LinkedIn, OAuth2, and the 'state' parameter

  • LinkedIn, OAuth2, and the 'state' parameter

    Just a heads up to any of you using Spring Social with an OAuth2 provider such as Facebook, Google, or (as of now) LinkedIn...

    LinkedIn now supports OAuth 2 in addition to OAuth 1. So, I upgraded Spring Social LinkedIn to work with OAuth 2 instead of OAuth 1.0a. Along the way this meant supporting the state parameter (for protecting against CSRF).

    If you're using Spring Social LinkedIn, I'd appreciate it if you'd try it with the latest snapshots and make sure it all still works as you'd expect.

    Even if you're not using Spring Social LinkedIn, but you are using Spring Social with another OAuth 2 provider, I'd still appreciate it if you'd test with the latest snapshots to make sure that the code I added for supporting the 'state' parameter doesn't break anything. I tested it rather well for Facebook and LinkedIn, but would appreciate more testing regardless of the provider.

    Let me know if you run into any troubles.
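    The 'state' parameter mentioned above does its CSRF job only if it is unguessable, bound to the browser session that started the flow, and checked exactly once on the callback. As an added illustration (not Spring Social's code and not from this thread; the endpoint, client id, redirect URI and scope are constructed placeholders, and the session is modelled as a plain Map), here is the minimal issue/build/verify cycle in Java:

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Spring Social's own implementation: minting and verifying the
 * OAuth 2 'state' value that ties an authorization response back to the session
 * that initiated the redirect. The HTTP session is modelled as a Map here.
 */
public class OAuth2StateExample {

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final String STATE_ATTR = "oauth2.state";

    /** Step 1: mint a 256-bit random state and remember it in the user's session. */
    public static String issueState(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(STATE_ATTR, state);
        return state;
    }

    /** Step 2: build the provider's authorization URL; 'state' is always present. */
    public static String buildAuthorizeUrl(String authorizeEndpoint, String clientId,
                                           String redirectUri, String scope, String state) {
        return authorizeEndpoint
            + "?response_type=code"
            + "&client_id=" + enc(clientId)
            + "&redirect_uri=" + enc(redirectUri)
            + "&scope=" + enc(scope)
            + "&state=" + enc(state);
    }

    /**
     * Step 3: on the callback, consume the stored state (single use) and compare it
     * to the returned value in constant time before the 'code' is exchanged.
     */
    public static boolean verifyState(Map<String, Object> session, String returnedState) {
        Object expected = session.remove(STATE_ATTR);
        if (expected == null || returnedState == null) {
            return false;
        }
        return MessageDigest.isEqual(
            ((String) expected).getBytes(StandardCharsets.UTF_8),
            returnedState.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String state = issueState(session);
        // Placeholder provider and client values, constructed for this example only.
        System.out.println(buildAuthorizeUrl("https://provider.example/oauth2/authorize",
            "example-client-id", "https://app.example.com/auth/provider", "profile", state));
        // A callback carrying the session's own state is accepted once, then rejected on replay.
        System.out.println("valid callback:    " + verifyState(session, state));  // true
        System.out.println("replayed callback: " + verifyState(session, state));  // false
        // A callback carrying someone else's state against a fresh session is rejected.
        Map<String, Object> other = new HashMap<>();
        issueState(other);
        System.out.println("forged callback:   " + verifyState(other, state));    // false
    }
}
```

    Two details matter in practice: the stored value is removed before comparison so a captured callback URL cannot be replayed, and the comparison uses `MessageDigest.isEqual` rather than `String.equals` to avoid a timing side channel. A filter that omits the parameter on the outbound redirect, which is what the error in the posts below reports, never reaches step 3 at all.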

  • #2

    I have deployed one of the sample applications, "spring-social-showcase-sec-xml". When trying to sign in with LinkedIn (without first signing in to the Spring Social showcase application), it results in an infinite redirect loop (URL given below).

    Log statements below:

    DEBUG: stMatcher - Checking match of request : '/auth/linkedin'; against '/resources/**'
    DEBUG: - /auth/linkedin?error=invalid_request&error_description=You+need+to+pass+the+%22state%22+parameter at position 1 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
    DEBUG: onSecurityContextRepository - No HttpSession currently exists
    DEBUG: onSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
    DEBUG: - /auth/linkedin?error=invalid_request&error_description=You+need+to+pass+the+%22state%22+parameter at position 2 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
    DEBUG: - /auth/linkedin?error=invalid_request&error_description=You+need+to+pass+the+%22state%22+parameter at position 3 of 11 in additional filter chain; firing Filter: 'SocialAuthenticationFilter'
    DEBUG: cationFilter - Request is to process authentication
    DEBUG: cationFilter - Authentication request failed: cationRedirectException:
    DEBUG: cationFilter - Updated SecurityContextHolder to contain null Authentication
    DEBUG: cationFilter - Delegating to authentication failure handler [email protected]
    DEBUG: memberme.TokenBasedRememberMeServices - Interactive login attempt was unsuccessful.
    DEBUG: memberme.TokenBasedRememberMeServices - Cancelling cookie
    DEBUG: onSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
    DEBUG: ontextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
    The "state" parameter seems to be missing. This does not happen after logging in to the Spring Social showcase application and subsequently connecting with LinkedIn. I have not made any changes to the sample application. Is there a missing configuration?

    Kind Regards.


    • #3
      Yes, I noticed the same behavior a couple of days ago. It's on my TODO list to sort it out.

      FWIW, it only seems to happen with LinkedIn and only when using SocialAuthenticationFilter. Not with any other provider or when using ProviderSignInController.