Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Client secret not provided in request #5

Open
LBoraz opened this issue Aug 21, 2020 · 1 comment
Open

Client secret not provided in request #5

LBoraz opened this issue Aug 21, 2020 · 1 comment

Comments

@LBoraz
Copy link

LBoraz commented Aug 21, 2020
edited
Loading

Precondition: add @bean to the WebFilter tenant(ReactiveClientRegistrationRepository clients)

Navigate to one:8080

Log in as rob/password

Authentication Exception is thrown - apparently the client secret is not sent (it seems configured correctly on the spring-boot side)

2020-08-21 09:41:07.705 ERROR 19269 --- [or-http-epoll-3] a.w.r.e.AbstractErrorWebExceptionHandler : [4f97f008] 500 Server Error for HTTP GET "/login/oauth2/code/one?state=CB34ZN1n6giMItB7fb7W9QSfRx2lHnCJ1W5TyxCnxDI%3D&session_state=83f6116a-1232-4a1a-a427-d9451c5f35c8&code=3c40369c-5b01-41b7-b2ea-5baf030b007a.83f6116a-1232-4a1a-a427-d9451c5f35c8.2615235d-e834-4a7c-a472-76d822ac6048"

org.springframework.security.oauth2.core.OAuth2AuthenticationException: [unauthorized_client] Client secret not provided in request
	at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeReactiveAuthenticationManager.lambda$null$2(OidcAuthorizationCodeReactiveAuthenticationManager.java:139) ~[spring-security-oauth2-client-5.2.0.RC1.jar:5.2.0.RC1]
	Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
Error has been observed at the following site(s):
	|_ checkpoint ⇢ org.springframework.security.oauth2.client.web.server.authentication.OAuth2LoginAuthenticationWebFilter [DefaultWebFilterChain]
	|_ checkpoint ⇢ org.springframework.security.oauth2.client.web.server.OAuth2AuthorizationRequestRedirectWebFilter [DefaultWebFilterChain]
	|_ checkpoint ⇢ org.springframework.security.web.server.context.ReactorContextWebFilter [DefaultWebFilterChain]
	|_ checkpoint ⇢ org.springframework.security.web.server.csrf.CsrfWebFilter [DefaultWebFilterChain]
	|_ checkpoint ⇢ org.springframework.security.web.server.header.HttpHeaderWriterWebFilter [DefaultWebFilterChain]
	|_ checkpoint ⇢ org.springframework.security.config.web.server.ServerHttpSecurity$ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
	|_ checkpoint ⇢ io.jzheaux.springone2019.inbox.tenant.TenantFilterChain [DefaultWebFilterChain]
	|_ checkpoint ⇢ HTTP GET "/login/oauth2/code/one?state=CB34ZN1n6giMItB7fb7W9QSfRx2lHnCJ1W5TyxCnxDI%3D&session_state=83f6116a-1232-4a1a-a427-d9451c5f35c8&code=3c40369c-5b01-41b7-b2ea-5baf030b007a.83f6116a-1232-4a1a-a427-d9451c5f35c8.2615235d-e834-4a7c-a472-76d822ac6048" [ExceptionHandlingWebHandler]
Stack trace:
		at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeReactiveAuthenticationManager.lambda$null$2(OidcAuthorizationCodeReactiveAuthenticationManager.java:139) ~[spring-security-oauth2-client-5.2.0.RC1.jar:5.2.0.RC1]
		at reactor.core.publisher.Mono.lambda$onErrorMap$29(Mono.java:3238) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.Mono.lambda$onErrorResume$31(Mono.java:3328) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:88) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.MonoFlatMap$FlatMapMain.onError(MonoFlatMap.java:165) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onError(FluxMapFuseable.java:134) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.MonoFlatMap$FlatMapMain.secondError(MonoFlatMap.java:185) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.MonoFlatMap$FlatMapInner.onError(MonoFlatMap.java:251) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onError(FluxMapFuseable.java:134) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.MonoFlatMap$FlatMapMain.onNext(MonoFlatMap.java:135) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onNext(FluxMapFuseable.java:121) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxMapFuseable$MapFuseableSubscriber.onNext(FluxMapFuseable.java:121) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxContextStart$ContextStartSubscriber.onNext(FluxContextStart.java:103) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxMapFuseable$MapFuseableConditionalSubscriber.onNext(FluxMapFuseable.java:287) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxFilterFuseable$FilterFuseableConditionalSubscriber.onNext(FluxFilterFuseable.java:330) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.Operators$MonoSubscriber.complete(Operators.java:1582) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.MonoCollectList$MonoCollectListSubscriber.onComplete(MonoCollectList.java:121) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxMap$MapSubscriber.onComplete(FluxMap.java:136) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxPeek$PeekSubscriber.onComplete(FluxPeek.java:252) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxPeek$PeekSubscriber.onComplete(FluxPeek.java:252) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.core.publisher.FluxMap$MapSubscriber.onComplete(FluxMap.java:136) ~[reactor-core-3.3.0.RC1.jar:3.3.0.RC1]
		at reactor.netty.channel.FluxReceive.terminateReceiver(FluxReceive.java:397) ~[reactor-netty-0.9.0.RC1.jar:0.9.0.RC1]
		at reactor.netty.channel.FluxReceive.drainReceiver(FluxReceive.java:197) ~[reactor-netty-0.9.0.RC1.jar:0.9.0.RC1]
		at reactor.netty.channel.FluxReceive.onInboundComplete(FluxReceive.java:345) ~[reactor-netty-0.9.0.RC1.jar:0.9.0.RC1]
		at reactor.netty.channel.ChannelOperations.onInboundComplete(ChannelOperations.java:363) ~[reactor-netty-0.9.0.RC1.jar:0.9.0.RC1]
		at reactor.netty.channel.ChannelOperations.terminate(ChannelOperations.java:412) ~[reactor-netty-0.9.0.RC1.jar:0.9.0.RC1]
		at reactor.netty.http.client.HttpClientOperations.onInboundNext(HttpClientOperations.java:556) ~[reactor-netty-0.9.0.RC1.jar:0.9.0.RC1]
		at reactor.netty.channel.ChannelOperationsHandler.channelRead(ChannelOperationsHandler.java:91) ~[reactor-netty-0.9.0.RC1.jar:0.9.0.RC1]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:102) ~[netty-codec-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:438) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:328) ~[netty-codec-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:302) ~[netty-codec-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:253) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:352) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1421) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:374) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:360) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:930) ~[netty-transport-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:794) ~[netty-transport-native-epoll-4.1.39.Final-linux-x86_64.jar:4.1.39.Final]
		at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:424) ~[netty-transport-native-epoll-4.1.39.Final-linux-x86_64.jar:4.1.39.Final]
		at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:326) ~[netty-transport-native-epoll-4.1.39.Final-linux-x86_64.jar:4.1.39.Final]
		at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918) ~[netty-common-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.39.Final.jar:4.1.39.Final]
		at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.39.Final.jar:4.1.39.Final]
		at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
@LBoraz
Copy link
Author

LBoraz commented Aug 21, 2020
edited
Loading

It seems that SignedJwtExchangeFilterFunction must be updated to include the client_secret in the body:

return Mono.subscriberContext()
				.filter(c -> c.hasKey(ClientRegistration.class))
				.map(c -> c.get(ClientRegistration.class))
				.filter(clientRegistration -> "jwt".equals(clientRegistration.getClientAuthenticationMethod().getValue()))
				.map(this.jwtService::encode)
				.map(assertion -> ClientRequest.from(request)
						.body(body.with("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"))
						.body(body.with("client_assertion", assertion))
                                                /* is this really necessary??? */
						.body(body.with("client_secret", "bfbd9f62-02ce-4638-a370-80d45514bd0a"))
						.build())
				.defaultIfEmpty(request)
				.flatMap(next::exchange);

`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@LBoraz