Spring OAuth redirect_uri not using https

Question

I have a Spring Boot 1.3.0 application with Spring Security OAuth included as a sort of SSO integration.

The problem is that the application is running in a non-SSL environment with a non-standard port behind a load balancer (F5) that forces SSL and the OAuth provider requires all redirect URLs be registered as https, but the Spring OAuth client (auto-configured with @EnableOAuthSso) will only redirect to the OAuth provider with the following URL...

https://[provider_host]/oauth/authorize?client_id=[redact]&redirect_uri=http://[application_host]/login&response_type=code&scope=[redact]&state=IpMYTe

Note that the return redirect_uri is generated as http. Even though the F5 will force it to https on the way back, our OAuth provider will not allow a non-SSL redirect URI. How can I configure this?

With the exception of my Spring Data JPA controllers, this is the entirety of the app...

AppConfig.java

@SpringBootApplication(exclude = { HibernateJpaAutoConfiguration.class })
@EnableJpaRepositories
public class AppConfig extends SpringBootServletInitializer {

    public static void main(final String... args) {
        SpringApplication.run(AppConfig.class, args);
    }

    @Autowired
    public DataSource dataSource;

    @Bean(name = "entityManagerFactory")
    public LocalContainerEntityManagerFactoryBean getEntityManagerFactoryInfo() {
        final LocalContainerEntityManagerFactoryBean fac = new LocalContainerEntityManagerFactoryBean();
        fac.setDataSource(dataSource);
        fac.setJpaVendorAdapter(new HibernateJpaVendorAdapter());
        fac.setPackagesToScan("[redact]");

        final Properties props = new Properties();
        props.put("hibernate.dialect", "org.hibernate.dialect.SQLServerDialect");
        props.put("hibernate.show_sql", "true");
        props.put("hibernate.format_sql", "true");
        fac.setJpaProperties(props);

        return fac;
    }

    @Bean(name = "transactionManager")
    public PlatformTransactionManager getTransactionManager() {
        final JpaTransactionManager transactMngr = new JpaTransactionManager();
        transactMngr.setEntityManagerFactory(getEntityManagerFactoryInfo().getObject());
        return transactMngr;
    }

}

SecurityConfig.java

@Configuration
@EnableOAuth2Sso
public class SecurityConfig {

}

application.properties

server.port=9916
server.contextPath=

server.use-forward-headers=true

security.oauth2.client.clientId=[redact]
security.oauth2.client.clientSecret=[redact]
security.oauth2.client.scope=[redact]
security.oauth2.client.accessTokenUri=https://[provider_host]/oauth/token
security.oauth2.client.userAuthorizationUri=https://[provider_host]/oauth/authorize
security.oauth2.resource.userInfoUri=https://[provider_host]/oauth/me
security.oauth2.resource.preferTokenInfo=false

logging.level.org.springframework=TRACE

Answer 1

After digging manually through the configuration classes I was able to find and add the following, which did the trick...

security.oauth2.client.pre-established-redirect-uri=https://[application_host]/login
security.oauth2.client.registered-redirect-uri=https://[application_host]/login
security.oauth2.client.use-current-uri=false

I'm not convinced there isn't a better way to solve the problem of forcing a HTTPS redirect URL, but this fix worked for me.

Answer 2

You may need to ensure that your application understands x-forwarded headers from your load balancer.

Putting this in my application.yml fixed my very similar problem with an application behind an AWS ELB:

server:
  tomcat:
    remote-ip-header: x-forwarded-for
    protocol-header: x-forwarded-proto

Edit: This can be simplified with the more generic configuration:

server:
  use-forward-headers: true

For Apache Tomcat use RemoteIpValve in server.xml (above AccessLogValve):

    <Valve className="org.apache.catalina.valves.RemoteIpValve" 
        protocolHeader="X-Forwarded-Proto" />

See also: https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html.

Answer 3

My answer is for people using latest spring version, as the answers suggested above didnt work for me. I am using Spring Boot 2.3.5.RELEASE.

I had a the same issue, I am using Azure AD for oauth2 authentication. My application runs behind the reverse proxy and redirect uri formed was taking http rather than https.

After reading the document https://docs.spring.io/spring-security/site/docs/5.2.x/reference/html/oauth2.html#oauth2Client-auth-code-redirect-uri , I added below line in the application.properties files and it worked for me

spring.security.oauth2.client.registration.azure.redirect-uri=https://{baseHost}{basePort}{basePath}/login/oauth2/code/azure

Answer 4

Since you have mentioned the use of oauth I think this will help someone to understand the flow of operation. This answer only applies if you are using a reverse proxy such as NGINX.

Cause of the problem,  

Your spring boot application is running on the server with a address simlar to http://localhost:8080 . That's what all the spring boot app know about its host. You can inspect this behavior if you check the redirect url in facebook(or other oauth client) error page. It will look something like https://graph.facebook.com/v3.0/me?fields=id,first_name,middle_name,last_name,name,email,verified,is_verified,picture.width(250).height(250),link&redirect_url=http%3A%2F%2Flocalhost%2Flogin%2Ffacebook

See the redirect_url is wrong.

So we need to somehow tell the application that it is hosted under this address.

Quick fix

If you are only looking to fix Facebook OAuth ( Or other oAuth provider), Adding following lines to client will fix.

facebook:
  client:
     preEstablishedRedirectUri: https://yourdomain.com/
     useCurrentUri: false

But, this will only fix the issue at hand ( Also not flexible). But if you need a more concrete solution which is portable, you need to solve this at the reverse proxy.

Open your nginx configuration for the app and change it reflecting as follows.

location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Will add the user's ip to the request, some apps need this
        proxy_set_header X-Forwarded-Proto $scheme; # will forward the protocole i.e. http, https
        proxy_set_header X-Forwarded-Port $server_port; # Will forward the port 
        proxy_set_header Host $host;                    # !Important will forward the host address
        proxy_pass http://localhost:8080/;
}

Okay so now, nginx is sending the information which were previously hidden to the spring boot app. But yet, spring app is not using this information. To tell it to use these information add the following line to the application.yml.

server.use-forward-headers = true

If you have your reverse proxy in a different node of the same network, you may want to configure the ip of the reverse proxy server with the following. ( replace with your IP)

server.tomcat.internal-proxies=192\.65\.210\.55

Answer 5

I had the same problem. I add theses two parameters to force HTTPS in redirect_uri :

preEstablishedRedirectUri: https://...
useCurrentUri: false

It works : "redirect_uri" is now using HTTPS

Answer 6

you may need to use spring.oauth2.client.access-token-uri

configuration parameter changed after 1.3.0.M1

https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-1.3.0-M1-Configuration-Changelog