spring-securityspring-socialspring-social-facebookspring-social-google

Spring Social Google used as Sign in Provider fails with 403 after successful Oauth2 login


I need to use both Facebook and Google as OpenId Sing in providers. I have integrated them with Spring Security using the SocialAuthenticationFilter, as described in the documentation and having a look at the sample app.

I have sucessfully configured Facebook.

The problem is when I try to authenticate with Google:

In OAuth2AuthenticationService.getAuthToken():

...
AccessGrant accessGrant = getConnectionFactory().getOAuthOperations().exchangeForAccess(code, returnToUrl, null);

At this point I can see that accessGrant contains an accessToken, so it seems to be correct so far. It fails in the following call:

// TODO avoid API call if possible (auth using token would be fine)
Connection<S> connection = getConnectionFactory().createConnection(accessGrant);

createConnection() ends up calling GoogleConnectionFactory.extractProviderUserId(AccessGrant accessGrant):

Google api = ((GoogleServiceProvider)getServiceProvider()).getApi(accessGrant.getAccessToken());
UserProfile userProfile = getApiAdapter().fetchUserProfile(api);
...

and getApiAdapter().fetchUserProfile(Google) -> google.plusOperations().getGoogleProfile(); throws a 403 exception:

org.springframework.web.client.HttpClientErrorException: 403 Forbidden

Why can't it get the GoogleProfile? Apparently the scope I set and what is prompted to the user is correct...

The complete project is available here: https://github.com/codependent/spring-boot-social-signin

Excerpts from the config:

SecurityConfig:

@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter{

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/secure*").authenticated()
                .and()
            .formLogin()
                .loginPage("/login").permitAll()
                //.loginProcessingUrl("/secure-home")
                .failureUrl("/login?param.error=bad_credentials")
                .and()
            .logout()
                .logoutUrl("/logout")
                .deleteCookies("JSESSIONID")
                .and()
            /*.rememberMe()
                .and()*/
            .apply(new SpringSocialConfigurer());
    }

    @Bean
    public SocialUserDetailsService socialUserDetailsService(){
        return new SocialUserDetailsService(){
            @Override
            public SocialUserDetails loadUserByUserId(String userId) throws UsernameNotFoundException{
                return new SimpleSocialUserDetails(userId);
            }
        }
    }

}

SocialConfig:

@Configuration
@EnableSocial
class SocialConfig extends SocialConfigurerAdapter{

    @Override
    void addConnectionFactories(ConnectionFactoryConfigurer cfConfig, Environment env) {
        FacebookConnectionFactory fcf = new FacebookConnectionFactory(env.getProperty("facebook.clientId"), env.getProperty("facebook.clientSecret"))
        fcf.setScope("public_profile,email")
        cfConfig.addConnectionFactory(fcf)

        GoogleConnectionFactory gcf = new GoogleConnectionFactory(env.getProperty("google.clientId"), env.getProperty("google.clientSecret"))
        gcf.setScope("openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo#email https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/tasks https://www-opensocial.googleusercontent.com/api/people https://www.googleapis.com/auth/plus.login");
        cfConfig.addConnectionFactory(gcf);
    }

    @Bean
    @Scope(value="request", proxyMode=ScopedProxyMode.INTERFACES)
    Facebook facebook(ConnectionRepository repository) {
        Connection<Facebook> connection = repository.findPrimaryConnection(Facebook.class);
        return connection != null ? connection.getApi() : null;
    }

    @Bean
    @Scope(value="request", proxyMode=ScopedProxyMode.INTERFACES)
    Google google(ConnectionRepository repository) {
        Connection<Google> connection = repository.findPrimaryConnection(Google.class);
        return connection != null ? connection.getApi() : null;
    }

    @Override
    UsersConnectionRepository getUsersConnectionRepository(ConnectionFactoryLocator connectionFactoryLocator) {
        //return new JdbcUsersConnectionRepository(dataSource, connectionFactoryLocator, Encryptors.noOpText());
        InMemoryUsersConnectionRepository rep = new InMemoryUsersConnectionRepository(connectionFactoryLocator)
        rep.setConnectionSignUp(new ConnectionSignUp(){
            public String execute(Connection<?> connection){
                Facebook facebook = (Facebook)connection.getApi();
                String [] fields = [ "id", "email",  "first_name", "last_name", "about" , "gender" ];
                User userProfile = facebook.fetchObject(connection.getKey().getProviderUserId(), User.class, fields);
                return userProfile.getEmail();
            }
        })
        return rep;
    }

    @Override
    UserIdSource getUserIdSource() {
        return new AuthenticationNameUserIdSource()
    }

}

Solution

  • Fixed, I had to enable the Google+ API on the Google Developer console.