
How to use PKCE without secret using Spring Security Oauth?


I am following this tutorial at https://www.baeldung.com/spring-security-pkce-secret-clients

In this example it is using PKCE with Spring Security OAuth. However, I noticed that it still sets the client-secret value. I thought PKCE didn't require a secret, since it is meant for public clients (mobile or JavaScript apps) that cannot keep a secret hidden.

If I comment out the clientSecret value, the login no longer works. Here is the main PKCE client configuration on the authorization server, persisted with JPA (I updated this method to save the client from a @PostConstruct method):

     @PostConstruct
    /**
     * Registers the {@code pkce-client} public client once the bean is initialised.
     * <p>
     * The client is registered with {@link ClientAuthenticationMethod#NONE}, i.e. no
     * client secret at all, and {@code requireProofKey(true)} so the authorization
     * server demands a PKCE {@code code_challenge} on every authorization-code request.
     * Consent is switched off for this client.
     */
    private void saveRegisteredClient() {
        final String clientId = "pkce-client";
        // Development-only reset: every stored client is wiped on startup.
        // NOTE(review): this runs before the lookup below; if clientRepository backs the
        // same table as jpaRegisteredClientRepository the "exists" branch can never be
        // taken — confirm whether the wipe is still wanted.
        clientRepository.deleteAll(); //this is for dev purpose only

        RegisteredClient existing = jpaRegisteredClientRepository.findByClientId(clientId);
        if (existing != null) {
            LOG.info("registered client exists");
            return;
        }

        // Public-client settings: no consent screen, PKCE mandatory.
        ClientSettings publicClientSettings = ClientSettings.builder()
                .requireAuthorizationConsent(false)
                .requireProofKey(true)
                .build();

        RegisteredClient pkceClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId(clientId)
                .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // Loopback redirect targets of the Spring OAuth2 client running on port 8080.
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce")
                .redirectUri("http://127.0.0.1:8080/authorized")
                //.postLogoutRedirectUri("http://127.0.0.1:8080/logged-out")
                .scope(OidcScopes.OPENID)
                .scope(OidcScopes.PROFILE)
                .scope(OidcScopes.EMAIL)
                .scope("message.read")
                .scope("message.write")
                .clientSettings(publicClientSettings)
                .build();

        jpaRegisteredClientRepository.save(pkceClient);
        LOG.info("saved registeredClient");
    }

(Update: the following is the pkce-client configuration from my application.yaml):

spring:
  security:
    oauth2:
      client:
        provider:
          katlock:
            # The authorization server; its metadata is discovered from this issuer.
            issuer-uri: http://localhost:8085
        registration: 
          pkce:
            provider: katlock
            # Must match the clientId registered on the authorization server.
            client-id: pkce-client
            # No client-secret is configured: this registration is a public client.
            # NOTE(review): with authorization_code and no secret the client authentication
            # method should default to "none" — confirm, or set it explicitly with
            # client-authentication-method: none. The client trace above shows the
            # authorize redirect already carrying code_challenge/code_challenge_method=S256.
            # Subset of the scopes registered on the server (openid, profile, email, ...).
            scope: openid,email

Here is my client's trace log after attempting to log in:


2023-04-29T10:42:38.404-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Request 'GET /login/oauth2/code/pkce' doesn't match 'null /oauth2/authorization/{registrationId}'
2023-04-29T10:42:38.404-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Checking match of request : '/login/oauth2/code/pkce'; against '/login/oauth2/code/{registrationId}'
2023-04-29T10:42:38.733-06:00 DEBUG 66101 --- [ctor-http-nio-2] o.s.s.w.s.a.AuthenticationWebFilter      : Authentication failed: [invalid_request] 
2023-04-29T10:42:38.733-06:00 DEBUG 66101 --- [ctor-http-nio-2] o.s.s.w.s.DefaultServerRedirectStrategy  : Redirecting to '/login?error'
2023-04-29T10:42:38.737-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Request 'GET /login' doesn't match 'null /oauth2/authorization/{registrationId}'
2023-04-29T10:42:38.737-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Request 'GET /login' doesn't match 'null /login/oauth2/code/{registrationId}'
2023-04-29T10:42:38.738-06:00 DEBUG 66101 --- [ctor-http-nio-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=GET}
2023-04-29T10:42:38.738-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Checking match of request : '/login'; against '/login'
2023-04-29T10:42:38.738-06:00 DEBUG 66101 --- [ctor-http-nio-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : matched

The following is the trace log from the spring-authorization-server:

