oauth2 with ForwardedHeaderFilter bean does not respect Forwarded, nor X-Forwarded-Prefix headers

[luvarqpp]

Affects: Spring Boot 2.1.8.RELEASE (Spring Framework 5.1.9)

I am using spring-security-oauth2-client for "log in" using github. My application is being deployed behind reverse proxy (nginx). Generated logi npage from oauth artefact does not have correct links (if I have more than one provider, login page lists them all and given links have missing prefix from http header X-Forwarded-Prefix).

Another problem is that redirect sent to github authorization url is wrong and it does not respect Forwarded header.

See also my similar report for simple login for spring-security here: spring-projects/spring-security#7081

My codebase now contains just https://github.com/spring-projects/spring-security/tree/master/samples/boot/oauth2login sample project "converted" to maven, with added single bean ForwardedHeaderFilter.

More info for second described problem: My nginx is sending proxied requests like this one:

2019-09-17 13:30:28.962 DEBUG 1 --- [nio-8080-exec-2] o.a.coyote.http11.Http11InputBuffer      : Received [GET / HTTP/1.0
Forwarded: for=81.92.1.1;host=qpp.qpp.sk:443;proto=https
X-Forwarded-Prefix: /oauth2login-test
Host: internal.qpp.sk:18080
Connection: close
user-agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-language: en-US,en;q=0.5
accept-encoding: gzip, deflate, br
dnt: 1
upgrade-insecure-requests: 1
cookie: JSESSIONID=BFA1XAFB12D5842E470208C980AC8E

]

Redirect url is than generated (copied log message here):

2019-09-17 13:30:29.090 DEBUG 1 --- [nio-8080-exec-3] o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'https://github.com/#/oauth/authorize?response_type=code&client_id=8d9244444444444&scope=read:user&state=ebCgdemkfeWEFDWw43m-vSQhRREDb_1ee44rRorRkRNjs%3D&redirect_uri=http://internal.qpp.sk:18080/#/oauth2/code/github'

As you see redirect_uri parameter is set to internal address, where my spring application actually runs, instead of nginx proxy, which is available from Internet (qpp.qpp.sk).

[rstoyanchev]

The ForwardedHeaderFilter does support the "Forwarded" and the "X-Forwarded-Prefix" headers, so you'll need to provide sample to demonstrate the issue.

For the redirect_uri query parameter, the ForwardedHeaderFilter will only work for anything after it in the filter chain, so if the parameter is set from a filter, check their order.

[luvarqpp]

I have forked spring-security and in branch created my demonstration (sample project oauth2webclient).
See single commit, where all changes resides:
luvarqpp/spring-security@19156ea

PS: In given branch, is also "solution" to my problem, which uses very crude way how to alter returned redirect_uri. It is based on some advice to use CustomAuthorizationRequestResolver.

[rstoyanchev]

@luvarqpp as I pointed out previously in #23260 (comment) and here is that you need to A) make sure the ForwardedHeaderFilter is configured, and B) it is ordered before other filters that need to use the correct path.

You branch has the ForwardedHeaderFilter bean commented out, and server.forward-headers-strategy: framework but this property is supported in Boot 2.2 spring-projects/spring-boot#5677 while you're using 2.1.x. In effect ForwardedHeaderFilter is not at all present and therefore cannot do what it's supposed to do.

Adding the following declaration:

@Bean
public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
	ForwardedHeaderFilter filter = new ForwardedHeaderFilter();
	FilterRegistrationBean<ForwardedHeaderFilter> registration = new FilterRegistrationBean<>(filter);
	registration.setDispatcherTypes(DispatcherType.REQUEST, DispatcherType.ASYNC, DispatcherType.ERROR);
	registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
	return registration;
}

And you get:

redirect_uri=https://example.com/myDevelApp/#/oauth2/code/client-id

[luvarqpp]

Seems working. Thanks for answer. I have also searched once again documentation and also "google" and I have found nearly same problem as I had on stackoverflow with same solution :/

My apologize for spam.