Reset password flow doesn't work with OIDC app

I was following this sample: https://github.com/okta/samples-java-spring/tree/master/okta-hosted-login. The regular login flow works great, but the user self-service password reset flow is not working. After the user enters the new password in the sign-in widget, the user gets redirected to localhost:8080/login?error.

I enabled DEBUG logging for Spring Security and here's the gist of the stack trace that might be related:

2020-03-08 12:24:49.441 DEBUG 43764 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : /authorization-code/callback?iss=https%3A%2F%2Fdev-748359.okta.com%2Foauth2%2Fdefault&type_hint=PASSWORD_RECOVERY&session_hint=AUTHENTICATED&login_hint=support%40mydomain.us at position 8 of 18 in additional filter chain; firing Filter: 'OAuth2LoginAuthenticationFilter'
2020-03-08 12:24:49.441 DEBUG 43764 --- [nio-8080-exec-9] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/authorization-code/callback'; against '/authorization-code/callback'
2020-03-08 12:24:49.441 DEBUG 43764 --- [nio-8080-exec-9] .s.o.c.w.OAuth2LoginAuthenticationFilter : Request is to process authentication
2020-03-08 12:24:49.447 DEBUG 43764 --- [nio-8080-exec-9] .s.o.c.w.OAuth2LoginAuthenticationFilter : Authentication request failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_request] 

org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_request] 
	at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:158) ~[spring-security-oauth2-client-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:160) [spring-security-oauth2-client-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:160) [spring-security-oauth2-client-5.1.5.RELEASE.jar:5.1.5.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.1.7.RELEASE.jar:5.1.7.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.1.5.RELEASE.jar:5.1.5.RELEASE]
2020-03-08 12:24:49.448 DEBUG 43764 --- [nio-8080-exec-9] .s.o.c.w.OAuth2LoginAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
2020-03-08 12:24:49.448 DEBUG 43764 --- [nio-8080-exec-9] .s.o.c.w.OAuth2LoginAuthenticationFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@400dfda5
2020-03-08 12:24:49.448 DEBUG 43764 --- [nio-8080-exec-9] .a.SimpleUrlAuthenticationFailureHandler : Redirecting to /login?error
2020-03-08 12:24:49.449 DEBUG 43764 --- [nio-8080-exec-9] o.s.s.web.DefaultRedirectStrategy        : Redirecting to '/login?error'
2020-03-08 12:24:49.449 DEBUG 43764 --- [nio-8080-exec-9] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@331f3bd5
2020-03-08 12:24:49.449 DEBUG 43764 --- [nio-8080-exec-9] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2020-03-08 12:24:49.449 DEBUG 43764 --- [nio-8080-exec-9] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

The Okta session looks like it was created successfully, and the code is unhappy at this point:

OAuth2LoginAuthenticationFilter.java -> attemptAuthentication() {
    // params are the query parameters of the redirect URI request
    if (!OAuth2AuthorizationResponseUtils.isAuthorizationResponse(params)) {
        OAuth2Error oauth2Error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
        throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
    }
}

Looks like the Spring Security OAuth module is expecting the code and state parameters, but all it gets is iss, type_hint, session_hint, etc.

Any idea what might be going wrong? I'd be happy to provide more details.

Hi @caogecym

When doing a password reset or a user registration, Okta will send different attributes, such as the ones you mentioned (iss, type_hint and session_hint). In this case, you would need to add a hook to verify the values and, if they match the password reset or user registration, redirect the user to the /authorize endpoint.
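One way to implement the hook described above in the sample's Spring Security setup, as an added example that is not code from the thread, the Okta sample or the Okta starter. It assumes Spring Boot 2.1 / Spring Security 5.1 (javax.servlet, as in the stack trace), the sample's redirect path /authorization-code/callback, a client registration id of "okta" (the Okta starter's default), and that the trusted issuer is available from the okta.oauth2.issuer property. Spring's own OAuth2AuthorizationRequestRedirectFilter owns /oauth2/authorization/{registrationId}, so redirecting there restarts a clean authorization code flow with a fresh state; because the log shows session_hint=AUTHENTICATED, Okta already has a session for the user and the new /authorize request completes without another login prompt.

```java
package com.example.okta;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Example filter (not from the Okta sample): intercepts Okta's redirect after a
 * self-service password reset, which hits the redirect URI with iss / type_hint /
 * session_hint but no code or state, and restarts the authorization code flow
 * instead of letting OAuth2LoginAuthenticationFilter reject it as invalid_request.
 */
public class OktaRecoveryRedirectFilter extends OncePerRequestFilter {

    // Value seen in the thread's log line; other self-service flows carry other hints.
    private static final String PASSWORD_RECOVERY = "PASSWORD_RECOVERY";

    private final RequestMatcher callbackMatcher;
    private final String expectedIssuer;
    private final String restartUri;

    public OktaRecoveryRedirectFilter(String callbackPath, String expectedIssuer, String registrationId) {
        this.callbackMatcher = new AntPathRequestMatcher(callbackPath, "GET");
        this.expectedIssuer = expectedIssuer;
        // Spring Security's default authorization-request endpoint: it builds the
        // /authorize URL (new state, PKCE if configured) and redirects to Okta.
        this.restartUri = "/oauth2/authorization/" + registrationId;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (isPasswordRecoveryReturn(request)) {
            // Relative, app-local target: the hint parameters never influence where we send the user.
            response.sendRedirect(request.getContextPath() + restartUri);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Only a hint-only redirect from the trusted issuer is handled here. */
    boolean isPasswordRecoveryReturn(HttpServletRequest request) {
        if (!callbackMatcher.matches(request)) {
            return false;
        }
        // A genuine authorization response carries code/state (or error); leave it to Spring.
        if (request.getParameter("code") != null
                || request.getParameter("state") != null
                || request.getParameter("error") != null) {
            return false;
        }
        // Ignore hints that do not name the issuer this application is configured for.
        if (!expectedIssuer.equals(request.getParameter("iss"))) {
            return false;
        }
        return PASSWORD_RECOVERY.equals(request.getParameter("type_hint"));
    }
}

/** Wiring for the filter; merge the addFilterBefore call into your existing security config. */
@Configuration
class RecoveryFilterConfig extends WebSecurityConfigurerAdapter {

    // In the thread this is https://dev-748359.okta.com/oauth2/default (assumed property name)
    @Value("${okta.oauth2.issuer}")
    private String issuer;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().oauth2Login()
            .and().addFilterBefore(
                new OktaRecoveryRedirectFilter("/authorization-code/callback", issuer, "okta"),
                OAuth2LoginAuthenticationFilter.class);
    }
}
```

The filter deliberately does not forward login_hint from the incoming request: the user already holds an Okta session, so the restarted flow needs no hint, and passing through a caller-supplied value would only widen the surface of the redirect. Checking iss against the configured issuer and acting only when code and state are absent keeps the filter out of the path of real authorization responses, which Spring continues to validate as before.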

This helped, thank you very much!

@dragos Could you please elaborate on how to implement these hooks?
Or, if you could point me to some documentation on this, that would be very helpful.