Spring OAuth redirect_uri 不使用 https [英] Spring OAuth redirect_uri not using https

问题描述

我有一个 Spring Boot 1.3.0 应用程序，其中包含作为一种 SSO 集成的 Spring Security OAuth.

I have a Spring Boot 1.3.0 application with Spring Security OAuth included as a sort of SSO integration.

问题是应用程序在非 SSL 环境中运行，负载均衡器 (F5) 后面有一个非标准端口，强制 SSL 和 OAuth 提供程序要求将所有重定向 URL 注册为 https，但 Spring OAuth客户端(使用@EnableOAuthSso 自动配置)将仅重定向到具有以下 URL 的 OAuth 提供程序...

The problem is that the application is running in a non-SSL environment with a non-standard port behind a load balancer (F5) that forces SSL and the OAuth provider requires all redirect URLs be registered as https, but the Spring OAuth client (auto-configured with @EnableOAuthSso) will only redirect to the OAuth provider with the following URL...

https://[provider_host]/oauth/authorize?client_id=[redact]&redirect_uri=http://[application_host]/login&response_type=code&scope=[redact]&state=IpMYTe

https://[provider_host]/oauth/authorize?client_id=[redact]&redirect_uri=http://[application_host]/login&response_type=code&scope=[redact]&state=IpMYTe

请注意，返回的redirect_uri 生成为http.尽管 F5 会在返回的途中强制它使用 https，但我们的 OAuth 提供程序将不允许非 SSL 重定向 URI.我该如何配置?

Note that the return redirect_uri is generated as http. Even though the F5 will force it to https on the way back, our OAuth provider will not allow a non-SSL redirect URI. How can I configure this?

除了我的 Spring Data JPA 控制器之外，这是整个应用程序...

With the exception of my Spring Data JPA controllers, this is the entirety of the app...

@SpringBootApplication(exclude = { HibernateJpaAutoConfiguration.class })
@EnableJpaRepositories
public class AppConfig extends SpringBootServletInitializer {

    public static void main(final String... args) {
        SpringApplication.run(AppConfig.class, args);
    }

    @Autowired
    public DataSource dataSource;

    @Bean(name = "entityManagerFactory")
    public LocalContainerEntityManagerFactoryBean getEntityManagerFactoryInfo() {
        final LocalContainerEntityManagerFactoryBean fac = new LocalContainerEntityManagerFactoryBean();
        fac.setDataSource(dataSource);
        fac.setJpaVendorAdapter(new HibernateJpaVendorAdapter());
        fac.setPackagesToScan("[redact]");

        final Properties props = new Properties();
        props.put("hibernate.dialect", "org.hibernate.dialect.SQLServerDialect");
        props.put("hibernate.show_sql", "true");
        props.put("hibernate.format_sql", "true");
        fac.setJpaProperties(props);

        return fac;
    }

    @Bean(name = "transactionManager")
    public PlatformTransactionManager getTransactionManager() {
        final JpaTransactionManager transactMngr = new JpaTransactionManager();
        transactMngr.setEntityManagerFactory(getEntityManagerFactoryInfo().getObject());
        return transactMngr;
    }

}

SecurityConfig.java

@Configuration
@EnableOAuth2Sso
public class SecurityConfig {

}

application.properties

server.port=9916
server.contextPath=

server.use-forward-headers=true

security.oauth2.client.clientId=[redact]
security.oauth2.client.clientSecret=[redact]
security.oauth2.client.scope=[redact]
security.oauth2.client.accessTokenUri=https://[provider_host]/oauth/token
security.oauth2.client.userAuthorizationUri=https://[provider_host]/oauth/authorize
security.oauth2.resource.userInfoUri=https://[provider_host]/oauth/me
security.oauth2.resource.preferTokenInfo=false

logging.level.org.springframework=TRACE

推荐答案

在手动挖掘配置类后，我能够找到并添加以下内容，这确实成功了...

After digging manually through the configuration classes I was able to find and add the following, which did the trick...

security.oauth2.client.pre-established-redirect-uri=https://[application_host]/login
security.oauth2.client.registered-redirect-uri=https://[application_host]/login
security.oauth2.client.use-current-uri=false

我不相信没有更好的方法来解决强制 HTTPS 重定向 URL 的问题，但此修复程序对我有用.

I'm not convinced there isn't a better way to solve the problem of forcing a HTTPS redirect URL, but this fix worked for me.

这篇关于Spring OAuth redirect_uri 不使用 https的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！