2023-04-29T10:42:38.198-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@7c5fbde4, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7021bb55, org.springframework.security.web.context.SecurityContextHolderFilter@a3f1f32, org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.AuthorizationServerContextFilter@1dc987b, org.springframework.security.web.header.HeaderWriterFilter@10efb806, org.springframework.security.web.csrf.CsrfFilter@7d5176d6, org.springframework.security.web.authentication.logout.LogoutFilter@4e6add8d, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter@4512f5f1, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter@1722ede1, org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter@671561b9, org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter@6bca6c4c, org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter@30a99b85, org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter@6b6cf3c1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@580a5b6e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@14927cd4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6023b54f, org.springframework.security.web.access.ExceptionTranslationFilter@128ebca1, 
org.springframework.security.web.access.intercept.AuthorizationFilter@e9947af, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter@430dbcb0, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter@c680819, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter@273e622f, org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter@2ac00dc9]] (1/2)
2023-04-29T10:42:38.200-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@5eaa4ed0, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@462deb2b, org.springframework.security.web.context.SecurityContextHolderFilter@3f9ee527, org.springframework.security.web.header.HeaderWriterFilter@104e6540, org.springframework.security.web.csrf.CsrfFilter@3344c1d7, org.springframework.security.web.authentication.logout.LogoutFilter@57330423, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@11f752d1, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@3b22bcad, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@381c826c, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2a41d17a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@58a5b69c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@13563e64, org.springframework.security.web.access.ExceptionTranslationFilter@73b034ca, org.springframework.security.web.access.intercept.AuthorizationFilter@c3e5e3c]] (2/2)
2023-04-29T10:42:38.202-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Securing POST /login
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/14)
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/14)
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/14)
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/14)
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (5/14)
2023-04-29T10:42:38.207-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (6/14)
2023-04-29T10:42:38.207-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2023-04-29T10:42:38.207-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy        : Invoking UsernamePasswordAuthenticationFilter (7/14)
2023-04-29T10:42:38.207-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.s.authentication.ProviderManager     : Authenticating request with DaoAuthenticationProvider (1/1)
2023-04-29T10:42:38.362-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.s.a.dao.DaoAuthenticationProvider    : Authenticated user
2023-04-29T10:42:38.362-06:00 TRACE 65972 --- [nio-8085-exec-6] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/2)
2023-04-29T10:42:38.363-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.s.w.s.HttpSessionEventPublisher      : Publishing event: org.springframework.security.web.session.HttpSessionIdChangedEvent[source=org.apache.catalina.session.StandardSessionFacade@5a48451d]
2023-04-29T10:42:38.363-06:00 DEBUG 65972 --- [nio-8085-exec-6] .s.ChangeSessionIdAuthenticationStrategy : Changed session id from 8BFE6EA832F8D2184E77CDA4EEA1F88A
2023-04-29T10:42:38.364-06:00 TRACE 65972 --- [nio-8085-exec-6] s.CompositeSessionAuthenticationStrategy : Preparing session with CsrfAuthenticationStrategy (2/2)
2023-04-29T10:42:38.364-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.s.w.csrf.CsrfAuthenticationStrategy  : Replaced CSRF Token
2023-04-29T10:42:38.364-06:00 DEBUG 65972 --- [nio-8085-exec-6] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user1, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=8BFE6EA832F8D2184E77CDA4EEA1F88A], Granted Authorities=[ROLE_USER]]] to HttpSession [org.apache.catalina.session.StandardSessionFacade@5a48451d]
2023-04-29T10:42:38.364-06:00 DEBUG 65972 --- [nio-8085-exec-6] w.a.UsernamePasswordAuthenticationFilter : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user1, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=8BFE6EA832F8D2184E77CDA4EEA1F88A], Granted Authorities=[ROLE_USER]]
2023-04-29T10:42:38.365-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.s.web.DefaultRedirectStrategy        : Redirecting to http://localhost:8085/oauth2/authorize?response_type=code&client_id=pkce-client&scope=openid%20email&state=jyGXRa-WQVB6Yn7MIRiD2sQ08dJb1-oQHQaqfN5Vo90%3D&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/pkce&nonce=R7viP02frx6WgoaY8xi9Vvr3yEOzALxEgsUCtc46q3U&code_challenge=4n3E5Km3qT4lDmVkMU9QBMp2YRpXYXT8sx_qA2eTIf0&code_challenge_method=S256&continue
2023-04-29T10:42:38.365-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
2023-04-29T10:42:38.367-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@7c5fbde4, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7021bb55, org.springframework.security.web.context.SecurityContextHolderFilter@a3f1f32, org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.AuthorizationServerContextFilter@1dc987b, org.springframework.security.web.header.HeaderWriterFilter@10efb806, org.springframework.security.web.csrf.CsrfFilter@7d5176d6, org.springframework.security.web.authentication.logout.LogoutFilter@4e6add8d, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter@4512f5f1, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter@1722ede1, org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter@671561b9, org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter@6bca6c4c, org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter@30a99b85, org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter@6b6cf3c1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@580a5b6e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@14927cd4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6023b54f, org.springframework.security.web.access.ExceptionTranslationFilter@128ebca1, 
