These are chat archives for spring-cloud/spring-cloud

15th May 2015
Leon Radley
@leon
May 15 2015 05:58

@dsyer Suddenly I'm getting "Authentication Failed: Could not obtain access token", which is caused by the underlying "Possible CSRF detected - state parameter was present but no state could be found".
I know this must have something to do with @SessionAttributes("authorizationRequest"). It's started to happen since I added the @EnableOAuthResource, I think.

Do you have any suggestions on how to fix it?

Dave Syer
@dsyer
May 15 2015 06:14
Get rid of your custom /confirm_access and the @SessionAttributes? And then add them back slowly?
Leon Radley
@leon
May 15 2015 06:15
I haven’t got a custom confirm_access
Dave Syer
@dsyer
May 15 2015 06:16
Why do you have @SessionAttributes then?
Leon Radley
@leon
May 15 2015 06:16
Because it was in the spring-cloud-samples; I thought it was needed.
Dave Syer
@dsyer
May 15 2015 06:17
It was only there because of the /confirm_access
Leon Radley
@leon
May 15 2015 06:18
It seems the SSO app is no longer saving its state variable before redirecting to the auth server, so when it gets redirected back the state is gone, and the CSRF check kicks in.
Dave Syer
@dsyer
May 15 2015 06:19
Did you switch off sessions?
Leon Radley
@leon
May 15 2015 06:19
No, I even have security.sessions: ALWAYS
Dave Syer
@dsyer
May 15 2015 06:20
The exception is in the client app?
Leon Radley
@leon
May 15 2015 06:21
Yes, in OAuth2ClientAuthenticationProcessingFilter L:96
I've added a custom ResourceServerConfigurerAdapter, if that could be causing it?

// Imports assume the Spring Boot 1.2 / Spring Cloud Security 1.0 package layout of the time
import org.springframework.boot.actuate.autoconfigure.ManagementServerProperties;
import org.springframework.cloud.security.oauth2.resource.EnableOAuth2Resource;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableOAuth2Resource
@Order(ManagementServerProperties.ACCESS_OVERRIDE_ORDER - 1)
public class ResourceServerAdapter extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // Tokens presented to /api/** must carry the "accounts" resource id (audience)
        resources.resourceId("accounts");
    }

    @Override
    public void configure(final HttpSecurity http) throws Exception {
        // This filter chain only matches /api/**; everything else is left to the SSO chain
        http.requestMatchers().antMatchers("/api/**").and()
            .authorizeRequests()
                .antMatchers("/api/account", "/api/customer").hasRole("ACCOUNT")
                .anyRequest().authenticated();
    }

}

I’m a bit unsure if this should have a specified @Order
Dave Syer
@dsyer
May 15 2015 06:36
If there's only one it can't have any effect (the order).
Leon Radley
@leon
May 15 2015 06:38
So the order is only in effect if you have multiple ResourceServerConfigurerAdapter or multiple WebMvcConfigurerAdapter... good to know :)
Dave Syer
@dsyer
May 15 2015 06:38
There are some complicated rules about how the OAuth2ClientContext gets configured depending on your spring.oauth2.* properties
It needs to be session scoped to remember the state
Maybe you fell foul of that. Hard to say without a sample project.
Leon Radley
@leon
May 15 2015 06:40

Could this be causing the problem?

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;

// Bound from spring.oauth2.shop-service.* (client id/secret, access token URI, scopes)
@Bean
@ConfigurationProperties("spring.oauth2.shop-service")
public ClientCredentialsResourceDetails oauth2ClientCredentialsResourceDetails() {
    return new ClientCredentialsResourceDetails();
}

// Template for app-to-app calls with client_credentials; distinct from the SSO template
@Bean
public OAuth2RestTemplate clientCredentialsRestTemplate(OAuth2ClientContext oauth2ClientContext, ClientCredentialsResourceDetails details) {
    return new OAuth2RestTemplate(details, oauth2ClientContext);
}
I needed to be able to send stuff both as the user and as the app,
via client_credentials.
Dave Syer
@dsyer
May 15 2015 06:41
Client credentials is the wrong resource type for SSO right?
Maybe you injected the wrong rest template into the filter?
Leon Radley
@leon
May 15 2015 06:41
Yes, but I need the app to be able to call out to other apps.
Dave Syer
@dsyer
May 15 2015 06:42
I don't see why that would be a problem
Leon Radley
@leon
May 15 2015 06:42
How would I obtain a client_credentials token within the sso app?
Dave Syer
@dsyer
May 15 2015 06:42
But you obviously have to be careful to distinguish between the rest template you use to do that and the one that is used to get the SSO token
Leon Radley
@leon
May 15 2015 06:44
Exactly.
But I haven't, as far as I know, overridden the default OAuth2ClientContext.
Dave Syer
@dsyer
May 15 2015 06:49
I need to see the app
I'm really just guessing
Leon Radley
@leon
May 15 2015 06:50
I understand; we can do a TeamViewer session if you're okay with that.
Dave Syer
@dsyer
May 15 2015 06:51
Later
What's "TeamViewer"?
Leon Radley
@leon
May 15 2015 06:52
It's a remote viewing app; it works a bit better than Skype's screen sharing.
Otherwise Skype is fine, if you have that?
Dave Syer
@dsyer
May 15 2015 06:53
Does it work on Linux?
Sorry, Swedish link.
I’m off to the morning meeting, but I’ll be back in a bit.
Leon Radley
@leon
May 15 2015 07:25
I’m back. I’m ready whenever you are @dsyer
Dave Syer
@dsyer
May 15 2015 07:31
Still breakfast time here
Dave Syer
@dsyer
May 15 2015 08:02
I see you already asked about this here: spring-cloud/spring-cloud-security#54
Leon Radley
@leon
May 15 2015 08:04
Yes, that's right. I think it's quite common to want app-to-app communication, so a default client credentials rest template would be great.
But I'm not sure using the spring.oauth.client as the base for the client_credentials is right, since usually you want the app to have other permissions in the form of scopes.
I've separated the app credentials out into their own clients, though this might not be a best practice. What do you think?
Dave Syer
@dsyer
May 15 2015 08:08
You definitely want it to be a different resource than the one you use for SSO
What's the use case?
Why do you need app-to-app with no user credentials?
(I'm not sure it's all that common in a user-facing app)
Leon Radley
@leon
May 15 2015 08:12
I've got a couple of Spring Batch jobs importing data from Microsoft CRM, which is running as its own .NET microservice. It's secured with JWT and a specific scope, crm-read.
It's the app that is importing the data, not the user.
Dave Syer
@dsyer
May 15 2015 08:18
That's fine I guess. Anyway it should be possible. Might just be some beans you have to add yourself though, as opposed to things being "magical".
I'm downloading that screenshare app BTW
Leon Radley
@leon
May 15 2015 08:18
Great.
Dave Syer
@dsyer
May 15 2015 08:20
It won't install
Trying a different package
Got it
I need your ID?
Leon Radley
@leon
May 15 2015 08:24
Have you got Skype? I'd rather not expose the password to Gitter.
Dave Syer
@dsyer
May 15 2015 08:24
david_syer
I started a "meeting"
It's caning my CPU
Running in WINE
Windoze
Maybe it's better if I just create a sample app for you that has a client_credentials template and SSO and works.
Leon Radley
@leon
May 15 2015 09:17

@dsyer Worked like a charm.
Sometimes you stare so long at something that you miss the simplest of problems…

Thanks for the help :)