Missing clientId with authorization_code flow in thymeleaf project

Hi all, I’m using the following dependency:

<dependency>
    <groupId>com.okta.spring</groupId>
    <artifactId>okta-spring-boot-starter</artifactId>
    <version>3.0.7</version>
</dependency>

and I am trying to apply the authorization_code flow. I have managed to call the server and got the code which will be used to fetch the token, but when the endpoint /oauth2/audience/v1/token is called, the client_id is missing from the body.

I have tried to add it in a custom class (customAuthorizationCodeTokenResponseClient), but it is never called.

Below is my main config. Do you have any ideas? Thanks in advance:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// CustomAuthorizationRequestResolver and CustomAuthorizationCodeTokenResponseClient
// are the poster's own classes (not shown in the thread), assumed to live in this package.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    private final ClientRegistrationRepository clientRegistrationRepository;
    private final Environment env;

    public SecurityConfig(ClientRegistrationRepository clientRegistrationRepository, Environment env) {
        this.clientRegistrationRepository = clientRegistrationRepository;
        this.env = env;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        // authorizeRequests() is deprecated in Spring Security 6; authorizeHttpRequests() is the replacement
        http.authorizeRequests(authorizeRequests -> authorizeRequests.anyRequest().fullyAuthenticated())
            .oauth2Login(oauth2Login -> {
                oauth2Login.authorizationEndpoint(authorizationEndpoint ->
                    // custom resolver that builds the redirect to the /v1/authorize endpoint
                    authorizationEndpoint.authorizationRequestResolver(customAuthorizationRequestResolver(clientRegistrationRepository))
                ).tokenEndpoint(tokenEndpoint ->
                    // custom client intended to perform the code-for-token exchange at /v1/token
                    tokenEndpoint.accessTokenResponseClient(customAuthorizationCodeTokenResponseClient())
                );
            })
            .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())); // Example CSRF token repository

        return http.build();
    }

    @Bean
    public OAuth2AuthorizationRequestResolver customAuthorizationRequestResolver(ClientRegistrationRepository clientRegistrationRepository) {
        return new CustomAuthorizationRequestResolver(clientRegistrationRepository, "/oauth2/authorization");
    }

    @Bean
    public CustomAuthorizationCodeTokenResponseClient customAuthorizationCodeTokenResponseClient() {
        return new CustomAuthorizationCodeTokenResponseClient();
    }

}

In your Spring Boot application, you’re encountering an issue where the client_id is missing when calling the /oauth2/audience/v1/token endpoint to exchange an authorization code for an access token. This problem might be due to the way your custom OAuth2AccessTokenResponseClient is implemented or configured. Ensure that your custom client correctly includes the client_id in the request body when making the call to the token endpoint. Verify that your application’s application.properties or application.yml file is properly configured with Okta’s details, including the client-id, client-secret, and token endpoint URI. Additionally, check your Okta configuration to make sure the server is correctly set up to handle the token request. Adding detailed logging to capture request and response details can also help diagnose the issue. If these steps do not resolve the issue, consider updating your dependencies or consulting Okta’s support for further assistance.
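As an added example (not melvas66's or the original poster's code, and not Okta's): the class where Spring Security decides whether client_id goes into the token request body is OAuth2AuthorizationCodeGrantRequestEntityConverter. With the default client_secret_basic registration it sends client_id and client_secret in an Authorization: Basic header and leaves client_id out of the form body, which matches the "Writing [...]" log line in the thread (RestTemplate logs the body there, not the headers). If the Okta application is set up for client_secret_post, the standard Spring Boot property spring.security.oauth2.client.registration.okta.client-authentication-method: client_secret_post makes the default converter add both fields to the body without any custom class (this assumes the registration id okta, which the redirect to /oauth2/authorization/okta in the log suggests). RFC 6749 section 2.3.1 prefers the Basic header and only allows body credentials as an option, so the method should match what the Okta app expects rather than be forced. The configuration below shows the explicit route: it adds client_id to the body through an extra parameters converter on the default client and wires that client into oauth2Login so it is actually invoked. Package, class and bean names are assumptions.

```java
// Added example, not code from the thread or from Okta. Package name is an assumption.
package com.example.oauthdemo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

@Configuration
public class TokenClientConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> tokenClient) throws Exception {
        http
            .authorizeHttpRequests(requests -> requests.anyRequest().authenticated())
            // Wire the client explicitly: this is what makes it run for the code-for-token exchange.
            .oauth2Login(login -> login
                .tokenEndpoint(token -> token.accessTokenResponseClient(tokenClient)));
        return http.build();
    }

    @Bean
    OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> tokenClient() {
        OAuth2AuthorizationCodeGrantRequestEntityConverter converter =
                new OAuth2AuthorizationCodeGrantRequestEntityConverter();

        // The default converter puts client_id in the body only when the registration's
        // authentication method is not client_secret_basic; with client_secret_basic the
        // id and secret travel in the Authorization: Basic header instead. This extra
        // converter adds client_id to the body regardless of the method. It never adds
        // client_secret: if the server wants the secret in the body, switch the
        // registration to client_secret_post instead of hand-copying the secret here.
        converter.addParametersConverter(grantRequest -> {
            ClientRegistration registration = grantRequest.getClientRegistration();
            MultiValueMap<String, String> extra = new LinkedMultiValueMap<>();
            extra.add(OAuth2ParameterNames.CLIENT_ID, registration.getClientId());
            return extra;
        });

        DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRequestEntityConverter(converter);
        return client;
    }
}
```

Keeping DefaultAuthorizationCodeTokenResponseClient rather than reimplementing the exchange preserves its handling of the PKCE code_verifier, redirect_uri and the OAuth2 error response format; only the parameter set is extended.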

Hi melvas66,
I assume that in my application.yml, I have these values:
okta:
  oauth2:
    client-id: ${okta_client_id}
    client-secret: ${okta_client_secret}
    issuer: https://${namespace}/oauth2/${okta_audience_id}
    redirect-uri: /authorization-code/callback
    scopes:
      - offline_access
      - openid

For the log, I got:
2024-07-22 10:46:56,954 DEBUG o.s.s.w.FilterChainProxy [https-jsse-nio-443-exec-2] Securing GET /oauth2/authorization/okta
2024-07-22 10:46:56,956 DEBUG o.s.s.w.DefaultRedirectStrategy [https-jsse-nio-443-exec-2] Redirecting to https://XXXXXXX/oauth2/XXXXXXX/v1/authorize?response_type=code&client_id=0oaf3okk4tyYCGZNq417&scope=offline_access%20openid&state=zvbspaJGAEMxYwYt91Qgs_aTyeSPAHEl53F6mS_zMI8%3D&redirect_uri=https://XXXXXXX/authorization-code/callback&nonce=X3b3qyzSg8rss4hwfMoV8Pw6hoUSrqi9R5nlAHrNBbc&code_challenge=ErgEM8ma3rujMA-u0FNrP5j_kos5pN9hmCe__lIFA6U&code_challenge_method=S256
2024-07-22 10:47:04,293 DEBUG o.s.s.w.FilterChainProxy [https-jsse-nio-443-exec-8] Securing GET /authorization-code/callback?code=eCqNRcSrYvbwwSzWMOPllm3b2mhP28gf5mVNRzNwdhY&state=zvbspaJGAEMxYwYt91Qgs_aTyeSPAHEl53F6mS_zMI8%3D
2024-07-22 10:47:04,309 DEBUG o.s.w.c.RestTemplate [https-jsse-nio-443-exec-8] HTTP POST https://XXXXXXX/oauth2/XXXXXXX/v1/token
2024-07-22 10:47:04,310 DEBUG o.s.w.c.RestTemplate [https-jsse-nio-443-exec-8] Accept=[application/json, application/*+json]
2024-07-22 10:47:04,311 DEBUG o.s.w.c.RestTemplate [https-jsse-nio-443-exec-8] Writing [{grant_type=[authorization_code], code=[eCqNRcSrYvbwwSzWMOPllm3b2mhP28gf5mVNRzNwdhY], redirect_uri=[https://XXXXXXX/authorization-code/callback], code_verifier=[Ikau_J7oC3qzexIBVCAziKOjMhwV8nK6vJBGAwfzHA2iTFf3Eqcxs--AaGht5UZbofCLn8FVyHGIS35PyWgOl0QgB3aMpeHdAha-0Q1sA8LL7cGTxChkdIfbEE9Kzu7S]}] as "application/x-www-form-urlencoded;charset=UTF-8"
2024-07-22 10:47:04,667 DEBUG o.s.w.c.RestTemplate [https-jsse-nio-443-exec-8] Response 401 UNAUTHORIZED

It's the reason why I tried to customize the tokenResponseClient, but as I said in my previous message, it is never called in my configuration.

Hi @melvas66, I have almost restarted from scratch and still have the same behaviour.

Now I have only this as SecurityConfig:
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
class SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

        // Same chain as before, written with the lambda DSL (the .and() style is deprecated in Spring Security 6)
        http.authorizeHttpRequests((requests) -> requests
                .requestMatchers("/").permitAll()
                .anyRequest().authenticated()
            )
            .logout((logout) -> logout.logoutSuccessUrl("/"))
            .oauth2Client(Customizer.withDefaults())
            .oauth2Login(Customizer.withDefaults());

        return http.build();
    }

}

and that in application.yml:
okta:
  oauth2:
    client-id: ${okta_client_id}
    client-secret: ${okta_client_secret}
    issuer: https://${domain-name}/oauth2/${okta_audience_id}
    redirect-uri: /authorization-code/callback
    scopes:
      - openid

And these dependencies in my pom:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-test</artifactId>
        <scope>test</scope>
    </dependency>

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-actuator</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-thymeleaf</artifactId>
    </dependency>
    <dependency>
        <groupId>com.okta.spring</groupId>
        <artifactId>okta-spring-boot-starter</artifactId>
        <version>3.0.7</version>
    </dependency>
    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity6</artifactId>
        <version>3.1.2.RELEASE</version>
    </dependency>

I have followed the request exchange in my browser console and did not manage to see the token exchange query (cf. screenshot), but I can see it in my Java log.
I have also tried to put some interceptors in place to catch every query sent from my app, but without success.

Do you have any idea how to catch the RestTemplate POST which is used to request the token?
Regards
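The code-for-token exchange is a back-channel POST from the application's JVM to Okta, so it never shows up in the browser's network tab; the only place to intercept it is the RestTemplate inside Spring Security's DefaultAuthorizationCodeTokenResponseClient. The following is an added example, not the poster's code and not Okta's: it builds that RestTemplate with the same converters and error handler Spring Security uses by default, adds a ClientHttpRequestInterceptor that logs the method, URL, authorization scheme and form body, and redacts the secret-bearing fields before anything reaches the log. The Basic header is only base64 of client_id:client_secret, and code and code_verifier are enough to replay the exchange within their lifetime, so none of them should be logged in clear even at DEBUG. Package, class and bean names are assumptions.

```java
// Added example, not code from the thread or from Okta. Package name is an assumption.
package com.example.oauthdemo;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestTemplate;

@Configuration
public class TokenRequestLoggingConfig {

    private static final Logger log = LoggerFactory.getLogger(TokenRequestLoggingConfig.class);

    // Form fields whose values must never reach the log.
    private static final Pattern SENSITIVE_FORM_FIELDS =
            Pattern.compile("(client_secret|code|code_verifier|refresh_token)=[^&]*");

    static String redactBody(String formBody) {
        return SENSITIVE_FORM_FIELDS.matcher(formBody).replaceAll("$1=<redacted>");
    }

    // Reports only the scheme (e.g. "Basic") so the presence of header credentials is
    // visible without exposing them; no header at all means client_id must be in the body.
    static String describeAuthorization(HttpHeaders headers) {
        String authorization = headers.getFirst(HttpHeaders.AUTHORIZATION);
        if (authorization == null) {
            return "none";
        }
        return authorization.split(" ", 2)[0] + " <redacted>";
    }

    @Bean
    OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> loggingTokenClient() {
        // The interceptor receives the already-serialized body as bytes, so no buffering
        // request factory is needed to read it.
        ClientHttpRequestInterceptor tokenRequestLogger = (request, body, execution) -> {
            log.debug("token request {} {} authorization={} body={}",
                    request.getMethod(), request.getURI(),
                    describeAuthorization(request.getHeaders()),
                    redactBody(new String(body, StandardCharsets.UTF_8)));
            ClientHttpResponse response = execution.execute(request, body);
            log.debug("token response status={}", response.getStatusCode());
            return response;
        };

        // Same message converters and error handler that Spring Security installs by default,
        // so OAuth2 error responses (e.g. invalid_client on a 401) are still parsed.
        RestTemplate restTemplate = new RestTemplate(Arrays.asList(
                new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));
        restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
        restTemplate.setInterceptors(List.of(tokenRequestLogger));

        DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRestOperations(restTemplate);
        return client;
    }
}
```

The bean still has to be wired into the login DSL, as in the poster's first configuration: oauth2Login(login -> login.tokenEndpoint(token -> token.accessTokenResponseClient(loggingTokenClient()))). With the logger at DEBUG, a 401 from /v1/token will then appear next to a line stating whether the request carried a Basic header or a bare client_id in the body, which is the first thing to compare against the Okta application's client authentication setting.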

Hi there,

My name is Akash, from Okta.

May I know if you are seeing any other errors in the browser console? Also, please confirm what value you are using for the okta_audience_id in the issuer. Is it the authorization server ID or something else?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.