SpringAddonsServerOAuth2AuthorizationRequestResolver and POST_AUTHENTICATION_SUCCESS_URI_SESSION_ATTRIBUTE

[rgambelli]

Hi, I'm using spring-addons 7.6.12 and I would like some help.

Currently in my application, after login, I end always in / even if I enter a different url, for example https://my-app/detail/123

In method savePostLoginUrisInSession of SpringAddonsServerOAuth2AuthorizationRequestResolver I see this:

Optional.ofNullable(
	Optional.ofNullable(headers.getFirst(SpringAddonsOidcClientProperties.POST_AUTHENTICATION_SUCCESS_URI_HEADER))
			.orElse(Optional.ofNullable(params.getFirst(SpringAddonsOidcClientProperties.POST_AUTHENTICATION_SUCCESS_URI_PARAM)).orElse(null)))
	.filter(StringUtils::hasText).map(URI::create).ifPresent(postLoginSuccessUri -> {
		session.getAttributes().put(SpringAddonsOidcClientProperties.POST_AUTHENTICATION_SUCCESS_URI_SESSION_ATTRIBUTE, postLoginSuccessUri);
	});

and for what I understand I should pass the query parameter post_login_success_uri, now I tried to do it but it doesn't work, I am always redirected to /.

Debugging your code I see that no parameters at all are present in request.

Regardless of this, why should I pass a specific parameter? If I type https://my-app/detail/123, why am I redirected to the home page?

Some clearification about my architecture:

• nginx
• a single page application which is my front-end
• keycloak-server
• springboot 3.3.x acting as bff-server, it depends on spring-addons 7.6.12, on spring-boot-starter-oauth2-client, on spring-boot-starter-oauth2-resource-server and on spring-cloud-starter-gateway. This springboot uses spring-addons to implement openid protocol and authentication via keycloak-server
• much other springboot representing other microservices

Another request for info

In method postProcess of SpringAddonsServerOAuth2AuthorizationRequestResolver:

private OAuth2AuthorizationRequest postProcess(OAuth2AuthorizationRequest request) {
	final var modified = OAuth2AuthorizationRequest.from(request);
	final var original = URI.create(request.getRedirectUri());
	final var redirectUri =		UriComponentsBuilder.fromUri(clientUri).path(original.getPath()).query(original.getQuery()).fragment(original.getFragment()).build().toString();
	modified.redirectUri(redirectUri);
	log.debug("Changed OAuth2AuthorizationRequest redirectUri from {} to {}", original, redirectUri);
	return modified.build();
}

the redirectUri is missing schema:host:port so for keycloak is an invalid redirect_uri, so I set com.c4-soft.springaddons.oidc.client.client-uri and it worked but here another problem arises for me because my application is multitenant and I have different host name for each tenant, for example:

• https://my-app-tenantA
• https://my-app-tenantB
• etc...

but client-uri property is unique, Is there a way to specify a dynamic client-uri?

Thanks

[ch4mpy]

post log in/out request parameters & headers were introduced in 7.3.0. So, it should work with your version, even if you'd better bump Boot and addons versions to 3.5.5 and 8.1.23. If you observe empty values for post-login-redirect-host, post-login-redirect-path, post-logout-redirect-host, and post-logout-redirect-path when debugging the BFF, you should double-check that your frontend sends them. The issue is probably there.

As per its Javadoc, the client-uri property is intended to hold the public URI for the OAuth2 client: the BFF, not the frontend(s).

During an authorization code flow, the user-agent is redirected:

1. To the BFF to initialise the flow
2. To the authorization server for login
3. To the OAuth2 client to exchange the code for tokens.
4. Back to the frontend

The URI used to redirect the user-agent to the BFF at steps 1. and 3. is specific to each BFF instance and must be publicly available. Also, due to the implementation of session cookies' security, the BFF and frontend assets must satisfy the SameSite policy (LAX by default, which is a reasonable value). In the Baeldung article, I use a reverse proxy in front of the BFF and all front-ends for that purpose. The client-uri property is super useful in this situation, as you can set it with a URI through the reverse proxy. The OAuth2 redirections URIs to the BFF for steps 1. and 3. will point to the reverse proxy (instead of the BFF internal URI).

If the post-login-redirect-host, post-login-redirect-path, post-logout-redirect-host, and post-logout-redirect-path request parameters are passed by the frontend at step 1., the BFF saves this in session, and redirects there after it exchanges the code for tokens (step 4.)

Before 7.3.0, the frontend had to save its current route somewhere (localstorage?) before step 1., and restore it after step 4., when it starts again. This could not satisfy use cases like yours, where the BFF is a single Backend For several Frontends: we had to create a BFF instance for each frontend URL.

[rgambelli]

Really thanks @ch4mpy for your clearification, unfortunately in my scenario can't work, try to explain the reason:

in my previous comment I stated we have multiple host representing each one a different tenant, the reality is a bit more complicated:
we have 4 single-page-application, each one with a different host and each host differentiated for tenant, so for example:

• tenantA-appA.myorg.com
• tenantA-appB.myorg.com
• tenantB-appA.myorg.com
• tenantB-appB.myorg.com

And only one bff-server, at least we would like to have just one, and so far it has worked splendidly.

Our problems are arising after replaced DefaultServerOAuth2AuthorizationRequestResolver with spring-addons SpringAddonsServerOAuth2AuthorizationRequestResolver which requires client-uri as you have already said.
We replaced it to use your post-login-uri feature, but while doing so, we discovered that the client-uri is mandatory property, without which redirection doesn't work

Having no public host for bff, because we like having it "back spa hosts", we don't know what set in client-uri, I can't set for example tenantA-appA.myorg.com, may I ask why client-uri is necessary? I mean, Spring's default resolver does not use it, and we have never had any problems.

Finally I'm not able to understand if migrating to spring-addons greater than 7.6.12 to use post-login-redirect-host could help in my scenario.

Thanks again

[ch4mpy]

You'd better design your URLs like:

• https://myorg.com/api for the shared BFF
• https://myorg.com/tenant-x/app-y/ for the frontends

The client-uri would be set with https://myorg.com/api, and the post-login request parameters would point to https://myorg.com/tenant-x/app-y/what/ever, which might be taken by the frontends from window.location

If the session and CSRF cookies are set with / as path, this should work.

[ch4mpy]

@rgambelli, I moved parts of my 2nd comment to the 1st to make it more complete. Please mark it as an answer if you have enough elements.