oauth-2.0spring-socialspring-social-facebook

What could cause the original 'OAuth2' state parameter to be null in org.springframework.social.connect.web.ConnectSupport?


I am trying to use Spring Social on my application and I noticed while debugging that the original 'OAuth2' state parameter is always null on my app.

See Spring Social source code for org.springframework.social.connect.web.ConnectSupport below:

private void verifyStateParameter(NativeWebRequest request) {
    String state = request.getParameter("state");
    String originalState = extractCachedOAuth2State(request);//Always null...
    if (state == null || !state.equals(originalState)) {
        throw new IllegalStateException("The OAuth2 'state' parameter is missing or doesn't match.");
    }
}

private String extractCachedOAuth2State(WebRequest request) {
    String state = (String) sessionStrategy.getAttribute(request, OAUTH2_STATE_ATTRIBUTE);
    sessionStrategy.removeAttribute(request, OAUTH2_STATE_ATTRIBUTE);
    return state;       
}

Can anyone please help?

edit: I do see the state parameter being passed back by facebook:

Request URL:https://www.facebook.com/v2.5/dialog/oauth?client_id=414113641982912&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fconnect%2Ffacebook&scope=public_profile&state=0b7a97b5-b8d1-4f97-9b60-e3242c9c7eb9
Request Method:GET
Status Code:302 
Remote Address:179.60.192.36:443

edit 2: By the way, the exception I get is the following:

Exception while handling OAuth2 callback (The OAuth2 'state' parameter is missing or doesn't match.). Redirecting to facebook connection status page.

Solution

  • It turned out that the issue was caused by the fact that I was relying on headers - as opposed to cookies - to manage the session.

    By commenting out the following spring session configuration bean:

    @Bean
    public HttpSessionStrategy sessionStrategy(){
        return new HeaderHttpSessionStrategy();
    }
    

    The oauth2 state parameter issue was sorted.

    P.S. Now I have got to find a way to get Spring Social to work with my current configuration of Spring Session...

    Edit: I managed to keep the HeaderHttpSessionStrategy (on the spring session side) and get it to work by implementing my own SessionStrategy (on the spring social side) as follows:

    public class CustomSessionStrategy implements SessionStrategy {
    
        public void setAttribute(RequestAttributes request, String name, Object value) {
            request.setAttribute(name, value, RequestAttributes.SCOPE_SESSION);
        }
    
        public Object getAttribute(RequestAttributes request, String name) {
            ServletWebRequest servletWebRequest = (ServletWebRequest) request;
            return servletWebRequest.getParameter(name);
        }
    
        public void removeAttribute(RequestAttributes request, String name) {
            request.removeAttribute(name, RequestAttributes.SCOPE_SESSION);
        }
    }