LinkedIn, OAuth2, and the 'state' parameter

  • LinkedIn, OAuth2, and the 'state' parameter

    Just a heads up to any of you using Spring Social with an OAuth2 provider such as Facebook, Google, or (as of now) LinkedIn...

    LinkedIn now supports OAuth 2 in addition to OAuth 1. So, I upgraded Spring Social LinkedIn to work with OAuth 2 instead of OAuth 1.0a. Along the way this meant supporting the state parameter (for protecting against CSRF).

    If you're using Spring Social LinkedIn, I'd appreciate it if you'd try it with the latest snapshots and make sure it all still works as you'd expect.

    Even if you're not using Spring Social LinkedIn, but you are using Spring Social with another OAuth 2 provider, I'd still appreciate it if you'd test with the latest snapshots to make sure that the code I added for supporting the 'state' parameter doesn't break anything. I tested it rather well for Facebook and LinkedIn, but would appreciate more testing regardless of the provider.

    Let me know if you run into any troubles.

  • #2
    Hello,

    I have deployed one of the sample applications, "spring-social-showcase-sec-xml". When trying to sign in with LinkedIn (without signing in to the Spring Social showcase application), it results in an infinite redirect loop (URL given below).

    Log statements below:

    DEBUG: org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/auth/linkedin'; against '/resources/**'
    DEBUG: org.springframework.security.web.FilterChainProxy - /auth/linkedin?error=invalid_request&error_description=You+need+to+pass+the+%22state%22+parameter at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
    DEBUG: org.springframework.security.web.FilterChainProxy - /auth/linkedin?error=invalid_request&error_description=You+need+to+pass+the+%22state%22+parameter at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
    DEBUG: org.springframework.security.web.FilterChainProxy - /auth/linkedin?error=invalid_request&error_description=You+need+to+pass+the+%22state%22+parameter at position 3 of 11 in additional filter chain; firing Filter: 'SocialAuthenticationFilter'
    DEBUG: org.springframework.social.security.SocialAuthenticationFilter - Request is to process authentication
    DEBUG: org.springframework.social.security.SocialAuthenticationFilter - Authentication request failed: org.springframework.social.security.SocialAuthenticationRedirectException:
    DEBUG: org.springframework.social.security.SocialAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
    DEBUG: org.springframework.social.security.SocialAuthenticationFilter - Delegating to authentication failure handler org.springframework.social.security.SocialAuthenticationFailureHandler@1703457
    DEBUG: org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
    DEBUG: org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices - Cancelling cookie
    DEBUG: org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    DEBUG: org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
    The "state" parameter seems to be missing. This does not happen after logging in to the Spring Social showcase application and subsequently connecting with LinkedIn. I have not made any changes to the sample application. Is there a missing configuration?

    Kind Regards.
    Hasnain.



    • #3
      Yes, I noticed the same behavior a couple of days ago. It's on my TODO list to sort it out.

      FWIW, it only seems to happen with LinkedIn and only when using SocialAuthenticationFilter. Not with any other provider or when using ProviderSignInController.
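
What the 'state' parameter in the announcement is for, and what the redirect loop in the bug report looks like at the protocol level, as an added example that is not part of this thread or of Spring Social's code. It simulates both sides of the authorization-code redirect with constructed endpoint URLs and a dict standing in for the HTTP session: the client mints a random state bound to the session, a stand-in provider rejects a request without state using the same error text LinkedIn returned above, and the callback handler accepts a code only when the returned state matches the one bound to that session.

```python
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed stand-ins; not LinkedIn's real endpoint or the showcase app's real URLs.
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"
CALLBACK_URL = "https://app.example/auth/linkedin"
STATE_SESSION_KEY = "oauth2_state"


def build_authorize_url(session, client_id):
    """Client side: mint an unguessable state, bind it to this session, send it along."""
    state = secrets.token_urlsafe(32)
    session[STATE_SESSION_KEY] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": CALLBACK_URL, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def provider_redirect(authorize_url):
    """Simulated provider: refuse a request without state (the error text from the thread),
    otherwise redirect back with a constructed code and the state echoed unchanged."""
    q = parse_qs(urlparse(authorize_url).query)
    if "state" not in q:
        return CALLBACK_URL + "?" + urlencode({
            "error": "invalid_request",
            "error_description": 'You need to pass the "state" parameter'})
    return CALLBACK_URL + "?" + urlencode({"code": "constructed-code", "state": q["state"][0]})


def handle_callback(session, callback_url):
    """Client side: consume the bound state (single use) and accept the code only on a match.
    A callback with no matching state is the CSRF case the state parameter exists to stop."""
    q = parse_qs(urlparse(callback_url).query)
    expected = session.pop(STATE_SESSION_KEY, None)
    if "error" in q:
        return ("error", q.get("error_description", [""])[0])
    received = q.get("state", [None])[0]
    if expected is None or received is None:
        return ("rejected", "state missing")
    if not secrets.compare_digest(expected.encode(), received.encode()):
        return ("rejected", "state mismatch")
    return ("ok", q["code"][0])
```

The provider's missing-state redirect lands on the callback URL carrying `error=invalid_request&error_description=You+need+to+pass+the+%22state%22+parameter`, exactly the query string in the filter-chain log above; a callback handler that answers it by redirecting to the provider again, still without a state, is what produces the loop.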
