/oauth/token does not allow authentication via post parameters #308

Closed
omazhary opened this issue Feb 8, 2016 · 6 comments

Comments

@omazhary

omazhary commented Feb 8, 2016

According to the docs, /oauth/token should allow either BASIC auth, or client_id and client_secret provided as URL-encoded form parameters.

We tried this in the context of https://github.com/bitly/oauth2_proxy and it turns out it's currently only possible via BASIC authentication.

Here is the error we get, although we do set the client_id and client_secret form parameters:

[2016-02-03 19:50:13.947] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 1 of 18 in additional filter chain; firing Filter: 'CorsFilter'
[2016-02-03 19:50:13.947] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 2 of 18 in additional filter chain; firing Filter: 'IdentityZoneResolvingFilter'
[2016-02-03 19:50:13.947] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- JdbcTemplate: Executing prepared SQL query
[2016-02-03 19:50:13.947] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- JdbcTemplate: Executing prepared SQL statement [select id,version,created,lastmodified,name,subdomain,description,config from identity_zone where subdomain=?]
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 3 of 18 in additional filter chain; firing Filter: 'DisableIdTokenResponseTypeFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- DisableIdTokenResponseTypeFilter: Processing id_token disable filter
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- DisableIdTokenResponseTypeFilter: pre id_token disable:false pathinfo:null request_uri:/oauth/token response_type:null
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- DisableIdTokenResponseTypeFilter: post id_token disable:false pathinfo:null request_uri:/oauth/token response_type:null
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 4 of 18 in additional filter chain; firing Filter: 'HttpsEnforcementFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Filter chain 'tokenEndpointSecurity' processing request POST /oauth/token
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 5 of 18 in additional filter chain; firing Filter: 'BackwardsCompatibleScopeParsingFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 6 of 18 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 7 of 18 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 8 of 18 in additional filter chain; firing Filter: 'HeaderWriterFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- HstsHeaderWriter: Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@4ed7cf6a
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 9 of 18 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 10 of 18 in additional filter chain; firing Filter: 'BackwardsCompatibleTokenEndpointAuthenticationFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 11 of 18 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 12 of 18 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterChainProxy: /oauth/token at position 13 of 18 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
[2016-02-03 19:50:13.948] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- FilterSecurityInterceptor: Secure object: FilterInvocation: URL: /oauth/token; Attributes: [IS_AUTHENTICATED_FULLY]
[2016-02-03 19:50:13.949] uaa - 1001 [http-bio-8080-exec-3] .... DEBUG --- ExceptionTranslationFilter: Authentication exception occurred; redirecting to authentication entry point
org.springframework.security.authentication.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:378)
        at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:222)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:123)
        at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:168)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.cloudfoundry.identity.uaa.authentication.BackwardsCompatibleTokenEndpointAuthenticationFilter.doFilter(BackwardsCompatibleTokenEndpointAuthenticationFilter.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:158)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)

It looks like the filter enforces BASIC auth and does not check for form parameters as a fallback before failing.
Unfortunately this makes integration with https://github.com/bitly/oauth2_proxy harder (we will have to introduce UAA-specific workarounds).

@cf-gitbot

We have created an issue in Pivotal Tracker to manage this. You can view the current status of your issue at: https://www.pivotaltracker.com/story/show/113274509.

@fhanik
Contributor

fhanik commented Feb 8, 2016

@omazhary
What version of the UAA are you using? We recently added support for this?

Please add version and curl command

thanks
Filip

@omazhary
Author

omazhary commented Feb 9, 2016

We are using UAA as shipped with CloudFoundry 226. The curl command is:
curl -X POST -iv login.bosh-lite.com/oauth/token -d "client_id=<client_name>&client_secret=<client_secret>&code=<insert_code_here>&grant_type=authorization_code&response_type=token&redirect_uri=http://monitoring.bosh-lite.com/login" -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -s

You will need to create a grafana oauth client too, and a code. We just picked a code from the browser's network log during login.
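
As an added example (not code from UAA or oauth2_proxy), here is the lookup order the reporter expected, written in Go: the Authorization: Basic header is tried first, then the client_id/client_secret form parameters in the POST body, following RFC 6749 section 2.3.1. A request that carries both is rejected rather than silently trusting one of them. The host, client name and secret are constructed placeholders.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// ClientCredentials is what /oauth/token needs before it can authenticate
// the confidential client; Method records which mechanism supplied them,
// which is worth logging when debugging a failure like the one above.
type ClientCredentials struct {
	ID, Secret, Method string
}

var (
	ErrNoClientAuth        = errors.New("no client credentials in request")
	ErrAmbiguousClientAuth = errors.New("client credentials sent via more than one method")
)

// ExtractClientCredentials follows RFC 6749 section 2.3.1: HTTP Basic is
// tried first, then client_id/client_secret in the form body. This is the
// fallback the reporter found missing. Both at once is an error, since the
// RFC forbids more than one method per request and accepting both would
// let a caller present two different client identities.
func ExtractClientCredentials(r *http.Request) (ClientCredentials, error) {
	id, secret, hasBasic := r.BasicAuth()
	// PostForm is only populated when the request sets the
	// application/x-www-form-urlencoded Content-Type, as the curl above does.
	if err := r.ParseForm(); err != nil {
		return ClientCredentials{}, err
	}
	formID, formSecret := r.PostForm.Get("client_id"), r.PostForm.Get("client_secret")
	hasForm := formID != "" || formSecret != ""
	switch {
	case hasBasic && hasForm:
		return ClientCredentials{}, ErrAmbiguousClientAuth
	case hasBasic:
		return ClientCredentials{ID: id, Secret: secret, Method: "basic"}, nil
	case hasForm:
		return ClientCredentials{ID: formID, Secret: formSecret, Method: "form"}, nil
	default:
		return ClientCredentials{}, ErrNoClientAuth
	}
}

// NewTokenRequest builds a POST to /oauth/token with a constructed form body,
// the same shape as the reporter's curl command (placeholder host).
func NewTokenRequest(body string) *http.Request {
	req, _ := http.NewRequest(http.MethodPost, "https://uaa.example/oauth/token", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req
}
```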

omazhary pushed a commit to omazhary/oauth2_proxy that referenced this issue Feb 9, 2016
* Added a cloudfoundry provider (cloudfoundry.go) to interface with cloudfoundry's UAA [1]
* Provide defaults for local Cloudfoundry installation on BOSH lite [2]
* One workaround for UAA bug [3] in provider_default is necessary, but only applied
  if provider "cloudfoundry" is used

[1] https://github.com/cloudfoundry/uaa
[2] https://github.com/cloudfoundry/bosh-lite
[3] cloudfoundry/uaa#308
@fhanik
Contributor

fhanik commented Feb 9, 2016

Already fixed in a later version via #258

@fhanik fhanik closed this as completed Feb 9, 2016
@jsievers

jsievers commented Feb 9, 2016

Great. So I understand this is fixed starting from UAA 3.0.0, i.e. CF v229 https://github.com/cloudfoundry/cf-release/releases/tag/v229

omazhary pushed a commit to omazhary/oauth2_proxy that referenced this issue Feb 10, 2016
* UAA 3.0.0 and later (contained in Cloudfoundry 229 and later)
  implements the fix (cloudfoundry/uaa@8cb166e)
  that solves this problem, making our workaround obsolete.
@sreetummidi
Contributor

@jsievers That is correct

strehle added a commit that referenced this issue Dec 11, 2023