org.springframework.security.web.access.intercept.AuthorizationFilter@e9947af, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter@430dbcb0, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter@c680819, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter@273e622f, org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter@2ac00dc9]] (1/2)
2023-04-29T10:42:38.368-06:00 DEBUG 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Securing GET /oauth2/authorize?response_type=code&client_id=pkce-client&scope=openid%20email&state=jyGXRa-WQVB6Yn7MIRiD2sQ08dJb1-oQHQaqfN5Vo90%3D&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/pkce&nonce=R7viP02frx6WgoaY8xi9Vvr3yEOzALxEgsUCtc46q3U&code_challenge=4n3E5Km3qT4lDmVkMU9QBMp2YRpXYXT8sx_qA2eTIf0&code_challenge_method=S256&continue
2023-04-29T10:42:38.368-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/22)
2023-04-29T10:42:38.370-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/22)
2023-04-29T10:42:38.370-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/22)
2023-04-29T10:42:38.370-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Invoking AuthorizationServerContextFilter (4/22)
2023-04-29T10:42:38.370-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (5/22)
2023-04-29T10:42:38.372-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (6/22)
2023-04-29T10:42:38.372-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.csrf.CsrfFilter         : Did not protect against CSRF since request did not match And [CsrfNotRequired [TRACE, HEAD, GET, OPTIONS], Not [Or [org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer$BearerTokenRequestMatcher@6cd1ee]]]
2023-04-29T10:42:38.372-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (7/22)
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Invoking OAuth2AuthorizationServerMetadataEndpointFilter (8/22)
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy        : Invoking OAuth2AuthorizationEndpointFilter (9/22)
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user1, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=8BFE6EA832F8D2184E77CDA4EEA1F88A], Granted Authorities=[ROLE_USER]]] from SPRING_SECURITY_CONTEXT
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.s.authentication.ProviderManager     : Authenticating request with OAuth2AuthorizationCodeRequestAuthenticationProvider (1/13)
2023-04-29T10:42:38.402-06:00 DEBUG 65972 --- [nio-8085-exec-7] o.s.s.web.DefaultRedirectStrategy        : Redirecting to http://127.0.0.1:8080/login/oauth2/code/pkce?code=NFXzAwY7OBR2fwFfCvY8fkhPwpCutePxi1-H77yRhKUlC8ShX65XeMJxJxX9ovoLeW3Z2ugvDGhNif2unYAnqqZ26qPOZKKrrQrrs7YE-f_aqkXCwdim3FriyKddoOG4&state=jyGXRa-WQVB6Yn7MIRiD2sQ08dJb1-oQHQaqfN5Vo90%3D
2023-04-29T10:42:38.402-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
2023-04-29T10:42:38.704-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@7c5fbde4, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7021bb55, org.springframework.security.web.context.SecurityContextHolderFilter@a3f1f32, org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.AuthorizationServerContextFilter@1dc987b, org.springframework.security.web.header.HeaderWriterFilter@10efb806, org.springframework.security.web.csrf.CsrfFilter@7d5176d6, org.springframework.security.web.authentication.logout.LogoutFilter@4e6add8d, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter@4512f5f1, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter@1722ede1, org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter@671561b9, org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter@6bca6c4c, org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter@30a99b85, org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter@6b6cf3c1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@580a5b6e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@14927cd4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6023b54f, org.springframework.security.web.access.ExceptionTranslationFilter@128ebca1, 
org.springframework.security.web.access.intercept.AuthorizationFilter@e9947af, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter@430dbcb0, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter@c680819, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter@273e622f, org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter@2ac00dc9]] (1/2)
2023-04-29T10:42:38.705-06:00 DEBUG 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Securing POST /oauth2/token
2023-04-29T10:42:38.705-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/22)
2023-04-29T10:42:38.706-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/22)
2023-04-29T10:42:38.707-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/22)
2023-04-29T10:42:38.708-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking AuthorizationServerContextFilter (4/22)
2023-04-29T10:42:38.708-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (5/22)
2023-04-29T10:42:38.708-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (6/22)
2023-04-29T10:42:38.710-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.csrf.CsrfFilter         : Did not protect against CSRF since request did not match And [CsrfNotRequired [TRACE, HEAD, GET, OPTIONS], Not [Or [org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer$BearerTokenRequestMatcher@6cd1ee]]]
2023-04-29T10:42:38.710-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (7/22)
2023-04-29T10:42:38.710-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2023-04-29T10:42:38.711-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking OAuth2AuthorizationServerMetadataEndpointFilter (8/22)
2023-04-29T10:42:38.711-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking OAuth2AuthorizationEndpointFilter (9/22)
2023-04-29T10:42:38.711-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking OidcProviderConfigurationEndpointFilter (10/22)
2023-04-29T10:42:38.711-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking NimbusJwkSetEndpointFilter (11/22)
2023-04-29T10:42:38.712-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy        : Invoking OAuth2ClientAuthenticationFilter (12/22)
2023-04-29T10:42:38.713-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]

