当应用程序位于 SSL 终止代理后面时,如何配置 Spring Boot 以使用 OIDC [英] How to configure Spring Boot to use OIDC while app is behind an SSL termination proxy
问题描述
我正在尝试配置 Spring Boot 应用程序以使用 OIDC.服务器位于 SSL 终止代理之后.
I am trying to configure a Spring Boot app to use OIDC. The server is behind an SSL termination proxy.
以下是我使用的属性:
spring:
security:
oauth2:
client:
provider:
oidc:
authorization-uri: https://example.org/oidc/oauth2/authorize
token-uri: https://example.org/oidc/oauth2/access_token
user-info-uri: https://example.org/oidc/oauth2/userinfo
jwk-set-uri: https://example.org/oidc/oauth2/connect/jwk_uri
custom-params: param_name1,param_value1,param_name2,param_value2,nonce,123456789
registration:
oidc:
client-id: myclientid
client-secret: myclientsecret
authorization-grant-type: authorization_code
scope:
- openid
- email
- profile
redirect-uri: https://mydomain/myapp/login/oauth2/code/oidc
这是哪里出错了:
1.OIDC 服务器需要在请求 URL 中添加 nonce 参数
我通过使用自定义 OAuth2AuthorizationRequest 解决了这个问题,该请求读取 custom-params 属性并将这些值附加到请求 URL
I have solved this by using a custom OAuth2AuthorizationRequest that reads the custom-params property and appends those values to the request URL
2.OidcAuthorizationCodeAuthenticationProvider 抛出一个由 invalid_redirect_uri_parameter 引起的异常
我尝试了很多方法来解决这个问题.
I have tried many approaches to fix this.
我尝试创建一个过滤器,将 X-Forwarded-Proto 添加到请求中(因为代理不处理).
I have tried creating a filter that adds the X-Forwarded-Proto to the request (because the proxy doesn't handle that).
添加了标题,我还添加了以下属性:
The headers are added, I have also added the following properties:
server:
forward-headers-strategy: native
tomcat.protocol-header: x-forwarded-proto
但它似乎不起作用.
OidcAuthorizationCodeAuthenticationProvider 仍然抛出异常,因为这个条件为假:
OidcAuthorizationCodeAuthenticationProvider still throws an exception because this condition is false:
!authorizationResponse.getRedirectUri().equals(authorizationRequest.getRedirectUri())
我已经调试了代码,唯一的区别是一个是 http,另一个是 https.
I have debugged the code and the only difference is one being http and the other https.
我发现了一个我根本不喜欢的非常笨拙的解决方案,它是另一种过滤器,它只针对该特定 URL 修改 URL.
我更喜欢更优雅的解决方案.
I would prefer a more elegant solution.
3.使用自定义 nonce 参数时,OidcAuthorizationCodeAuthenticationProvider 会抛出一个由 invalid_nonce 引发的异常
现在我卡住了.我考虑过编写自己的身份验证提供程序,但我不能保证我的会在 Spring 提供的 OIDC 之前被使用.
Now I am stuck. I considered writing my own Authentication Provider, but I have no guarantee that mine will be picked up before the OIDC one provided by Spring.
使用随机数,这是一个捕获 22:
And with the nonce, it's a catch 22:
如果我不使用自定义参数,我就找不到让 Spring 将随机数添加到请求中的方法
if I don't use the custom param, I couldn't find a way to make Spring add the nonce to the request
如果我使用那个,当它是 JWT 的一部分时,Spring 无法识别它并吓坏了
if I use that one, Spring doesn't recognize it when it's part of the JWT and freaks out
任何帮助将不胜感激,因为这已经让我发疯了好几天甚至几周.
谢谢.
编辑
情况 2 中比较的 2 个网址来自:
The 2 urls that are compared in case 2 come from:
- OAuth2AuthorizationRequest
- OAuth2AuthorizationResponse
OAuth2AuthorizationRequest 内置于OAuth2AuthorizationRequestRedirectFilter 在以下行:
OAuth2AuthorizationRequest is built in the OAuth2AuthorizationRequestRedirectFilter at the following line:
OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestResolver.resolve(request);
重定向uri内置于调用
The redirect uri is built in DefaultOAuth2AuthorizationRequestResolver.expandRedirectUri() which calls
UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
OAuth2AuthorizationResponse 内置于 OAuth2LoginAuthenticationFilter.attemptAuthentication() 中,它也调用
OAuth2AuthorizationResponse is built in the OAuth2LoginAuthenticationFilter.attemptAuthentication() which also calls
UriComponentsBuilder.fromHttpUrl(UrlUtils.buildFullRequestUrl(request))
然后
OAuth2AuthorizationResponseUtils.convert(params, redirectUri)
我会仔细检查,但我不记得在构建这些 URL 时调用了 UriComponentsBuilder.adaptFromForwardedHeaders(HttpHeaders headers).
I will double check, but I don't remember UriComponentsBuilder.adaptFromForwardedHeaders(HttpHeaders headers) being called when building these URLs.
即使有效,那仍然会留下随机数问题:(
And even if that works, that still leaves the nonce issue :(
推荐答案
我们偶然发现了同样的问题,这个问题主要是因为我们的服务器是在一个反向代理之后,而且代理似乎以某种方式改变了 url 导致这个检查失败
We stumbled upon the same problem , the problem was mainly because our server was behind a reverse proxy, and it seems the proxy changed the url somehow causing this check to fail
!authorizationResponse.getRedirectUri().equals(authorizationRequest.getRedirectUri())
此行在更高版本的 spring security 中被删除,提交时
this line was removed in later versions of spring security , at commit
24500fa3ca23aa23ede86dfcfe02113671d5b8bc
24500fa3ca23aa23ede86dfcfe02113671d5b8bc
于 2019 年 12 月 6 日推出,春季安全版本 5.1.13
which was introduced on Dec 6, 2019 and was in spring security release 5.1.13
因此,对于 spring boot 2.1.X 系列版本,解决方案是将 spring boot 升级到至少 2.1.17.
so the solution was to upgrade spring boot to at least 2.1.17 for spring boot 2.1.X line of versions.
虽然 OP 说他无法升级他的库,但我希望这可以帮助那些可以升级的人.
while the OP said he can't upgrade his libraries, I hope this can help those who can.
我们也做了 Kavithakaran Kanapathippilla 上面提到的解决方案,并配置了我们的反向代理以添加 X-forwarded-proto http 标头,我相信我们也配置了 spring boot application.properties 来检查它们
We also did the solution mentioned above by Kavithakaran Kanapathippilla and configured our reverse proxy to add X-forwarded-proto http headers , also i believed we configured spring boot application.properties to check for them
这篇关于当应用程序位于 SSL 终止代理后面时,如何配置 Spring Boot 以使用 OIDC的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
