OAuth2Error when a logged-in user tries to log in again without logout #7884


Closed
belomx opened this issue Jan 31, 2020 · 2 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid

Comments


belomx commented Jan 31, 2020

Summary

When logging into my web application using oauth2 (in this summary I will use the Google provider as an example), it will reach the home page (fine); then the user presses back in the browser and the page will be at Google's select-user page to log in. If the user selects a user to "log in again" and returns to the home page, Spring Security will return an error.

Actual Behavior

Spring Security is returning an error during the second login. Error at OAuth2LoginAuthenticationFilter:

    OAuth2Error oauth2Error = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
    throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());

Expected Behavior

If the user selected in the second attempt is the same as in the previous one, and the session remains valid and not expired, the user could log into the system properly.

Configuration

    http
        // permit access to any resource, access restrictions are handled at the level of Vaadin views
        .authorizeRequests()
            .antMatchers("/Login", "/", "/login/**").permitAll()
            .and()
        // disable CSRF (Cross-Site Request Forgery) since Vaadin implements its own mechanism for this
        .csrf().disable()
        .oauth2Login()
            .loginPage("/login")
            .authorizationEndpoint()
                .baseUri("/oauth2/authorize-client")
                .authorizationRequestRepository(authorizationRequestRepository())
                .and()
            .tokenEndpoint()
                .accessTokenResponseClient(accessTokenResponseClient())
                .and()
            .defaultSuccessUrl("/home")
            .failureUrl("/error")
            .and()
        .sessionManagement().sessionFixation().newSession();

Version

5.2.1.RELEASE

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 31, 2020
Contributor

jgrandja commented Feb 3, 2020

@belomx

it will reach the home page (fine); then the user presses back in the browser and the page will be at Google's select-user page to log in. If the user selects a user to "log in again" and returns to the home page, Spring Security will return an error

This flow is invalid and the reported error is expected. When you press the back button after a successful authentication, and attempt to re-login from Google's authentication form, the subsequent request (Authorization Response) to the client application will receive the same code parameter that was used in the previous authentication flow. The code (authorization_code) is a temporary credential that can be used one-time only, hence, the AUTHORIZATION_REQUEST_NOT_FOUND error.

I'm going to close this issue since the behaviour is expected.

@jgrandja jgrandja closed this as completed Feb 3, 2020
@jgrandja jgrandja self-assigned this Feb 3, 2020
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 3, 2020
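The single-use behaviour jgrandja describes, modelled as an added Python example (this is not code from Spring Security or from this thread): the pending authorization request is stored per `state` and removed the first time its callback is processed, so a replayed callback carrying the same `code` and `state` finds nothing and is rejected. Class and function names and the callback values are assumptions made for the example.

```python
# Added example (not from the Spring Security issue): minimal model of the
# authorization-code callback handling that yields AUTHORIZATION_REQUEST_NOT_FOUND.
import secrets
from dataclasses import dataclass

AUTHORIZATION_REQUEST_NOT_FOUND = "authorization_request_not_found"  # mirrors the Spring error code name


class OAuth2AuthenticationError(Exception):
    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


@dataclass
class AuthorizationRequest:
    state: str
    redirect_uri: str


class SessionAuthorizationRequestRepository:
    """Hypothetical stand-in for a session-backed repository: one pending request per state."""

    def __init__(self):
        self._by_state = {}

    def save(self, req: AuthorizationRequest) -> None:
        self._by_state[req.state] = req

    def remove(self, state: str):
        # Consumed on first use: any later lookup with the same state returns None.
        return self._by_state.pop(state, None)


def begin_login(repo, redirect_uri="https://client.example/login/oauth2/code/google"):
    """First redirect: mint an unguessable state and remember the pending request."""
    req = AuthorizationRequest(state=secrets.token_urlsafe(16), redirect_uri=redirect_uri)
    repo.save(req)
    return req.state


def handle_callback(repo, params, exchanged_codes):
    """Callback handling: look up and consume the pending request by state, then exchange the code."""
    req = repo.remove(params.get("state", ""))
    if req is None:
        # Replayed or forged callback: no pending request, so the code is never exchanged.
        raise OAuth2AuthenticationError(AUTHORIZATION_REQUEST_NOT_FOUND)
    exchanged_codes.append(params["code"])  # stand-in for the token endpoint call
    return req.redirect_uri
```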

iilkevych commented May 26, 2020

@jgrandja

The code (authorization_code) is a temporary credential that can be used one-time only, hence, the AUTHORIZATION_REQUEST_NOT_FOUND error.

The problem is not in authorization_code. AuthenticationWebFilter has an authenticationFailureHandler to handle invalid authentication (authorization_code). OidcAuthorizationCodeReactiveAuthenticationManager throws OAuth2AuthenticationException, which is an AuthenticationException, and the browser is redirected to /login?error.

The problem is in

  1. ServerOAuth2AuthorizationCodeAuthenticationTokenConverter throws OAuth2AuthorizationException, and
  2. AuthenticationWebFilter doesn't handle any errors from ServerAuthenticationConverter.

Only one ServerAuthenticationConverter implementation, ServerHttpBasicAuthenticationConverter, will redirect the browser to the login page, because it returns Mono.empty() in case of any authentication problem.
