<init-param>
    			<param-name>contextAttribute</param-name>
    			<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
    		</init-param>
    	</filter>
    
    	<filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    		<init-param>
    			<param-name>contextAttribute</param-name>
    			<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
    		</init-param>
    	</filter>
    
    	<filter>
    		<filter-name>oauth2EndpointUrlFilter</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    		<init-param>
    			<param-name>contextAttribute</param-name>
    			<param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.spring</param-value>
    		</init-param>
    	</filter>
    
    	<filter-mapping>
    		<filter-name>oauth2EndpointUrlFilter</filter-name>
    		<url-pattern>/authorize</url-pattern>
    	</filter-mapping>
    
    	<filter-mapping>
    		<filter-name>oauth2EndpointUrlFilter</filter-name>
    		<url-pattern>/token</url-pattern>
    	</filter-mapping>
    
    	<filter-mapping>
    		<filter-name>clientCredentialsTokenEndpointFilter</filter-name>
    		<url-pattern>/token</url-pattern>
    	</filter-mapping>
    
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    
    	<servlet>
    		<servlet-name>spring</servlet-name>
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    
    	<servlet-mapping>
    		<servlet-name>spring</servlet-name>
    		<url-pattern>/</url-pattern>
    	</servlet-mapping>
    
    </web-app>
    and, of course

    Code:
    <oauth:authorization-server ... token-endpoint-url="/token" authorization-endpoint-url="/authorize">

  4. #14 (Join Date: Apr 2012, Posts: 26)

    Even tried narrowing down the filter mapping to the following, with no luck:
    Code:
    <filter-mapping>
    	<filter-name>oauth2EndpointUrlFilter</filter-name>
    	<url-pattern>/authorize</url-pattern>
    </filter-mapping>

    <filter-mapping>
    	<filter-name>oauth2EndpointUrlFilter</filter-name>
    	<url-pattern>/token</url-pattern>
    </filter-mapping>
    Also, the http elements are mapped to a pattern like "/oauth/token"; now that I have removed 'oauth' from the url, should these not be changed? But the same setting works for you.

    Thanks,
    Sam

  5. #15 (Join Date: Apr 2012, Posts: 26)

    I think I found the cause. It has to do with the order in which the filters are executed.
    oauth2EndpointUrlFilter must be executed before springSecurityFilterChain.
    I would need your help to find a proper explanation for it. I think when springSecurityFilterChain is executed before oauth2EndpointUrlFilter, it is trying to authenticate before even mapping the request to the correct url (which is /oauth/authorization for the OAuth app).

    So tonr is actually making a request for '<hostname>/authorize', but oauth2EndpointUrlFilter converts this request to '<hostname>/oauth/authorize' for its internal usage. And since all the http mapping, etc. are done on '/oauth', this conversion should be done before the security filter. Does that make any sense? Can you please let me know the java file corresponding to oauth2EndpointUrlFilter?

    Thanks!

  6. #16 (Join Date: Jun 2005, Posts: 4,232)

    It makes sense that the order of the filters matters. Did your problem go away then?

    The Java filter class is org.springframework.security.oauth2.provider.endpoint.EndpointValidationFilter (not really an accurate name, but it used to do more than it does now).
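The ordering rule worked out in #15 and confirmed in #16 is easy to get wrong in web.xml, because the servlet container builds the filter chain from the order of the <filter-mapping> elements, not from the order of the <filter> declarations. The two fragments below are an added example, not code from the thread or from the sparklr2 sample: the first shows the mapping order that lets springSecurityFilterChain see the raw /authorize path before it has been mapped to /oauth/authorize, the second shows the order from the web.xml in #13, where oauth2EndpointUrlFilter runs first. Filter names are the ones used in this thread.

```xml
<!-- Added example, not from the thread. Only the filter-mapping elements are
     shown; the <filter> declarations (DelegatingFilterProxy with the
     contextAttribute init-param, as posted in #13) are unchanged in both cases. -->

<!-- Ordering that produces the symptom reported above: the security filter
     is mapped first, so for a request to /authorize it runs before the
     endpoint URL filter has rewritten the path to /oauth/authorize. -->
<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>oauth2EndpointUrlFilter</filter-name>
	<url-pattern>/authorize</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>oauth2EndpointUrlFilter</filter-name>
	<url-pattern>/token</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>clientCredentialsTokenEndpointFilter</filter-name>
	<url-pattern>/token</url-pattern>
</filter-mapping>

<!-- Working ordering: the endpoint URL filter is mapped before the security
     filter chain, so by the time Spring Security evaluates its /oauth/**
     rules the request already carries the internal /oauth/... path. -->
<filter-mapping>
	<filter-name>oauth2EndpointUrlFilter</filter-name>
	<url-pattern>/authorize</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>oauth2EndpointUrlFilter</filter-name>
	<url-pattern>/token</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>clientCredentialsTokenEndpointFilter</filter-name>
	<url-pattern>/token</url-pattern>
</filter-mapping>
<filter-mapping>
	<filter-name>springSecurityFilterChain</filter-name>
	<url-pattern>/*</url-pattern>
</filter-mapping>
```

Two things to check when adopting this: the url-patterns on oauth2EndpointUrlFilter must be the external paths you advertise to clients (/authorize and /token here, matching the token-endpoint-url and authorization-endpoint-url attributes on <oauth:authorization-server>), and the security <http> configuration keeps matching on the internal /oauth/** paths, which is why the rewrite has to happen before springSecurityFilterChain runs.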

  7. #17 (Join Date: Apr 2012, Posts: 26)

    It resolved the exception I was getting, but I am not sure what exactly its purpose is.

    My problem statement was that I wanted the authorization url to be http://localhost:8080/sparklr2/authorize?client_id=tonr&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Ftonr2%2Fsparklr%2Fphotos&response_type=code&scope=read&state=Ww495B but I get this error recursively forever with the above url:
    Code:
    [DEBUG] InternalResourceView - Forwarding to resource [/oauth/confirm_access] in InternalResourceView 'null'
    [DEBUG] DispatcherServlet - DispatcherServlet with name 'spring' processing GET request for [/sparklr2/oauth/authorize]
    [DEBUG] RequestMappingHandlerMapping - Looking up handler method for path /oauth/authorize
    [DEBUG] RequestMappingHandlerMapping - Returning handler method [public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map<java.lang.String, java.lang.Object>,java.lang.String,java.util.Map<java.lang.String, java.lang.String>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)]
    [DEBUG] DispatcherServlet - Last-Modified value for [/sparklr2/oauth/authorize] is: -1
    [DEBUG] TokenServicesUserApprovalHandler - Looking up existing token for client_id=tonr, scope=[read]and username=marissa
    [DEBUG] TokenServicesUserApprovalHandler - Existing access token=null
    [DEBUG] TokenServicesUserApprovalHandler - Checking explicit approval
    [DEBUG] AuthorizationEndpoint - Loading user approval page: forward:/oauth/confirm_access
    [DEBUG] DispatcherServlet - Rendering view [org.springframework.web.servlet.view.InternalResourceView: unnamed; URL [/oauth/confirm_access]] in DispatcherServlet with name 'spring'
    [DEBUG] InternalResourceView - Added model object 'org.springframework.validation.BindingResult.authorizationRequest' of type [org.springframework.validation.BeanPropertyBindingResult] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'scope' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'response_type' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'redirect_uri' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'state' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'client_id' of type [java.lang.String] to request in view with name 'null'
    [DEBUG] InternalResourceView - Added model object 'authorizationRequest' of type [org.springframework.security.oauth2.provider.AuthorizationRequest] to request in view with name 'null'
    But with the same request made from Tonr, things are different. What's happening here is that with the Spring OAuth based client (tonr) I make a request to 'sparklr/authorize' but it is mapped to 'sparklr/oauth/authorize'. I am not sure whether a non Spring-OAuth client making a request to 'sparklr/authorize' will work or not, based on the following observation:

    I added some debug code here and observed the request uri is '/sparklr/oauth/authorize' when the request comes from tonr, while in sparklr.properties I set userAuthorizationUri=http://localhost:8080/sparklr2/authorize. Does that mean the OAuth-Spring Client is actually making a request to '/sparklr/oauth/authorize'?
    Code:
    protected boolean matches(HttpServletRequest request, String urlToMatch) {
    	String uri = extractUri(request);
    	System.out.println("&&uri:" + uri);
    	String contextPath = prependContextPath(request, urlToMatch);
    	System.out.println("&&prepended Path:" + contextPath);
    	return matcher.match(contextPath, uri);
    }
    When request comes via Tonr app:
    Code:
    &&uri:/sparklr2/oauth/authorize
    &&prepended Path:/sparklr2/authorize
    When I directly hit http://localhost:8080/sparklr2/autho...r&redirect_uri..
    Code:
    &&uri:/sparklr2/authorize
    &&prepended Path:/sparklr2/authorize
    Last edited by saamy; Apr 13th, 2012 at 09:16 AM.

  8. #18 (Join Date: Apr 2012, Posts: 26)

    Sorry if I am unable to explain it in simple words. In short, my question is why the http://localhost:8080/sparklr2/autho...r&redirect_uri.. url is not working directly? Why is it working only with the Tonr app? Even with tonr, the allow/deny page's url is actually 'sparklr2/oauth/authorize'. Considering this, do you think it would work with a non-spring-oauth based client app?

  9. #19 (Join Date: Apr 2012, Posts: 26)

    I just went through the other post you mentioned. I think it does work with a spring-oauth based client making the request if you provide the correct filter ordering. But when you paste the url directly in the browser, it doesn't work (infinite loop). From this I believe that it would give the same problem with a non-spring-oauth client, because it would do nothing more than call this url directly.

    To replicate it:
    Once you reach the approval screen, look at the url; it's the default one '/sparklr/oauth/authorize..'. Copy it to your browser and remove 'oauth' from the url, '/sparklr/authorize..' (as configured), and you will see the infinite loop.

  10. #20 (Join Date: Jun 2005, Posts: 4,232)

    I'm not really following this. Tonr *is* a Spring OAuth client app, but it doesn't do anything special with the requests. The filter chain ensures that the client (any client) can send a request to /authorize and the AuthorizationEndpoint can handle it (when it is mapped to /oauth/authorize). Nothing fancy there and nothing to do with the client.

    The approval screen in my sparklr2 app is /oauth/confirm_access, so that's what you should see when the user is approving the access by tonr, so your last paragraph is not making any sense to me. Did you configure the user-approval-page to be the same as the authorization-endpoint (I can see why that might lead to an infinite loop, but it's a config error)?
