I am following this tutorial at https://www.baeldung.com/spring-security-pkce-secret-clients
In this example it is using PKCE with Spring Security OAuth. However, I noticed that it is still setting the client-secret value. I thought PKCE didn't require a secret, as it is meant for a public client that doesn't want to expose that secret in a mobile or a JavaScript app.
If I comment out the clientSecret value then the login does not work. Here is the main PKCE client configuration on the authorization server, saved using JPA (I updated this method to persist using the @PostConstruct annotation):
    @PostConstruct
    private void saveRegisteredClient() {
        final String clientId = "pkce-client";
        clientRepository.deleteAll(); // this is for dev purposes only
        RegisteredClient registeredClient = jpaRegisteredClientRepository.findByClientId(clientId);
        if (registeredClient != null) {
            LOG.info("registered client exists");
        } else {
            registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
                    .clientId(clientId)
                    // public client: no client secret is registered
                    .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                    .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                    .redirectUri("http://127.0.0.1:8080/login/oauth2/code/pkce")
                    .redirectUri("http://127.0.0.1:8080/authorized")
                    //.postLogoutRedirectUri("http://127.0.0.1:8080/logged-out")
                    .scope(OidcScopes.OPENID)
                    .scope(OidcScopes.PROFILE)
                    .scope(OidcScopes.EMAIL)
                    .scope("message.read")
                    .scope("message.write")
                    .clientSettings(ClientSettings.builder()
                            .requireAuthorizationConsent(false)
                            // PKCE is mandatory for this client
                            .requireProofKey(true)
                            .build())
                    .build();
            jpaRegisteredClientRepository.save(registeredClient);
            LOG.info("saved registeredClient");
        }
    }
(Update: The following is my pkce-client configuration in application.yaml):
    spring:
      security:
        oauth2:
          client:
            provider:
              katlock:
                issuer-uri: http://localhost:8085
            registration:
              pkce:
                provider: katlock
                client-id: pkce-client
                scope: openid,email
Here is my client trace log after attempting login:
2023-04-29T10:42:38.404-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Request 'GET /login/oauth2/code/pkce' doesn't match 'null /oauth2/authorization/{registrationId}'
2023-04-29T10:42:38.404-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Checking match of request : '/login/oauth2/code/pkce'; against '/login/oauth2/code/{registrationId}'
2023-04-29T10:42:38.733-06:00 DEBUG 66101 --- [ctor-http-nio-2] o.s.s.w.s.a.AuthenticationWebFilter : Authentication failed: [invalid_request]
2023-04-29T10:42:38.733-06:00 DEBUG 66101 --- [ctor-http-nio-2] o.s.s.w.s.DefaultServerRedirectStrategy : Redirecting to '/login?error'
2023-04-29T10:42:38.737-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Request 'GET /login' doesn't match 'null /oauth2/authorization/{registrationId}'
2023-04-29T10:42:38.737-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Request 'GET /login' doesn't match 'null /login/oauth2/code/{registrationId}'
2023-04-29T10:42:38.738-06:00 DEBUG 66101 --- [ctor-http-nio-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/login', method=GET}
2023-04-29T10:42:38.738-06:00 DEBUG 66101 --- [ctor-http-nio-2] athPatternParserServerWebExchangeMatcher : Checking match of request : '/login'; against '/login'
2023-04-29T10:42:38.738-06:00 DEBUG 66101 --- [ctor-http-nio-2] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : matched
The following is the trace log from the spring-authorization-server:
2023-04-29T10:42:38.198-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@7c5fbde4, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7021bb55, org.springframework.security.web.context.SecurityContextHolderFilter@a3f1f32, org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.AuthorizationServerContextFilter@1dc987b, org.springframework.security.web.header.HeaderWriterFilter@10efb806, org.springframework.security.web.csrf.CsrfFilter@7d5176d6, org.springframework.security.web.authentication.logout.LogoutFilter@4e6add8d, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter@4512f5f1, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter@1722ede1, org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter@671561b9, org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter@6bca6c4c, org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter@30a99b85, org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter@6b6cf3c1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@580a5b6e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@14927cd4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6023b54f, org.springframework.security.web.access.ExceptionTranslationFilter@128ebca1, org.springframework.security.web.access.intercept.AuthorizationFilter@e9947af, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter@430dbcb0, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter@c680819, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter@273e622f, org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter@2ac00dc9]] (1/2)
2023-04-29T10:42:38.200-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@5eaa4ed0, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@462deb2b, org.springframework.security.web.context.SecurityContextHolderFilter@3f9ee527, org.springframework.security.web.header.HeaderWriterFilter@104e6540, org.springframework.security.web.csrf.CsrfFilter@3344c1d7, org.springframework.security.web.authentication.logout.LogoutFilter@57330423, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@11f752d1, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@3b22bcad, org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter@381c826c, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@2a41d17a, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@58a5b69c, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@13563e64, org.springframework.security.web.access.ExceptionTranslationFilter@73b034ca, org.springframework.security.web.access.intercept.AuthorizationFilter@c3e5e3c]] (2/2)
2023-04-29T10:42:38.202-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Securing POST /login
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/14)
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/14)
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/14)
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/14)
2023-04-29T10:42:38.205-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (5/14)
2023-04-29T10:42:38.207-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (6/14)
2023-04-29T10:42:38.207-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2023-04-29T10:42:38.207-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.security.web.FilterChainProxy : Invoking UsernamePasswordAuthenticationFilter (7/14)
2023-04-29T10:42:38.207-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.s.authentication.ProviderManager : Authenticating request with DaoAuthenticationProvider (1/1)
2023-04-29T10:42:38.362-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.s.a.dao.DaoAuthenticationProvider : Authenticated user
2023-04-29T10:42:38.362-06:00 TRACE 65972 --- [nio-8085-exec-6] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/2)
2023-04-29T10:42:38.363-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.s.w.s.HttpSessionEventPublisher : Publishing event: org.springframework.security.web.session.HttpSessionIdChangedEvent[source=org.apache.catalina.session.StandardSessionFacade@5a48451d]
2023-04-29T10:42:38.363-06:00 DEBUG 65972 --- [nio-8085-exec-6] .s.ChangeSessionIdAuthenticationStrategy : Changed session id from 8BFE6EA832F8D2184E77CDA4EEA1F88A
2023-04-29T10:42:38.364-06:00 TRACE 65972 --- [nio-8085-exec-6] s.CompositeSessionAuthenticationStrategy : Preparing session with CsrfAuthenticationStrategy (2/2)
2023-04-29T10:42:38.364-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.s.w.csrf.CsrfAuthenticationStrategy : Replaced CSRF Token
2023-04-29T10:42:38.364-06:00 DEBUG 65972 --- [nio-8085-exec-6] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user1, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=8BFE6EA832F8D2184E77CDA4EEA1F88A], Granted Authorities=[ROLE_USER]]] to HttpSession [org.apache.catalina.session.StandardSessionFacade@5a48451d]
2023-04-29T10:42:38.364-06:00 DEBUG 65972 --- [nio-8085-exec-6] w.a.UsernamePasswordAuthenticationFilter : Set SecurityContextHolder to UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user1, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=8BFE6EA832F8D2184E77CDA4EEA1F88A], Granted Authorities=[ROLE_USER]]
2023-04-29T10:42:38.365-06:00 DEBUG 65972 --- [nio-8085-exec-6] o.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8085/oauth2/authorize?response_type=code&client_id=pkce-client&scope=openid%20email&state=jyGXRa-WQVB6Yn7MIRiD2sQ08dJb1-oQHQaqfN5Vo90%3D&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/pkce&nonce=R7viP02frx6WgoaY8xi9Vvr3yEOzALxEgsUCtc46q3U&code_challenge=4n3E5Km3qT4lDmVkMU9QBMp2YRpXYXT8sx_qA2eTIf0&code_challenge_method=S256&continue
2023-04-29T10:42:38.365-06:00 TRACE 65972 --- [nio-8085-exec-6] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2023-04-29T10:42:38.367-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@7c5fbde4, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7021bb55, org.springframework.security.web.context.SecurityContextHolderFilter@a3f1f32, org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.AuthorizationServerContextFilter@1dc987b, org.springframework.security.web.header.HeaderWriterFilter@10efb806, org.springframework.security.web.csrf.CsrfFilter@7d5176d6, org.springframework.security.web.authentication.logout.LogoutFilter@4e6add8d, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter@4512f5f1, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter@1722ede1, org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter@671561b9, org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter@6bca6c4c, org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter@30a99b85, org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter@6b6cf3c1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@580a5b6e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@14927cd4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6023b54f, org.springframework.security.web.access.ExceptionTranslationFilter@128ebca1, org.springframework.security.web.access.intercept.AuthorizationFilter@e9947af, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter@430dbcb0, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter@c680819, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter@273e622f, org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter@2ac00dc9]] (1/2)
2023-04-29T10:42:38.368-06:00 DEBUG 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Securing GET /oauth2/authorize?response_type=code&client_id=pkce-client&scope=openid%20email&state=jyGXRa-WQVB6Yn7MIRiD2sQ08dJb1-oQHQaqfN5Vo90%3D&redirect_uri=http://127.0.0.1:8080/login/oauth2/code/pkce&nonce=R7viP02frx6WgoaY8xi9Vvr3yEOzALxEgsUCtc46q3U&code_challenge=4n3E5Km3qT4lDmVkMU9QBMp2YRpXYXT8sx_qA2eTIf0&code_challenge_method=S256&continue
2023-04-29T10:42:38.368-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/22)
2023-04-29T10:42:38.370-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/22)
2023-04-29T10:42:38.370-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/22)
2023-04-29T10:42:38.370-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Invoking AuthorizationServerContextFilter (4/22)
2023-04-29T10:42:38.370-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (5/22)
2023-04-29T10:42:38.372-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (6/22)
2023-04-29T10:42:38.372-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match And [CsrfNotRequired [TRACE, HEAD, GET, OPTIONS], Not [Or [org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer$BearerTokenRequestMatcher@6cd1ee]]]
2023-04-29T10:42:38.372-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (7/22)
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationServerMetadataEndpointFilter (8/22)
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationEndpointFilter (9/22)
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user1, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=8BFE6EA832F8D2184E77CDA4EEA1F88A], Granted Authorities=[ROLE_USER]]] from SPRING_SECURITY_CONTEXT
2023-04-29T10:42:38.373-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.s.authentication.ProviderManager : Authenticating request with OAuth2AuthorizationCodeRequestAuthenticationProvider (1/13)
2023-04-29T10:42:38.402-06:00 DEBUG 65972 --- [nio-8085-exec-7] o.s.s.web.DefaultRedirectStrategy : Redirecting to http://127.0.0.1:8080/login/oauth2/code/pkce?code=NFXzAwY7OBR2fwFfCvY8fkhPwpCutePxi1-H77yRhKUlC8ShX65XeMJxJxX9ovoLeW3Z2ugvDGhNif2unYAnqqZ26qPOZKKrrQrrs7YE-f_aqkXCwdim3FriyKddoOG4&state=jyGXRa-WQVB6Yn7MIRiD2sQ08dJb1-oQHQaqfN5Vo90%3D
2023-04-29T10:42:38.402-06:00 TRACE 65972 --- [nio-8085-exec-7] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
2023-04-29T10:42:38.704-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@7c5fbde4, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7021bb55, org.springframework.security.web.context.SecurityContextHolderFilter@a3f1f32, org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.AuthorizationServerContextFilter@1dc987b, org.springframework.security.web.header.HeaderWriterFilter@10efb806, org.springframework.security.web.csrf.CsrfFilter@7d5176d6, org.springframework.security.web.authentication.logout.LogoutFilter@4e6add8d, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationServerMetadataEndpointFilter@4512f5f1, org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter@1722ede1, org.springframework.security.oauth2.server.authorization.oidc.web.OidcProviderConfigurationEndpointFilter@671561b9, org.springframework.security.oauth2.server.authorization.web.NimbusJwkSetEndpointFilter@6bca6c4c, org.springframework.security.oauth2.server.authorization.web.OAuth2ClientAuthenticationFilter@30a99b85, org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter@6b6cf3c1, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@580a5b6e, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@14927cd4, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@6023b54f, org.springframework.security.web.access.ExceptionTranslationFilter@128ebca1, org.springframework.security.web.access.intercept.AuthorizationFilter@e9947af, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter@430dbcb0, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenIntrospectionEndpointFilter@c680819, org.springframework.security.oauth2.server.authorization.web.OAuth2TokenRevocationEndpointFilter@273e622f, org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter@2ac00dc9]] (1/2)
2023-04-29T10:42:38.705-06:00 DEBUG 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Securing POST /oauth2/token
2023-04-29T10:42:38.705-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/22)
2023-04-29T10:42:38.706-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/22)
2023-04-29T10:42:38.707-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderFilter (3/22)
2023-04-29T10:42:38.708-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking AuthorizationServerContextFilter (4/22)
2023-04-29T10:42:38.708-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (5/22)
2023-04-29T10:42:38.708-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking CsrfFilter (6/22)
2023-04-29T10:42:38.710-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.csrf.CsrfFilter : Did not protect against CSRF since request did not match And [CsrfNotRequired [TRACE, HEAD, GET, OPTIONS], Not [Or [org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer$$Lambda$1291/0x0000000801491e70@5c450960, org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer$BearerTokenRequestMatcher@6cd1ee]]]
2023-04-29T10:42:38.710-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking LogoutFilter (7/22)
2023-04-29T10:42:38.710-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.s.w.a.logout.LogoutFilter : Did not match request to Ant [pattern='/logout', POST]
2023-04-29T10:42:38.711-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationServerMetadataEndpointFilter (8/22)
2023-04-29T10:42:38.711-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking OAuth2AuthorizationEndpointFilter (9/22)
2023-04-29T10:42:38.711-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking OidcProviderConfigurationEndpointFilter (10/22)
2023-04-29T10:42:38.711-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking NimbusJwkSetEndpointFilter (11/22)
2023-04-29T10:42:38.712-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.security.web.FilterChainProxy : Invoking OAuth2ClientAuthenticationFilter (12/22)
2023-04-29T10:42:38.713-06:00 TRACE 65972 --- [nio-8085-exec-8] o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
The following @Configuration demonstrates a public client setup for Spring Authorization Server:
    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration {

        @Bean
        @Order(1)
        public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
                throws Exception {
            OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
            // ...
            return http.cors(Customizer.withDefaults()).build();
        }

        @Bean
        @Order(2)
        public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
                throws Exception {
            // ...
            return http.cors(Customizer.withDefaults()).build();
        }

        @Bean
        public CorsConfigurationSource corsConfigurationSource() {
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            CorsConfiguration config = new CorsConfiguration();
            config.addAllowedHeader("*");
            config.addAllowedMethod("*");
            // pin the origin to the SPA; a "*" origin is not allowed together with credentials
            config.addAllowedOrigin("http://127.0.0.1:4200");
            config.setAllowCredentials(true);
            source.registerCorsConfiguration("/**", config);
            return source;
        }

        @Bean
        public RegisteredClientRepository registeredClientRepository() {
            RegisteredClient publicClient = RegisteredClient.withId(UUID.randomUUID().toString())
                    .clientId("messaging-client")
                    // public client: no client secret, the client authenticates with nothing
                    .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                    .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                    .redirectUri("http://127.0.0.1:4200")
                    .scope(OidcScopes.OPENID)
                    .scope(OidcScopes.PROFILE)
                    .scope("message.read")
                    .scope("message.write")
                    .clientSettings(ClientSettings.builder()
                            .requireAuthorizationConsent(true)
                            // PKCE (code_challenge / code_verifier) is mandatory for this client
                            .requireProofKey(true)
                            .build()
                    )
                    .build();
            return new InMemoryRegisteredClientRepository(publicClient);
        }

        // ...
    }
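As an added illustration (not code from the question, the answer or Spring), the following Python model shows what `requireProofKey(true)` together with `ClientAuthenticationMethod.NONE` buys a public client: the server binds the issued code to the `code_challenge` seen in the `/oauth2/authorize` request in the trace above and, at the token endpoint, checks the S256 hash of the presented `code_verifier` instead of a client secret. `RegisteredClient`, `IssuedCode`, `PkceAuthorizationServer` and the error strings are this model's own simplifications, not Spring Authorization Server's API.

```python
import base64
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# RFC 7636 section 4.1: a code_verifier is 43..128 chars from [A-Za-z0-9-._~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes encode to exactly 43 characters, the RFC minimum length
    return b64url_nopad(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    # S256 method (the one in the authorize request above); this model honours no other
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


@dataclass
class RegisteredClient:                 # simplified stand-in, not Spring's class
    client_id: str
    client_authentication_method: str   # "none" stands for ClientAuthenticationMethod.NONE
    require_proof_key: bool = True      # stands for ClientSettings.requireProofKey(true)


@dataclass
class IssuedCode:
    client_id: str
    code_challenge: Optional[str]
    redeemed: bool = False


class PkceAuthorizationServer:
    """Toy model of the authorize/token checks a PKCE-enforcing server performs."""

    def __init__(self, clients):
        self.clients = {c.client_id: c for c in clients}
        self.codes = {}

    def authorize(self, client_id, code_challenge=None, code_challenge_method=None):
        client = self.clients[client_id]
        needs_pkce = client.require_proof_key or client.client_authentication_method == "none"
        # a public client, or any client with requireProofKey, gets no code without a challenge
        if needs_pkce and (not code_challenge or code_challenge_method != "S256"):
            return None, "invalid_request"
        code = b64url_nopad(secrets.token_bytes(32))
        self.codes[code] = IssuedCode(client_id, code_challenge)
        return code, None

    def token(self, client_id, code, code_verifier=None, client_secret=None):
        client = self.clients.get(client_id)
        issued = self.codes.get(code)
        if client is None or issued is None or issued.client_id != client_id:
            return None, "invalid_grant"
        if client.client_authentication_method == "none" and client_secret is not None:
            return None, "invalid_client"   # this model treats a secret from a public client as a misconfiguration
        if issued.redeemed:
            return None, "invalid_grant"    # codes are single use: a replay fails
        if issued.code_challenge is not None:
            # proof of possession: the verifier must hash to the challenge seen at /authorize
            if code_verifier is None or not _VERIFIER_RE.match(code_verifier):
                return None, "invalid_grant"
            expected = make_code_challenge(code_verifier)
            if not hmac.compare_digest(expected, issued.code_challenge):
                return None, "invalid_grant"
        issued.redeemed = True
        return {"access_token": b64url_nopad(secrets.token_bytes(24)), "token_type": "Bearer"}, None
```

The checked value in the test below is the RFC 7636 Appendix B verifier/challenge pair, so the S256 derivation can be confirmed against the standard.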