java - Flaw in Spring Security OAuth2 samples: same OAuth2ClientContext used for several providers


I am trying to implement OAuth2 with Spring Security and have studied the samples provided by Spring in the following GitHub repository: https://github.com/spring-projects/spring-security-oauth/blob/master/samples/oauth2/tonr/src/main/java/org/springframework/security/oauth/examples/config/webmvcconfig.java

This OAuth2 sample is divided into 2 projects:

  • tonr: the OAuth2 client (OAuth2Client),
  • sparklr: the OAuth2 provider (ResourceServer & AuthorizationServer)

tonr allows showing photos from sparklr, and also includes a Facebook API client that lists the friends of an account. It seems that once a token has been obtained from one provider, the same token is sent to the other OAuth2 providers, even if the token doesn't come from the provider being called.

Steps:

  • I log in to tonr2 (localhost:8080/tonr2/login.jsp)
  • I go to the sparklr photos and log in to sparklr2 (localhost:8080/tonr2/sparklr/photos & localhost:8080/sparklr2/login.jsp)
  • I approve the read scope and see the photos: OK
  • I then go to the Facebook friends page: localhost:8080/tonr2/facebook/info

The sparklr token is sent to Facebook (visible in the debug logs), and Facebook returns a 400 Bad Request error.

If I now log out of tonr, click directly on the Facebook friends page and log in to tonr again, it works: a token is requested from Facebook and access is granted. The same OAuth2ClientContext, and therefore the same token, is kept for both sparklr and Facebook.

Question: how can I separate the OAuth2ClientContext so that each token is kept for its respective resource server?

I tried to instantiate a different OAuth2ClientContext bean for the facebookRestTemplate, but the OAuth2 flow is broken with:

    @Bean(name = "facebookClientContext")
    public OAuth2ClientContext facebookClientContext() {
        return new DefaultOAuth2ClientContext();
    }

    @Bean
    public OAuth2RestTemplate facebookRestTemplate(
            @Qualifier("facebookClientContext") OAuth2ClientContext clientContext) {
        ...

I had the same problem. I solved it the same way you did, except that you should:

  1. Inject the AccessTokenRequest (request-scoped) in the constructor of DefaultOAuth2ClientContext. (@Resource injection is necessary in this version of Spring because AccessTokenRequest is a Map.)
  2. Session-scope the facebookClientContext so that tokens are not shared among different users.

See OAuth2ClientConfiguration as a guideline.

Modify WebMvcConfig$ResourceConfiguration:

    // Request-scoped bean provided by @EnableOAuth2Client; injected by name
    // with @Resource because AccessTokenRequest is a Map.
    @Resource(name = "accessTokenRequest")
    private AccessTokenRequest accessTokenRequest;

    // Dedicated, session-scoped context for Facebook so its token is never
    // shared with sparklr or with another user's session.
    @Bean
    @Qualifier("facebookClientContext")
    @Scope(value = "session", proxyMode = ScopedProxyMode.INTERFACES)
    public DefaultOAuth2ClientContext facebookClientContext() {
        return new DefaultOAuth2ClientContext(accessTokenRequest);
    }

    @Bean
    public OAuth2RestTemplate facebookRestTemplate(
            @Qualifier("facebookClientContext") OAuth2ClientContext clientContext) {
        OAuth2RestTemplate template = new OAuth2RestTemplate(facebook(), clientContext);
        MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter();
        converter.setSupportedMediaTypes(
                Arrays.asList(MediaType.APPLICATION_JSON, MediaType.valueOf("text/javascript")));
        template.setMessageConverters(Arrays.<HttpMessageConverter<?>>asList(converter));
        return template;
    }

    // The sparklr templates keep using the default oauth2ClientContext bean.
    @Bean
    public OAuth2RestTemplate sparklrRestTemplate(
            @Qualifier("oauth2ClientContext") OAuth2ClientContext clientContext) {
        return new OAuth2RestTemplate(sparklr(), clientContext);
    }

    @Bean
    public OAuth2RestTemplate sparklrRedirectRestTemplate(
            @Qualifier("oauth2ClientContext") OAuth2ClientContext clientContext) {
        return new OAuth2RestTemplate(sparklrRedirect(), clientContext);
    }
