Spring Security OAuth - SECOAUTH-237

Use of custom authorization-endpoint-url can cause infinite redirect

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 1.0.0.M6
    • Fix Version/s: None
    • Component/s: OAuth 2
    • Labels: None

    Description

    In certain circumstances, an infinite loop can occur when forwarding the user from the initial Authorization Endpoint authorize method to the user approval page, when using the default user approval page url of "forward:/oauth/approve_access". This url, "/oauth/approve_access", is bound to our own custom controller. We are supplying custom authorization-endpoint-url and token-endpoint-url properties and have configured the required web.xml oauth2EndpointUrlFilter as mentioned in the documentation. This is using the authorization code flow, with the built-in authorization and token endpoint classes.

    To replicate the error, one visits the custom AuthorizationEndpoint url. The first time here in a browser session, the user is prompted to log in, and is redirected to the appropriate user approval page. This is handled as expected by the custom controller. The user clicks the approve button and is redirected to the registered redirect url, as expected.

    If the user then revisits the authorization url, generally by pasting it into the address bar of the web browser (in our case, Firefox 11), then the server goes into an infinite internal forwarding loop through the authorize method of the AuthorizationEndpoint. This method does return the appropriate ModelAndView object, with the view name set to "forward:/oauth/approve_access". However, something in the processing of this forward request fails and it ends up being mapped back to the authorize method.

    In some repeatable cases, if the user instead uses the back button, then they are prompted again with the user approval page. Clicking approve on this page does allow it to continue and issue a new authorization code.

    If we change the user-approval-page url property to "redirect:/oauth/approve_access", leaving everything else the same, the user can then revisit the authorization url and successfully complete the flow. However, pressing the back button now causes a session binding error.

    If we remove the custom authorization-endpoint-url and token-endpoint-url properties, and remove the oauth2EndpointUrlFilter from web.xml, everything works as expected. The user can both revisit the url directly and go back through the session using the back button.

    Therefore, we believe the error to be somewhere in the EndpointValidationFilter class implementation of doFilter.

    People

    • Assignee: Dave Syer (david_syer)
    • Reporter: Amanda Anganes (aanganes)