The Spring Security Oauth2 Blues - Simplicity

Post image

I personally like the Spring Framework and its security components, because it’s pretty full-featured and easy to use, but when it comes to Spring Security OAuth2, there’s a huge quality breakdown. In this (probably series) of blogposts, I’ll try to sum up the good, the bad, the evil and why I ended up completely dropping Spring Security OAuth2.

A new Project

It all began (as always) with a new project. There were some basic requirements to fulfill regarding the application and security architecture:

  • Angular SPA with a Spring Boot backend
  • Users should be able to log in using GitHub or GitLab
  • Backend should map authenticated users to DB entities
  • Backend communication should not be stateful (no session)
  • OAuth tokens must be persisted b.c. used for server side API calls

Of course the first thought on this was:

Easy peasy, Spring Security Oauth2 with custom success handler, done. – Me

But this was just wrong…

The naive approach

Of course the first approach was just adding dependencies and some configuration and check if it works, like virtually always using spring boot. For the reference, we’re doing Spring Boot 2.2.1.RELEASE with Kotlin 1.3.60 on a JVM 11:

Added dependencies:

implementation("org.springframework.security:spring-security-oauth2-client")
implementation("org.springframework.security:spring-security-oauth2-jose")

The whole OAuth2 config can theoretically be done using application.yml configuration. Btw. if you are looking to use GitLab as OAuth provider with Spring, the following config works at the time of writing this post:

spring:
  security:
    oauth2:
      client:
        registration:
          github:
            provider: github
            clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            clientSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            clientName: GitHub
            scope:
              - user:email
              - read:user
            # Custom attributes only parsed by com.example.shared.config.OauthExtraConfig:
            appId: 99999
            signingKeyPath: key/example-dev.der
          gitlab:
            provider: gitlab
            clientId: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            clientSecret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
            clientName: GitLab
            authorizationGrantType: authorization_code
            redirectUri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
            scope:
              - api
              - read_user
              - openid
              - profile
              - email
        provider:
          github:
            userNameAttribute: login
            # Default to predefined GitHub provider
            # See org.springframework.security.config.oauth2.client.CommonOAuth2Provider
          gitlab:
            authorizationUri: https://gitlab.com/oauth/authorize
            tokenUri: https://gitlab.com/oauth/token
            userInfoUri: https://gitlab.com/oauth/userinfo
            jwkSetUri: https://gitlab.com/oauth/discovery/keys
            userNameAttribute: nickname

As already the last step, we need to add some lines to security config:

override fun configure(http: HttpSecurity) {
  http

    // request auth
    .authorizeRequests()
      .antMatchers(
        "/login/**",
        "/oauth2/**",
      ).permitAll()

      // default
      .anyRequest()
        .authenticated()

    .and()

    // disable form login
    .formLogin()
      .disable()

    // enable oauth2 login
    .oauth2Login()
}

After some GitLab documentation reading and probably less than 30 mins of coding, this “works” out of the box.

Only some small changes are still to do:

  • Make auth flow stateless (default is based on an http session)
  • Map users to the database and store tokens to access GitHub / GitLab
  • Issue own JWT tokens for Angular SPA instead of forwarding GitHub / GitLab tokens

These three little changes took me almost a week and finally forced me to give up Spring Security OAuth and implement stuff by hand.

Things i’d like like to have known before

  • Not all providers use the same standards. E.g. GitHub uses Oauth2 while GitLab uses OIDC.
  • GitHub only sends the public email address within the user-info payload. If a users email is not public, you’ll need to make an authorized API call to get the email addresses.
  • GitHub does not provide long-lived auth-tokens and also now renew-tokens for “GitHub Apps”. You’ll need to re-authenticate the user on a very regular basis, or use the GitHub App JWT (installation) authentication which is experimental by now.
  • The whole spring implementation depends (hardcoded) on the state parameter which is passed along the auth flow, despite it’s not required in specification: https://tools.ietf.org/html/rfc6749#section-4.1.1

Next post will be about how to (try to) make the auth flow stateless.

Frank Neff

Written By

Frank Neff

I see myself as a curious problem solver. On a life-long mission to enable people, improve tools and optimize processes, I build software to make things work. Moreover, I like to talk about technology and sharing know-how in a team to improve my own …

You May Also Like

How a Strong Type System Saves You Documentation, Tests, and Nerves

How a Strong Type System Saves You Documentation, Tests, and Nerves

I was recently inspired to finally write this post. Especially in weakly- or untyped languages, such as the JavaScript or PHP world, the added value of strict type systems is often not recognized. Instead, many discussions and comments revolve around the need for tests or code comments. Contrary to that, in the functional programming world, we leave such checks to the compiler. In this post I would like to give a short overview and explain how to use a strict type system for everyday checks instead of writing type checks, tests and documentation for it.

How to effectively visualize an Application Landscape in Enterprise Architecture

How to effectively visualize an Application Landscape in Enterprise Architecture

In enterprise & solution architecture, connecting boxes with arrows is an often used and overrated visualization from high-level, thru component architecture, down to data and class diagrams. However, to create a holistic view on systems, component diagrams are not enough! When it comes to analysis or transformation of a high-level application- or service-architecture, I prefer to draw an Application Landscape Diagram, which I would like to show and elaborate on in this post.