UnAuthenticatedServerOAuth2AuthorizedClientRepository cannot be used within running request handlers #6888

Closed
jjstreet opened this issue May 18, 2019 · 5 comments
Assignees
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid

Comments

@jjstreet

Summary

UnAuthenticatedServerOAuth2AuthorizedClientRepository throws an assertion failure because ServerWebExchange is not null when trying to use a client_credential protected resource during a web request. The associated OAuth2AuthorizedClientResolver ends up grabbing and providing the current ServerWebExchange from the current context.

Actual Behavior

I attempted to use an UnAuthenticatedServerOAuth2AuthorizedClientRepository instance for an oauth2 server exchange filter function to let me use client_credential access tokens during the processing of a user's request. This was described by several publications as a viable choice for client_credential type flows. As stated above, this causes UnAuthenticatedServerOAuth2AuthorizedClientRepository to fail an assertion that the ServerWebExchange is null. I was able to trace the ServerWebExchange attribute from the ClientRequest and tracked it to OAuth2AuthorizedClientResolver.currentServerWebExchange().

Expected Behavior

I was expecting no failed assertion.

Workaround/Potential solution

Remove the assertion that the current server web exchange is null, if this type of repository should be allowed within a user request.

Configuration

Spring WebFlux with Netty
Spring Boot 2.1.5
Spring Security 5.1.7

Related Question

It seems that, according to the javadoc for UnAuthenticatedServerOAuth2AuthorizedClientRepository, I am using the class correctly, but it may be that it really should only be used during server-to-server communication outside of a user request process.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 18, 2019
@rwinch (Member)

rwinch commented May 20, 2019

Thanks for the report @jjstreet! @jgrandja will look at this soon

@jjstreet (Author)

I can see a need for client_credential protected resources to be accessible both during and outside of a user request. To keep my complexity low, I'd like to reuse WebClient instances, especially if they are wrapped by a business-oriented class. Therefore, I think being able to use this repository in both cases is beneficial, especially since the other implementations of ServerOAuth2AuthorizedClientRepository aren't usable outside a user request.

@jgrandja (Contributor)

jgrandja commented Jun 5, 2019

@jjstreet

...trying to use a client_credential protected resource during a web request

UnAuthenticatedServerOAuth2AuthorizedClientRepository is not meant to be used in the context of a web request. The javadoc states:

Provides support for an unauthenticated user. This is useful when running as a process with no user associated to it.

UnAuthenticatedServerOAuth2AuthorizedClientRepository is meant to be used outside of a web request only, for example in a Java application that acts as a CLI or a background async process.

For web applications, you should be using AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository in the context of a request.

I'm going to close this issue as works as designed. We can re-open if you are still having issues with your setup.

@jgrandja jgrandja closed this as completed Jun 5, 2019
@jgrandja jgrandja removed their assignment Jun 5, 2019
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 5, 2019
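The split jgrandja describes, as an added example that is not code from the issue or from the Spring Security project: one WebClient for use inside request handlers, backed by AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository, and one for background work, backed by UnAuthenticatedServerOAuth2AuthorizedClientRepository. The registration id "backend", the bean names and the use of Boot's auto-configured ReactiveClientRegistrationRepository are assumptions for illustration.

```java
// Added example (not from the issue or the Spring Security project).
// Assumes Spring Security 5.1.x / Boot 2.1.x with a client registration
// named "backend" (constructed name) using the client_credentials grant.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.InMemoryReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServerOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.client.web.server.AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.server.UnAuthenticatedServerOAuth2AuthorizedClientRepository;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class OAuth2WebClientConfig {

    // For request handlers. The filter function resolves the current
    // ServerWebExchange from the Reactor context and hands it to the
    // repository; this repository accepts a non-null exchange.
    @Bean
    public WebClient requestScopedWebClient(ReactiveClientRegistrationRepository registrations) {
        ReactiveOAuth2AuthorizedClientService clientService =
                new InMemoryReactiveOAuth2AuthorizedClientService(registrations);
        ServerOAuth2AuthorizedClientRepository repo =
                new AuthenticatedPrincipalServerOAuth2AuthorizedClientRepository(clientService);
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(registrations, repo);
        oauth.setDefaultClientRegistrationId("backend");
        return WebClient.builder().filter(oauth).build();
    }

    // For scheduled jobs, CLIs and other code running outside a request.
    // No ServerWebExchange exists in the context there, so the null
    // assertion reported in this issue holds.
    @Bean
    public WebClient backgroundWebClient(ReactiveClientRegistrationRepository registrations) {
        ServerOAuth2AuthorizedClientRepository repo =
                new UnAuthenticatedServerOAuth2AuthorizedClientRepository();
        ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
                new ServerOAuth2AuthorizedClientExchangeFilterFunction(registrations, repo);
        oauth.setDefaultClientRegistrationId("backend");
        return WebClient.builder().filter(oauth).build();
    }
}
```

Inject requestScopedWebClient into controllers and backgroundWebClient into @Scheduled components; sharing a single instance across both contexts is what triggers the failed assertion.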
@awilhelmer

I have the same problems as the author mentions. I can't understand why this ticket is closed with the reason "works as designed", because I think a framework like Spring should be able to distinguish this internally.
Example:
I want to write a (Web)client lib, which is called in different scenarios, but I don't care if the lib is called from an original WebRequest or a CronJob. Here I even want to use the client_credentials grant_type.

In addition, the behavior changes completely if I add the dependency org.springframework.boot:spring-boot-starter-security, because without it it works.
It would only make sense to use the original JWT token if it is delivered with the same grant_type, client_id and the same OAuth provider. I don't know what happens if the scenarios have different OAuth providers, by the way.

My only chance is to write my own OAuth client flow (not to mention things like #5893). That can't be right IMHO.

@jgrandja (Contributor)

jgrandja commented Oct 16, 2019

@awilhelmer It's not totally clear to me what issue you are having, as you mention more than one thing. Also, questions should be posted on StackOverflow. If you have an issue with a specific feature or are looking for a new feature, then please log a new issue instead of posting to a closed issue.

Have you read up on the reference documentation to see what features are available? I would recommend starting here.