Solution

  • The following @Configuration demonstrates a public client setup for Spring Authorization Server:

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        /**
         * Filter chain for the authorization server endpoints.
         * <p>
         * Applies the Spring Authorization Server defaults and enables CORS with the
         * {@link CorsConfigurationSource} bean declared in this class, so the public client
         * served from another origin can call the server from the browser.
         *
         * @param http the {@link HttpSecurity} to configure
         * @return the built chain, ordered first so it is consulted before the default chain
         * @throws Exception propagated from {@code HttpSecurity.build()}
         */
        @Bean
        @Order(1)
        public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
                throws Exception {
            OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
            // ...
            http.cors(Customizer.withDefaults());
            return http.build();
        }


        /**
         * Fallback filter chain for every request the authorization server chain does not
         * match; CORS is enabled here with the same shared policy.
         *
         * @param http the {@link HttpSecurity} to configure
         * @return the built chain, ordered after the authorization server chain
         * @throws Exception propagated from {@code HttpSecurity.build()}
         */
        @Bean
        @Order(2)
        public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
                throws Exception {
            // ...
            http.cors(Customizer.withDefaults());
            return http.build();
        }

        /**
         * CORS policy applied to every path ({@code /**}).
         * <p>
         * Any header and any method are accepted, but only from the single origin
         * {@code http://127.0.0.1:4200}, with credentials allowed. The origin is listed
         * explicitly rather than as {@code *}: a credentialed policy cannot use a wildcard
         * origin, so extend this list origin by origin instead of widening it.
         */
        @Bean
        public CorsConfigurationSource corsConfigurationSource() {
            CorsConfiguration spaPolicy = new CorsConfiguration();
            spaPolicy.setAllowCredentials(true);
            spaPolicy.addAllowedOrigin("http://127.0.0.1:4200");
            spaPolicy.addAllowedMethod("*");
            spaPolicy.addAllowedHeader("*");

            UrlBasedCorsConfigurationSource corsSource = new UrlBasedCorsConfigurationSource();
            corsSource.registerCorsConfiguration("/**", spaPolicy);
            return corsSource;
        }

        /**
         * In-memory registration of a single public client.
         * <p>
         * The client authenticates with {@link ClientAuthenticationMethod#NONE} — no client
         * secret is configured — so {@code requireProofKey(true)} makes the server insist on
         * a PKCE {@code code_challenge} for each authorization-code request, and
         * {@code requireAuthorizationConsent(true)} shows the consent page before a code is
         * issued. The registration's internal id ({@code withId}) is a fresh UUID on every
         * start, which is acceptable for an in-memory repository.
         */
        @Bean
        public RegisteredClientRepository registeredClientRepository() {
            ClientSettings publicClientSettings = ClientSettings.builder()
                    .requireAuthorizationConsent(true)
                    .requireProofKey(true)
                    .build();

            RegisteredClient spaClient = RegisteredClient.withId(UUID.randomUUID().toString())
                    .clientId("messaging-client")
                    .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                    .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                    // Same origin as the one allowed by corsConfigurationSource().
                    .redirectUri("http://127.0.0.1:4200")
                    .scope(OidcScopes.OPENID)
                    .scope(OidcScopes.PROFILE)
                    .scope("message.read")
                    .scope("message.write")
                    .clientSettings(publicClientSettings)
                    .build();
            return new InMemoryRegisteredClientRepository(spaClient);
        }

        // ...

    }