Proxy/Netty: io.netty.channel.ConnectTimeoutException: connection timed out

gbornia · July 14, 2020, 9:53pm

I’m having an issue setting up the proxy in the server using Java Spring.

Details:

		<dependency>
			<groupId>com.okta.spring</groupId>
			<artifactId>okta-spring-boot-starter</artifactId>
			<version>1.3.0</version>
		</dependency>

I’m setting up correctly the System Properties (super duper checked): https.proxyHost and https.proxyPort (both http and https by the way).

I’m still getting the following error:

    ERROR  o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler - [b56689f3-47]  500 Server Error for HTTP GET "/login/oauth2/code/okta?code=KBQg4hasKPrhK4XIQ-C_&state=t00sJi7U2v5vYeMRQmYX6Qb9Gn8pGdzhfxHfI1yXVx8%3D"
    io.netty.channel.ConnectTimeoutException: connection timed out: priceline.okta.com/18.209.113.162:443
    	at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$2.run(AbstractEpollChannel.java:575) ~[netty-transport-native-epoll-4.1.49.Final-linux-x86_64.jar!/:4.1.49.Final]
    	Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
    Error has been observed at the following site(s):
    	|_ checkpoint ⇢ Request to POST https://priceline.okta.com/oauth2/default/v1/token [DefaultWebClient]
    	|_ checkpoint ⇢ org.springframework.security.oauth2.client.web.server.authentication.OAuth2LoginAuthenticationWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.oauth2.client.web.server.OAuth2AuthorizationRequestRedirectWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.web.server.context.ReactorContextWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.web.server.header.HttpHeaderWriterWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.config.web.server.ServerHttpSecurity$ServerWebExchangeReactorContextWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.security.web.server.WebFilterChainProxy [DefaultWebFilterChain]
    	|_ checkpoint ⇢ org.springframework.boot.actuate.metrics.web.reactive.server.MetricsWebFilter [DefaultWebFilterChain]
    	|_ checkpoint ⇢ HTTP GET "/login/oauth2/code/okta?code=KBQg4hasKPrhK4XIQ-C_&state=t00sJi7U2v5vYeMRQmYX6Qb9Gn8pGdzhfxHfI1yXVx8%3D" [ExceptionHandlingWebHandler]
    Stack trace:
    		at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$2.run(AbstractEpollChannel.java:575) ~[netty-transport-native-epoll-4.1.49.Final-linux-x86_64.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.PromiseTask.runTask(PromiseTask.java:98) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.ScheduledFutureTask.run(ScheduledFutureTask.java:170) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:384) ~[netty-transport-native-epoll-4.1.49.Final-linux-x86_64.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.49.Final.jar!/:4.1.49.Final]
    		at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]

I’m able to reach the end-point via curl using the proxy setting (receive an error message successfully):

    curl -x proxy:8080 -d 'testing connection' https://priceline.okta.com/oauth2/default/v1/token
    {"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oae-Ovwyzv5RRORF1AaskoC4Q","errorCauses":[]}[

I would appreciate any help on this. Already spent a considerable amount of time trying different things.

phi1ipp · July 15, 2020, 12:25am

gbornia:

I’m setting up correctly the System Properties (super duper checked): https.proxyHost and https.proxyPort (both http and https by the way).

I’m still getting the following error:

ERROR o.s.b.a.w.r.e.AbstractErrorWebExceptionHandler - [b56689f3-47] 500 Server Error for HTTP GET "/login/oauth2/code/okta?code=KBQg4hasKPrhK4XIQ-C_&state=t00sJi7U2v5vYeMRQmYX6Qb9Gn8pGdzhfxHfI1yXVx8%3D" 
io.netty.channel.ConnectTimeoutException: connection timed out: priceline.okta.com/18.209.113.162:443 
    at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$2.run(AbstractEpollChannel.java:575) ~[netty-transport-native-epoll-4.1.49.Final-linux-x86_64.jar!/:4.1.49.Final] 
    Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
    Error has been observed at...

are you able to see those system properties inside your application? have you tried to dump them into the log? to me it’s netty failing, based on the exception stack trace attached

gbornia · July 15, 2020, 1:31pm

This seems to be a common known problem:

Can OKTA provide an example on how to work around this issue?

bdemers · August 26, 2020, 7:28pm

Sorry for the delay on this one.

It looks like this is a known issue for Spring Security:

I have a couple of suggestions:

Remove the need for a proxy, you could whitelist the domains you need (or specific URLs if needed)
I know this isn’t always possible, especially when someone else manages the network, but it’s easiest option, so I figured I’d suggest it
Override the WebClient where it’s used.

You could BeanPostProcessor it, and tweak the WebClient org.springframework.security.oauth2.client.userinfo.DefaultReactiveOAuth2UserService.setWebClient(...)

same for org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService

If you are also validating JWTs you would need to replace the ReactiveJwtDecoder bean from:

github.com

okta/okta-spring-boot/blob/0fab5771d56b4f653ee4ae980a1dfa63cd58bbf3/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOAuth2ResourceServerAutoConfig.java#L43


@AutoConfigureBefore(ReactiveOAuth2ResourceServerAutoConfiguration.class)
@ConditionalOnOktaResourceServerProperties
@EnableConfigurationProperties({OktaOAuth2Properties.class, OAuth2ResourceServerProperties.class})
@ConditionalOnClass({ EnableWebFluxSecurity.class, BearerTokenAuthenticationToken.class, ReactiveJwtDecoder.class })
@ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
class ReactiveOktaOAuth2ResourceServerAutoConfig {

    @Bean
    ReactiveJwtDecoder jwtDecoder(OAuth2ResourceServerProperties oAuth2ResourceServerProperties, OktaOAuth2Properties oktaOAuth2Properties) {

        NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(oAuth2ResourceServerProperties.getJwt().getJwkSetUri());
        jwtDecoder.setJwtValidator(TokenUtil.jwtValidator(oAuth2ResourceServerProperties.getJwt().getIssuerUri(), oktaOAuth2Properties.getAudience()));
        return jwtDecoder;
    }
}

With something like:

NimbusReactiveJwtDecoder.withJwkSetUri(oAuth2ResourceServerProperties.getJwt().getJwkSetUri())
            .webClient(...)

Where your custom webClient is something like:

HttpClient httpClient = HttpClient.create()
            .tcpConfiguration(tcpClient -> tcpClient
                .proxy(proxy -> proxy
                    .type(ProxyProvider.Proxy.HTTP)
                    .host("ourproxy.com")
                    .port(8080)));

system · April 25, 2022, 5:52pm

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.