Allow CORS requests to JWK Set endpoint #110
Closed
dgt-amexio opened this issue Sep 2, 2020 · 5 comments
Labels: type: enhancement (A general enhancement)

Comments

@dgt-amexio

Describe the bug
CORS issue with /oauth2/jwks endpoint

To Reproduce
Integrate spring-authorization-server in a SpringBoot Application
(following example provided in repo : https://github.com/spring-projects-experimental/spring-authorization-server/tree/master/samples/boot/oauth2-integration/authorizationserver)

Call the /oauth2/jwks endpoint from a JS application (or through any REST Client)

Expected behavior
The associated endpoint should allow CORS requests, but it doesn't.
Usual Spring mechanisms tested, but it seems that the JwkSetEndpointFilter behaviour could not be overridden to allow CORS requests.

Question : how could the service be configured in order to allow CORS requests on /oauth2/jwks ?

Sample
Use https://github.com/spring-projects-experimental/spring-authorization-server/tree/master/samples/boot/oauth2-integration/authorizationserver

@dgt-amexio dgt-amexio added the type: bug A general bug label Sep 2, 2020
@jgrandja
Collaborator

Thanks for the report @dgt-amexio.

I'm able to access http://localhost:9000/oauth2/jwks (from the sample) using a browser or Postman.

Call the /oauth2/jwks endpoint from a JS application (or through any REST Client)

I'm curious why you need to call the endpoint from a JS application? Can you provide more details on your use case/flow?

@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed type: bug A general bug labels Sep 21, 2020
@jgrandja jgrandja self-assigned this Sep 21, 2020
@jgrandja jgrandja removed the status: waiting-for-feedback We need additional information before we can continue label Sep 28, 2020
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 28, 2020
@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 28, 2020
@dgt-amexio
Author

Hello,
Sorry for my late answer, due to holidays.

My use case is to assess whether this library could be used as the backbone of a custom OpenID Connect service.
To achieve this,

  • I created a SpringBoot application using spring-authorization-server as a dependency + adding an extra "/.well-known/openid-configuration" endpoint
  • I then tried to reference this SB application in an Angular app relying on angular-oauth2-oidc (which brings OIDC client logic in Angular apps)

When attempting to perform authentication, the following calls are performed from my Angular app to the SB app (let's suppose this SB app is accessible on https://server) :

The question is "how could I configure spring-authorization-server to define the proper Access-Control-Allow-Origin strategy?"

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Sep 30, 2020
@jgrandja jgrandja added type: enhancement A general enhancement and removed status: feedback-provided Feedback has been provided labels Sep 30, 2020
@jgrandja
Collaborator

Thanks for the feedback @dgt-amexio.

As a temporary workaround, instead of @Import(OAuth2AuthorizationServerConfiguration.class) you could simply define your own WebSecurityConfigurerAdapter similar to OAuth2AuthorizationServerSecurity and additionally configure CORS using http.cors() or supplying a CorsConfigurationSource @Bean. This should at least get you moving forward.

We'll address this issue soon.

@jgrandja jgrandja added type: bug A general bug and removed type: enhancement A general enhancement labels Sep 30, 2020
@jgrandja jgrandja changed the title Instructions expected on how-to allow CORS requests on jwks Allow CORS requests to JWK Set endpoint Sep 30, 2020
@jgrandja jgrandja added this to the 0.0.2 milestone Sep 30, 2020
@jgrandja jgrandja added type: enhancement A general enhancement and removed type: bug A general bug labels Oct 13, 2020
@jgrandja
Collaborator

@dgt-amexio We decided NOT to provide a default configuration for CORS in OAuth2AuthorizationServerSecurity. The primary reason is that it would open up the potential attack surface and we need to maintain a tight security boundary.

However, I added a minor enhancement that will allow you to inherit the default configuration and enhance it with your custom CORS configuration.

Here is a sample of the full configuration:

// Imports added for completeness; they target the 0.0.x API this thread refers to.
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.OAuth2AuthorizationServerSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.keys.KeyManager;
import org.springframework.security.crypto.keys.StaticKeyGeneratingKeyManager;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration(proxyBeanMethods = false)
public class AuthorizationServerConfig {

	@EnableWebSecurity
	public class AuthorizationServerSecurity extends WebSecurityConfigurerAdapter {

		@Override
		protected void configure(HttpSecurity http) throws Exception {
			// Apply the authorization server defaults (the same setup that
			// @Import(OAuth2AuthorizationServerConfiguration.class) would give you) ...
			OAuth2AuthorizationServerSecurity.applyDefaultConfiguration(http);
			// ... then layer the CORS policy on top. With proxyBeanMethods = false this
			// direct call builds a second, identical CorsConfigurationSource, which is fine here.
			http.cors().configurationSource(corsConfigurationSource());
		}
	}

	@Bean
	public CorsConfigurationSource corsConfigurationSource() {
		// Deliberately narrow: one exact origin, GET only. The allowed origin is echoed
		// back in Access-Control-Allow-Origin; any other origin gets "Invalid CORS request".
		CorsConfiguration config = new CorsConfiguration();
		config.addAllowedOrigin("http://localhost:8080");
		config.addAllowedHeader("*");
		config.addAllowedMethod("GET");

		// Register the policy for every /oauth2/** path, which includes /oauth2/jwks.
		UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
		source.registerCorsConfiguration("/oauth2/**", config);

		return source;
	}

	// @formatter:off
	@Bean
	public RegisteredClientRepository registeredClientRepository() {
		// Sample client matching the one in the repo's oauth2-integration sample.
		RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
				.clientId("messaging-client")
				.clientSecret("secret")
				.clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)
				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
				.redirectUri("http://localhost:8080/authorized")
				.scope("message.read")
				.scope("message.write")
				.clientSettings(clientSettings -> clientSettings.requireUserConsent(true))
				.build();
		return new InMemoryRegisteredClientRepository(registeredClient);
	}
	// @formatter:on

	@Bean
	public KeyManager keyManager() {
		// Generates a signing key at startup; this is what /oauth2/jwks publishes.
		return new StaticKeyGeneratingKeyManager();
	}

	// @formatter:off
	@Bean
	public UserDetailsService users() {
		// Demo user only; withDefaultPasswordEncoder() is not for production use.
		UserDetails user = User.withDefaultPasswordEncoder()
				.username("user1")
				.password("password")
				.roles("USER")
				.build();
		return new InMemoryUserDetailsManager(user);
	}
	// @formatter:on
}

Let me know if you have any questions.

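Added example, not code from the Spring Authorization Server project or from either participant above: a small JavaScript model of the CORS decision that the CorsConfiguration in the comment above expresses (one allowed origin, GET only, mapped to /oauth2/**), run against constructed requests so the effect of each setting can be checked without starting the server. It follows what Spring's DefaultCorsProcessor observably does, as this editor understands it (echo the matching origin, add Vary: Origin, answer a rejected CORS request with 403); the request shape, the function names and the attacker origin are assumptions for the example. It also goes one step beyond the thread by showing that a browser client's POST to /oauth2/token would be refused by this GET-only policy even from the allowed origin.

```javascript
// Mirrors the CorsConfiguration from the thread: exact origin, GET only,
// any request header, registered for /oauth2/**.
const jwksCorsPolicy = {
  pathPrefix: "/oauth2/",                     // registerCorsConfiguration("/oauth2/**", ...)
  allowedOrigins: ["http://localhost:8080"],  // config.addAllowedOrigin(...)
  allowedMethods: ["GET"],                    // config.addAllowedMethod("GET")
  allowedHeaders: "*",                        // config.addAllowedHeader("*")
};

// Decide what the CORS layer does with one request.
// Returns { status, headers }: 200 means the request is let through to the
// endpoint (or, for a preflight, answered with the CORS headers); 403 means
// the CORS filter rejected it before the endpoint ran.
function applyCors(policy, req) {
  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const origin = h["origin"];

  // No Origin header means this is not a CORS request (curl, Postman, a
  // same-origin fetch), so the filter stays out of the way. Same for paths
  // the policy is not registered for.
  if (!origin || !req.path.startsWith(policy.pathPrefix)) {
    return { status: 200, headers: {} };
  }

  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in h;
  const effectiveMethod = isPreflight
    ? h["access-control-request-method"]
    : req.method;

  // Both the origin and the (requested) method must be on the allow list.
  const originAllowed = policy.allowedOrigins.includes(origin);
  const methodAllowed = policy.allowedMethods.includes(effectiveMethod);
  if (!originAllowed || !methodAllowed) {
    return { status: 403, headers: {}, reason: "Invalid CORS request" };
  }

  // The matching origin is echoed back (never "*"), and Vary: Origin tells
  // shared caches that the response differs per origin.
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = policy.allowedMethods.join(",");
    const requestedHeaders = h["access-control-request-headers"];
    if (requestedHeaders) {
      // allowedHeaders "*" means: echo whatever the preflight asked for.
      headers["Access-Control-Allow-Headers"] =
        policy.allowedHeaders === "*"
          ? requestedHeaders
          : policy.allowedHeaders.join(",");
    }
  }
  return { status: 200, headers };
}

// Constructed sample requests (not captured traffic).
const spaOrigin = "http://localhost:8080";
const evilOrigin = "http://attacker.example"; // assumed hostile origin

const jwksFromSpa = {
  method: "GET", path: "/oauth2/jwks", headers: { Origin: spaOrigin },
};
const jwksFromElsewhere = {
  method: "GET", path: "/oauth2/jwks", headers: { Origin: evilOrigin },
};
// A browser-based client would have to POST to the token endpoint; with a
// GET-only policy the preflight is refused even for the allowed origin.
const tokenPreflightFromSpa = {
  method: "OPTIONS", path: "/oauth2/token",
  headers: {
    Origin: spaOrigin,
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "content-type",
  },
};
// Postman / curl style call with no Origin header: not CORS at all.
const jwksNoOrigin = { method: "GET", path: "/oauth2/jwks", headers: {} };

function demo() {
  return {
    spa: applyCors(jwksCorsPolicy, jwksFromSpa),
    other: applyCors(jwksCorsPolicy, jwksFromElsewhere),
    tokenPreflight: applyCors(jwksCorsPolicy, tokenPreflightFromSpa),
    noOrigin: applyCors(jwksCorsPolicy, jwksNoOrigin),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point to take from the four cases: the JWK Set fetch from the registered origin gets an echoed Access-Control-Allow-Origin, the same fetch from any other origin is refused outright, a non-browser client is unaffected because it sends no Origin header, and the /oauth2/** mapping combined with GET-only means nothing else under /oauth2/ is opened up to cross-origin POSTs by this configuration.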
@dgt-amexio
Author

Works like a charm!
Thx

doba16 pushed a commit to doba16/spring-authorization-server that referenced this issue Apr 21, 2023