7

I want to work with Spotify Web API, but I'm having trouble with Spring Security Configuration. Here are my security dependencies:

/* springBootVersion = '2.1.2.RELEASE' */
implementation "org.springframework.security:spring-security-oauth2-client"
implementation 'org.springframework.security:spring-security-oauth2-jose:5.1.6.RELEASE'
implementation "org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.1.7.RELEASE"

And here's my security in my application.yml file:

spring:
  security:
    oauth2:
      client:
        registration:
          spotify:
            provider: spotify-provider
            client-id: <client-id>
            client-secret: <client-secret>
            client-authentication-method: basic
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:8080/
            scope: <comma delimited scopes>
        provider:
          spotify-provider:
            authorization-uri: https://accounts.spotify.com/authorize
            token-uri: https://accounts.spotify.com/api/token
            user-info-uri: https://api.spotify.com/v1/me

My issue is that after I login and get redirected back to my application, it gets stuck on the URL http://localhost:8080/oauth2/authorization/spotify with the error

localhost redirected you too many times.

Here's what my java security configuration looks like:

@Configuration
public class SpotifySecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login();
  }
}
2
  • Have you tried without explicitly specifying 'redirect-uri' in the client registration? Commented Sep 2, 2019 at 20:06
  • 2
    Without the redirect-uri I'll get an exception: IllegalArgumentException: redirectUriTemplate cannot be empty Commented Sep 2, 2019 at 20:07

2 Answers

12

The Redirect Loop was because the /oauth2/authorization/ endpoint was secured, thus it was triggering going back to the Web API for an access token.

I've updated my configuration to this:

@Configuration
public class SpotifySecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .antMatchers("/home", "/login**","/callback/", "/webjars/**", "/error**", "/oauth2/authorization/**")
            .permitAll()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login();
  }
}

The second issue was that the redirect-uri is the URI that the Web API will send the access token to Spring to be used to get the refresh token. I thought it was for a successful login. Spring already has an implementation for handling refresh tokens, but I did not know what endpoint it should use. For some reason the redirect-uri cannot be blank (there is no default); I would get this error:

IllegalArgumentException: redirectUriTemplate cannot be empty

To use Spring's refresh token implementation I needed to set the redirect-uri to this:

redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'

redirect-uri-template is an alias for redirect-uri (they're the same variable).

I found the redirect-uri in another Stack Overflow post:

authorizationGrantType cannot be null in Spring Security 5 OAuth Client and Spring Boot 2.0


2 Comments

Thanks this is helpful. I would make a slight correction to your answer: redirect-uri is where the identity provider, Spotify in your case, will send the authorization code, which will be exchanged by Spring for an access token.
This answer is only half-true. The /oauth2/authorization/** endpoint should not necessarily be permitAll(). Unsecuring this URL is unnecessary. The filter that processes this URL triggers earlier anyway, so authorization rules don't affect it. The "second issue" part is actually what caused this problem. The redirect URL should be set, and it should be set to something that matches the OAuth2LoginAuthenticationFilter pattern, which by default is /login/oauth2/code/*. When it was set to http://localhost:8080/ (which is secured), OAuth2LoginAuthenticationFilter didn't catch the request.
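Putting the accepted answer and the correction in the comment above together: the following is an added example (not code from the question or from either answer) of the same configuration built in Java instead of application.yml, so that the redirect-uri template sits next to the security rules it has to agree with. It assumes the client id and secret are read from the environment variables SPOTIFY_CLIENT_ID and SPOTIFY_CLIENT_SECRET, that the scope user-read-email is only a placeholder for the scopes the app really needs, and that Spotify's /v1/me response carries an "id" field usable as the user-name attribute. Because a ClientRegistrationRepository bean is defined here, Spring Boot's auto-configuration from the YAML registration is replaced by it.

```java
package example.security; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

@Configuration
public class SpotifySecurityConfig extends WebSecurityConfigurerAdapter {

    // Same template as in the accepted answer. Spring resolves it to
    // http://localhost:8080/login/oauth2/code/spotify, which matches the
    // OAuth2LoginAuthenticationFilter pattern /login/oauth2/code/*.
    // Pointing it at a secured page (e.g. http://localhost:8080/) means the
    // filter never sees the callback and the browser loops back to login.
    static final String REDIRECT_URI_TEMPLATE = "{baseUrl}/login/oauth2/code/{registrationId}";

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        // Assumption: credentials come from the environment, never from source control.
        String clientId = requireEnv("SPOTIFY_CLIENT_ID");
        String clientSecret = requireEnv("SPOTIFY_CLIENT_SECRET");

        // Each builder call below is the Java equivalent of one YAML key in the question.
        ClientRegistration spotify = ClientRegistration.withRegistrationId("spotify")
                .clientId(clientId)
                .clientSecret(clientSecret)
                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)   // client-authentication-method
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) // authorization-grant-type
                .redirectUriTemplate(REDIRECT_URI_TEMPLATE)                       // redirect-uri
                .scope("user-read-email")                                         // placeholder scope
                .authorizationUri("https://accounts.spotify.com/authorize")       // authorization-uri
                .tokenUri("https://accounts.spotify.com/api/token")               // token-uri
                .userInfoUri("https://api.spotify.com/v1/me")                     // user-info-uri
                .userNameAttributeName("id") // assumption: /v1/me returns an "id" field
                .clientName("Spotify")
                .build();
        return new InMemoryClientRegistrationRepository(spotify);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Only the error page is opened up. /oauth2/authorization/** and
                // /login/oauth2/code/** are served by the OAuth2 filters before the
                // authorization rules are consulted, so they need no permitAll().
                .antMatchers("/error**").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login();
    }

    // Fail fast at startup instead of sending an empty client id to the provider.
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Environment variable " + name + " is not set");
        }
        return value;
    }
}
```

The resolved callback, http://localhost:8080/login/oauth2/code/spotify for a local run, is also the value to register as the redirect URI in the Spotify developer dashboard, since the provider compares it against the registered value and rejects anything else before any code is issued.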
1

Try to add the @EnableOAuth2Sso annotation:

@Configuration
@EnableOAuth2Sso
public class SpotifySecurityConfig extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login();
  }
}

3 Comments

I believe @EnableOAuth2Sso is the old way of doing OAuth2. Anyways, I've tried adding it, but then I get a redirect loop on http://localhost:8080/login.
Can you share the doc link which marks EnableOAuth2Sso as deprecated? I believe it is the correct approach with Spring Boot 2.2.1.RELEASE and Spring Security 5.2.1.
@SivaSenthil George is right; I read the same on Stack Overflow, saying @EnableOAuth2Sso is the older way of doing it. There is no such doc as such, dunno.
