Proxy/Netty: io.netty.channel.ConnectTimeoutException: connection timed out

I’m having an issue setting up the proxy in the server using Java Spring.

Details:

		<dependency>
			<groupId>com.okta.spring</groupId>
			<artifactId>okta-spring-boot-starter</artifactId>
			<version>1.3.0</version>
		</dependency>

I’m setting up correctly the System Properties (super duper checked): https.proxyHost and https.proxyPort (both http and https by the way).

I’m still getting the following error:

    ERROR  o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler - [b56689f3-47]  500 Server Error for HTTP GET "/login/oauth2/code/okta?code=KBQg4hasKPrhK4XIQ-C_&state=t00sJi7U2v5vYeMRQmYX6Qb9Gn8pGdzhfxHfI1yXVx8%3D"
    io.netty.channel.ConnectTimeoutException: connection timed out: priceline.okta.com/18.209.113.162:443
    	at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$2.run(AbstractEpollChannel.java:575) ~[netty-transport-native-epoll-4.1.49.Final-linux-x86_64.jar!/:4.1.49.Final]
    	Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
    Error has been observed at the following site(s):
    	|_ checkpoint ⇢ Request to POST https://priceline.okta.com/oauth2/default/v1/token [DefaultWebClient]
    	|_ checkpoint ⇢ org.springframework.security.oauth2.client.web.server.authentication.OAuth2LoginAuthenticationWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.oauth2.client.web.server.OAuth2AuthorizationRequestRedirectWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.web.server.context.ReactorContextWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.web.server.header.HttpHeaderWriterWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.config.web.server.ServerHttpSecurity$ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.web.server.WebFilterChainProxy [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.boot.actuate.metrics.web.reactive.server.MetricsWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ HTTP GET "/login/oauth2/code/okta?code=KBQg4hasKPrhK4XIQ-C_&state=t00sJi7U2v5vYeMRQmYX6Qb9Gn8pGdzhfxHfI1yXVx8%3D" [ExceptionHandlingWebHandler]
    Stack trace:
    		at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$2.run(AbstractEpollChannel.java:575) ~[netty-transport-native-epoll-4.1.49.Final-linux-x86_64.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.PromiseTask.runTask(PromiseTask.java:98) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.ScheduledFutureTask.run(ScheduledFutureTask.java:170) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:384) ~[netty-transport-native-epoll-4.1.49.Final-linux-x86_64.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]

I’m able to reach the end-point via curl using the proxy setting (receive an error message successfully):

    curl -x proxy:8080 -d 'testing connection' https://priceline.okta.com/oauth2/default/v1/token
    {"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oae-Ovwyzv5RRORF1AaskoC4Q","errorCauses":[]}[

I would appreciate any help on this. Already spent a considerable amount of time trying different things.

Are you able to see those system properties inside your application? Have you tried to dump them into the log? To me it’s Netty failing, based on the exception stack trace attached.

This seems to be a common known problem:

Can OKTA provide an example on how to work around this issue?

Sorry for the delay on this one.

It looks like this is a known issue for Spring Security:

I have a couple of suggestions:

  1. Remove the need for a proxy: you could whitelist the domains you need (or specific URLs if needed).
    I know this isn’t always possible, especially when someone else manages the network, but it’s the easiest option, so I figured I’d suggest it.

  2. Override the WebClient where it’s used.

You could BeanPostProcessor it, and tweak the WebClient via org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService.setWebClient(...)

Same for org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService

If you are also validating JWTs you would need to replace the ReactiveJwtDecoder bean from:

With something like:

    NimbusReactiveJwtDecoder.withJwkSetUri(oAuth2ResourceServerProperties.getJwt().getJwkSetUri())
            .webClient(...)

Where your custom webClient is something like:

    import org.springframework.http.client.reactive.ReactorClientHttpConnector;
    import org.springframework.web.reactive.function.client.WebClient;
    import reactor.netty.http.client.HttpClient;
    import reactor.netty.tcp.ProxyProvider;

    HttpClient httpClient = HttpClient.create()   // proxy is configured on the client itself
            .tcpConfiguration(tcpClient -> tcpClient
                .proxy(proxy -> proxy
                    .type(ProxyProvider.Proxy.HTTP)
                    .host("ourproxy.com")
                    .port(8080)));
    // Wrap it in the WebClient that is handed to the user services / JWT decoder
    WebClient webClient = WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();
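Putting the reply's suggestions together, as an added example that is not code from the thread or from Okta: one proxy-aware WebClient handed to the token-endpoint client (the POST that actually timed out in the trace above), to DefaultReactiveOAuth2UserService and to OidcReactiveOAuth2UserService. It assumes Reactor Netty 0.9 (the tcpConfiguration API used in the reply), a placeholder proxy host, and that the two user services are registered as beans, as the reply implies.

```java
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.tcp.ProxyProvider;

@Configuration
public class OktaProxyConfig implements BeanPostProcessor {
    // Assumed proxy endpoint (placeholder); in practice read it from your own properties.
    private static final String PROXY_HOST = "proxy.example.internal";
    private static final int PROXY_PORT = 8080;

    // Reactor Netty does not pick up https.proxyHost/Port, so the proxy is set on the client.
    static WebClient proxiedWebClient() {
        HttpClient httpClient = HttpClient.create()
                .tcpConfiguration(tcp -> tcp.proxy(p -> p
                        .type(ProxyProvider.Proxy.HTTP).host(PROXY_HOST).port(PROXY_PORT)));
        return WebClient.builder().clientConnector(new ReactorClientHttpConnector(httpClient)).build();
    }

    // The request that timed out in the trace is the POST to /v1/token, so the token client
    // needs the proxied WebClient too; Spring Security's oauth2Login picks this bean up.
    @Bean
    WebClientReactiveAuthorizationCodeTokenResponseClient tokenResponseClient() {
        WebClientReactiveAuthorizationCodeTokenResponseClient client =
                new WebClientReactiveAuthorizationCodeTokenResponseClient();
        client.setWebClient(proxiedWebClient());
        return client;
    }

    // Userinfo requests: the OAuth2 service takes the WebClient directly; the OIDC service
    // has no such setter, so it gets a proxied OAuth2 service as its delegate.
    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) {
        if (bean instanceof DefaultReactiveOAuth2UserService) {
            ((DefaultReactiveOAuth2UserService) bean).setWebClient(proxiedWebClient());
        } else if (bean instanceof OidcReactiveOAuth2UserService) {
            DefaultReactiveOAuth2UserService delegate = new DefaultReactiveOAuth2UserService();
            delegate.setWebClient(proxiedWebClient());
            ((OidcReactiveOAuth2UserService) bean).setOauth2UserService(delegate);
        }
        return bean;
    }
}
```

On Reactor Netty 1.0 and later, tcpConfiguration is deprecated and the same proxy block goes directly on HttpClient.create().proxy(...). If you also validate JWTs, pass proxiedWebClient() to NimbusReactiveJwtDecoder.withJwkSetUri(...).webClient(...) as the reply describes.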