Couple of issues in using spring-security-oauth with Google (OAuth2)

  • Couple of issues in using spring-security-oauth with Google (OAuth2)

    Hello,

    I am trying to use spring-security-oauth's OAuth2 support to integrate with Google, and I am facing a couple of issues. Can someone please share some inputs?

    1) It seems Google returns access tokens with token type as "Bearer". OAuth2ClientHttpRequestFactory cannot handle it, as it only handles the cases where token type comes as "OAuth2", or doesn't come at all.

    2) It seems that Google uses "authorization" header as "OAuth <access token>". If I use bearerTokenMethod as "header", then the spring-security-oauth library sends the header as "OAuth2 <access token>", which Google does not understand. And if I use the bearerTokenMethod as "query", then the problem is that the library URL encodes the token value - so a token issued by Google as "1/Whxxxxx" becomes "1%252FWhxxxxx", and the authorization still fails.

    Can anyone more experienced throw some light on it please?

    Thanks,
    Roshan

  • #2
    It seems there is double encoding happening for the oauth_token processed by spring-security-oauth when it makes the protected resource's URL.

    OAuth2ClientHttpRequestFactory#appendQueryParameter() first does

    String queryFragment = ((resource.getBearerTokenName() == null) ? "oauth_token" : resource.getBearerTokenName()) + "=" + URLEncoder.encode(accessToken.getValue(), "UTF-8");

    and here if the access token is "1/qIxxx", it changes to '1%2FqIxxx'.

    It then forms the protected resource URI as:

    URI uri = new URI(<scheme>, <user info>, <host>, <port>, <path>, 'oauth_token=1%2FqIxxx', <fragment>)

    The URI constructor does the URL encoding again for the query string passed to it, so oauth_token gets double encoded and becomes "1%252FqIxxx"; hence the issue that the token gets rejected and the request is deemed unauthorized.

    Can someone please comment on whether this first round encoding of query string is a bug or not?

    Thanks.

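    The double encoding described in this post, reconstructed as an added Java example (this is not code from spring-security-oauth): the multi-argument java.net.URI constructor always quotes '%', so a query built from a token that URLEncoder has already encoded is encoded a second time, while parsing one pre-encoded string with the single-argument constructor encodes it exactly once. The host, path and token value are constructed placeholders.

```java
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.net.URLEncoder;

public class TokenQueryEncoding {

    // Constructed sample; tokens of the "1/..." shape contain a slash, which is the
    // character that gets encoded.
    static final String TOKEN = "1/qIxxx";
    // Assumed protected-resource location, not a real endpoint.
    static final String HOST = "resource.example.com";
    static final String PATH = "/protected";

    // Reproduces the sequence from post #2: encode the token with URLEncoder, then
    // pass the result as the query of the multi-argument URI constructor. That
    // constructor quotes every '%', so the already-encoded "%2F" becomes "%252F".
    static String doubleEncodedQuery(String token)
            throws UnsupportedEncodingException, URISyntaxException {
        String query = "oauth_token=" + URLEncoder.encode(token, "UTF-8");
        URI uri = new URI("https", null, HOST, -1, PATH, query, null);
        return uri.getRawQuery();
    }

    // Encodes exactly once: the single-string URI constructor parses its argument
    // as an already-encoded URI and leaves the "%2F" escape untouched.
    static String singleEncodedQuery(String token)
            throws UnsupportedEncodingException, URISyntaxException {
        String query = "oauth_token=" + URLEncoder.encode(token, "UTF-8");
        URI uri = new URI("https://" + HOST + PATH + "?" + query);
        return uri.getRawQuery();
    }

    // What a resource server sees after its single round of decoding.
    static String decodeTokenParam(String rawQuery) throws UnsupportedEncodingException {
        return URLDecoder.decode(rawQuery.substring("oauth_token=".length()), "UTF-8");
    }

    public static void main(String[] args) throws Exception {
        String doubled = doubleEncodedQuery(TOKEN);
        String single = singleEncodedQuery(TOKEN);
        System.out.println("double-encoded query: " + doubled);
        System.out.println("single-encoded query: " + single);
        System.out.println("double-encoded decodes to issued token: " + TOKEN.equals(decodeTokenParam(doubled)));
        System.out.println("single-encoded decodes to issued token: " + TOKEN.equals(decodeTokenParam(single)));
    }
}
```

    Only the single-encoded query decodes back to the issued token; the doubled form yields "1%2FqIxxx", which is why the resource server rejects it.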


    • #3
      Originally posted by roshandawrani:
      It seems there is double encoding happening for the oauth_token processed by spring-security-oauth when it makes the protected resource's URL.
      Tracked here:

      https://jira.springsource.org/browse/SECOAUTH-90


      • #4
        Originally posted by roshandawrani:
        It seems Google returns access tokens with token type as "Bearer". OAuth2ClientHttpRequestFactory cannot handle it, as it only handles the cases where token type comes as "OAuth2", or doesn't come at all.
        Tracking here:

        https://jira.springsource.org/browse/SECOAUTH-89
