
Proxy Support For Authorization Requests With Spring-Security-OAuth2-Client

19.01.2021

Setting up a proxy for spring-security-oauth2-client authorization requests. Or, how to get rid of the OAuth2AuthorizationException with a nested UnknownHostException.

In our project, one of our new interface partners uses OAuth2 to secure their REST API. We're using spring-security-oauth2-client to access it. Initially, we had some trouble because the newest version of this library uses WebClient instead of RestTemplate, but that is not the subject of this blog post. We developed our feature locally and everything worked as expected. The library works like a charm and manages the access token without us having to bother about it. Unlike our development environment, the production environment does not have direct internet access. Since our partner's interface is on the internet, we need to use a proxy to reach it. Therefore we added proxy support to our service, deployed it, tested it and, surprisingly, got the following exception:

Caused by: org.springframework.security.oauth2.core.OAuth2AuthorizationException: [invalid_token_response] An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: I/O error on POST request for "https://*****/oauth/token": *****; nested exception is java.net.UnknownHostException: *****

The solution

It took us some time to figure out why this was happening. Before I describe the solution, we should recall how OAuth2 works. First, the client sends a request to an authorization server, which will return an access token if the permissions are correct and everything is working. This access token is then used in every subsequent request to the resource server for as long as it is valid.

As the exception (OAuth2AuthorizationException) implies, something went wrong during the authorization request. After digging through the source code of spring-security-oauth2-client, we found out that the authorization request uses a different HTTP client than the resource requests. This means that, at that time, the proxy was only configured for the resource requests, so the proxy has to be configured for the authorization request separately. Funnily enough, this request still uses RestTemplate, at least if you're using the ClientCredentialsOAuth2AuthorizedClientProvider. Enough of text. This is our solution:
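One way to give the token request its own proxy, as an added example rather than the authors' original code. It assumes Spring Security 5.x with the client-credentials grant; the class name, bean wiring and the proxy host and port are hypothetical placeholders.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.util.Arrays;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestTemplate;

@Configuration
public class OAuth2ProxyConfig {
    // Assumed placeholder values; use your environment's outbound proxy.
    private static final String PROXY_HOST = "proxy.example.internal";
    private static final int PROXY_PORT = 3128;

    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientService clientService) {
        // Request factory for the token endpoint POST only, routed via the proxy.
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setProxy(new Proxy(Proxy.Type.HTTP,
                new InetSocketAddress(PROXY_HOST, PROXY_PORT)));
        // Same converters and error handler the default token client relies on.
        RestTemplate tokenRestTemplate = new RestTemplate(Arrays.asList(
                new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));
        tokenRestTemplate.setRequestFactory(factory);
        tokenRestTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());

        DefaultClientCredentialsTokenResponseClient tokenClient =
                new DefaultClientCredentialsTokenResponseClient();
        tokenClient.setRestOperations(tokenRestTemplate);

        AuthorizedClientServiceOAuth2AuthorizedClientManager manager =
                new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clientService);
        manager.setAuthorizedClientProvider(OAuth2AuthorizedClientProviderBuilder.builder()
                .clientCredentials(c -> c.accessTokenResponseClient(tokenClient))
                .build());
        return manager;
    }
}
```

The WebClient used for resource requests still needs its own proxy setting. Because the token endpoint is HTTPS, the HTTP proxy only carries a CONNECT tunnel, so the client credentials stay inside the TLS session to the authorization server.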

This is just another example of how valuable open source is. I hope this blog post helped you solve your problem. Feel free to ask if you have any open questions.
