A redirect is required to get the users approval

I’m following the blog post https://developer.okta.com/blog/2017/03/21/spring-boot-oauth to get familiar with Okta. I’ve set up a new OpenID Connect app and configured the application.yml file:

security:
  oauth2:
    client:
      clientId: xxx
      clientSecret: xxx
      accessTokenUri: https://dev-xxx.oktapreview.com/oauth2/default/v1/token
      userAuthorizationUri: https://dev-xxx.oktapreview.com/oauth2/default/v1/authorize
      clientAuthenticationScheme: form
    resource:
      userInfoUri: https://dev-xxx.oktapreview.com/oauth2/default/v1/userinfo

Running spring.bat run ../helloOAuth.groovy gives:

org.springframework.security.oauth2.client.resource.UserRedirectRequiredException:
**A redirect is required to get the users approval**
at org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider.getRedirectForAuthorization(AuthorizationCodeAccessTokenProvider.java:359) ~[spring-security-oauth2-2.0.14.RELEASE.jar:na]

I’m behind a corporate firewall so have set proxy values using JAVA_OPTS environment variable

set JAVA_OPTS="-Dhttp.proxyHost=xxx -Dhttp.proxyPort=xxx -Dhttp.proxyUser=xxx -Dhttp.proxyPassword=xxx"

Any help much appreciated.

Does it work if you try it outside your company’s firewall? Sorry, I haven’t seen this issue before.

Hi Matt, thanks for getting back so quick.

I tried off the company network and still get the same issue. I’ve been through the code and blog post again line by line and can’t spot any issues.

If you clone my sample project on GitHub and change the settings in application.yml to match yours, does it work?

I get further… though I can’t see what the difference is in the code, other than yours references the principal:

@GetMapping('/')
String home(java.security.Principal user) {
  'Hello ' + user.name
}

and mine was from the earlier step that just returned Hello World.

I get redirected off to the login page. But, after login the redirect is to http://localhost:8080/login?state=Qfdm3A&error=invalid_scope&error_description=The+authorization+server+resource+does+not+have+any+configured+default+scopes%2C+%27scope%27+must+be+provided.

I’ve tried setting a default scope, but can’t edit any of the existing settings.

I messed up when updating this article recently and removed the scopes property. See:

The whitelabel error page doesn’t tell you anything, but your browser’s address window does: no scopes were requested. Modify application.yml to have a scope property at the same level as clientAuthenticationScheme. These are some standard OIDC scopes.

      clientAuthenticationScheme: form
      scope: openid profile email
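To make the two redirects in this thread concrete (the `error=invalid_scope` callback when no scope is requested, and the `code=...&state=...` callback after a successful login), here is an added Python example that builds the authorization-code request the way the Spring client does and parses what Okta sends back to `/login`. It is not code from the blog post or from the Okta/Spring projects; the client id, redirect URI and the `dev-xxx` issuer are placeholders, and the `state` check is the standard CSRF protection the `state` parameter exists for.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder issuer, matching the redacted value in the thread (assumption).
ISSUER = "https://dev-xxx.oktapreview.com/oauth2/default"
AUTHORIZE_URI = ISSUER + "/v1/authorize"


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Build the /v1/authorize request the browser is redirected to.

    An empty scope is exactly what application.yml without a 'scope'
    property produces, and it is what triggers the invalid_scope error
    seen in the thread, so refuse to build such a request.
    """
    requested = scope.split()
    if "openid" not in requested:
        raise ValueError("OpenID Connect requires the 'openid' scope; "
                         "an empty scope yields error=invalid_scope")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(requested),
        "state": state,
    }
    return AUTHORIZE_URI + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Interpret the redirect back to the client's /login endpoint.

    Returns {'code': ...} on success or {'error': ..., 'error_description': ...}
    when the authorization server reported a problem. The state must match
    the one we generated; a mismatch means the response does not belong to
    this session (CSRF, or a stale browser session such as leftover cookies).
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in query:
        return {
            "error": query["error"][0],
            "error_description": query.get("error_description", [""])[0],
        }
    return {"code": query["code"][0]}


if __name__ == "__main__":
    state = secrets.token_urlsafe(8)
    url = build_authorize_url("xxx", "http://localhost:8080/login",
                              "openid profile email", state)
    print("authorize request:", url)

    # Constructed callback, shaped like the one quoted in the thread.
    good = "http://localhost:8080/login?code=7T4ZHrIGa5GYwFJYWP4B&state=" + state
    print("callback result:", parse_callback(good, state))
```

Running the script prints the authorize URL with `scope=openid+profile+email` and then the parsed `code`; feeding it the `invalid_scope` URL from earlier in the thread (with its `state=Qfdm3A`) returns the decoded error description instead of a code.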

Ah, that helps!

Back on the corporate network (no choice this morning) and I get all the way through the login process, but return to localhost with:

http://localhost:8080/login?code=7T4ZHrIGa5GYwFJYWP4B&state=5xM8Bn

Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Fri Oct 20 08:53:44 BST 2017
There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: Could not obtain access token

Digging in to the logs this is due to a failed POST

I/O error on POST request for "https://dev-122772.oktapreview.com/oauth2/default/v1/token": Socket is not connected

I’ll try again when I can get off-network and see if that helps.

Thanks

I’ve seen this before when cookies are leftover in my browser. I’d try again with your browser in Incognito mode.

Turns out that adding the missing scope, and getting off the corporate network did the trick.

Many thanks for your help Matt.
