It seems that we're not directly affected by this bug, since it's related to the response between Spring Authorization Server and the client. That is not the case here, because we're talking about the response from the external IdP back to the authorization server.
I tested the feature request issue, and it works. But it does not solve our problem. As mentioned, we have two security filter chains configured: one for the server config and another for logging directly onto the server for administering OAuth2 clients. The latter is not using LDAP (username/password), but OIDC. So this is the configuration:
```java
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.CACHE;
import static org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter.Directive.COOKIES;

import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.logout.HeaderWriterLogoutHandler;
import org.springframework.security.web.header.writers.ClearSiteDataHeaderWriter;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter.ReferrerPolicy;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;

// Second chain: OIDC login for the admin UI. WHITELIST, redisSessionRegistry,
// sessionRegistry, oidcLogoutSuccessHandler(), authorizationRequestResolver() and
// authorizationOidcUserService are fields/methods of the enclosing configuration class.
@Bean
@Order(2)
public SecurityFilterChain userEndpointsSecurityFilterChain(final HttpSecurity http) throws Exception {
    // Save the original request in the session; replay it without a matching query parameter
    HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
    requestCache.setMatchingRequestParameterName(null);

    // Prefer the Redis-backed session registry when one is configured
    SessionRegistry registry = redisSessionRegistry != null ? redisSessionRegistry : sessionRegistry;

    http.authorizeHttpRequests(authorize -> authorize
            .requestMatchers(WHITELIST).permitAll()
            .anyRequest().authenticated())
        .requestCache(cache -> cache
            .requestCache(requestCache))
        .logout(logout -> logout
            .logoutUrl("/logout")
            // RP-initiated logout at the external IdP after the local session is cleared
            .logoutSuccessHandler(oidcLogoutSuccessHandler())
            .addLogoutHandler(new HeaderWriterLogoutHandler(new ClearSiteDataHeaderWriter(CACHE, COOKIES)))
            .invalidateHttpSession(true))
        .headers(headers -> headers
            .httpStrictTransportSecurity(hsts -> hsts
                .includeSubDomains(true)
                .preload(true)
                .maxAgeInSeconds(31536000))
            .frameOptions(HeadersConfigurer.FrameOptionsConfig::deny)
            .referrerPolicy(referrer -> referrer
                .policy(ReferrerPolicy.SAME_ORIGIN))
            .permissionsPolicy(permissions -> permissions.policy("clipboard-write=(self)")))
        .oauth2Login(oauth2Login -> oauth2Login
            .loginPage("/")
            // Custom resolver adds response_mode=form_post to the authorization request
            .authorizationEndpoint(authorizationEndpoint -> authorizationEndpoint
                .authorizationRequestResolver(authorizationRequestResolver()))
            .userInfoEndpoint(userInfo -> userInfo
                .oidcUserService(authorizationOidcUserService.getOidcUserService())))
        .sessionManagement(session -> session
            .maximumSessions(1)
            .sessionRegistry(registry))
        // CSRF protection is disabled for this whole chain
        .csrf(csrf -> csrf.disable());
    return http.build();
}
```
This is the relevant config in AuthorizationRequestResolver to enable response_mode=form_post: `additionalParameters.put(RESPONSE_MODE, "form_post");`
The strange thing is that it works if I run this on localhost, but not on OpenShift. I have tried to disable Redis as well and run the application using only one pod, but I'm stuck with the error `[authorization_request_not_found]` when I'm sent back from the external IdP to our Spring Authorization Server.
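As an added example (not the poster's code and not Spring's own), here is the shape of a resolver that sets `response_mode=form_post` through `DefaultOAuth2AuthorizationRequestResolver`'s customizer hook, together with the two settings a practitioner would check whenever `form_post` is in play. The callback with `form_post` is a cross-site, top-level POST from the IdP to the `/login/oauth2/code/*` endpoint, so (a) that endpoint has to be excluded from CSRF rather than disabling CSRF for the whole chain, and (b) the session cookie must actually be sent on that cross-site POST: a `SameSite=Lax` cookie, which is the default of Spring Session's `DefaultCookieSerializer`, is not sent on cross-site POSTs, and without the session `HttpSessionOAuth2AuthorizationRequestRepository` cannot load the saved authorization request and reports `authorization_request_not_found`. The class names, the base URI `/oauth2/authorization`, the callback path pattern, and the presence of Spring Session are assumptions for this illustration.

```java
import java.util.function.Consumer;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

@Configuration
public class FormPostLoginConfig {

    // Assumed: the default base URI that OAuth2LoginConfigurer registers for /oauth2/authorization/{registrationId}
    private static final String AUTHORIZATION_BASE_URI = "/oauth2/authorization";
    // Assumed: the default redirect-uri template, i.e. where the IdP POSTs the form_post response
    private static final String CALLBACK_PATTERN = "/login/oauth2/code/*";

    // Resolver that appends response_mode=form_post to every authorization request
    @Bean
    public OAuth2AuthorizationRequestResolver formPostAuthorizationRequestResolver(
            ClientRegistrationRepository clients) {
        DefaultOAuth2AuthorizationRequestResolver resolver =
                new DefaultOAuth2AuthorizationRequestResolver(clients, AUTHORIZATION_BASE_URI);
        Consumer<OAuth2AuthorizationRequest.Builder> addFormPost = builder ->
                builder.additionalParameters(params -> params.put("response_mode", "form_post"));
        resolver.setAuthorizationRequestCustomizer(addFormPost);
        return resolver;
    }

    // Minimal login chain: CSRF stays on, only the IdP's form_post callback is exempt
    @Bean
    @Order(2)
    public SecurityFilterChain formPostLoginChain(HttpSecurity http,
                                                  OAuth2AuthorizationRequestResolver resolver) throws Exception {
        http.authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/", "/error").permitAll()
                .anyRequest().authenticated())
            .oauth2Login(login -> login
                .loginPage("/")
                .authorizationEndpoint(endpoint -> endpoint.authorizationRequestResolver(resolver)))
            // The IdP's POST carries no CSRF token; exempt just that path instead of csrf.disable()
            .csrf(csrf -> csrf.ignoringRequestMatchers(CALLBACK_PATTERN));
        return http.build();
    }

    // Assumed: Spring Session (e.g. Redis-backed) is on the classpath. Its cookie defaults to
    // SameSite=Lax, which browsers omit on the cross-site POST that form_post produces; the
    // saved authorization request then cannot be found. SameSite=None requires Secure, so this
    // only works over HTTPS (behind a TLS-terminating router, also honour X-Forwarded-* headers).
    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setSameSite("None");
        serializer.setUseSecureCookie(true);
        return serializer;
    }
}
```

Two things to verify in the failing environment rather than assume: in the browser's network tab, whether the session cookie is present on the POST to the callback (if it is missing, the `SameSite`/`Secure` attributes on the cookie are the first suspect), and whether the container sees the original scheme and host when TLS is terminated at the route, since both the cookie's `Secure` flag and the `redirect_uri` placed in the saved authorization request depend on it.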