Summary

I have created an OAuth 2.0 authorization server using Spring Boot. Now I want to use this authorization server to log in to another web application. For the OAuth client I am using Spring Boot SSO. When the OAuth authorization server and the OAuth client programs are run on different devices everything works fine, but when they are both run on the same device login fails. The only thing that is changed during this switch is to set the SSO OAuth client to point to localhost instead of the remote host.

Actual Behavior

For the first scenario I have the SSO OAuth client on my localhost:8081 and the authorization server on localhost:8080. I used Wireshark to track what is happening:

1. Navigate to localhost:8081/ and click login.
2. I get redirected to the authorization server (localhost:8080/login).
3. I enter my credentials.
4. I get redirected to localhost:8081/login with the authorization code and the rest of the attributes.
5. The response is a redirect to localhost:8081/login (no attributes).
6. The response is a redirect to http://localhost:8080/oauth/authorize?client_id=first-client&redirect_uri=http://localhost:8081/login&response_type=code&state=HsdjLH
7. I get redirected to localhost:8080/login, and once again I am on the authorization server asked for credentials.

Expected Behavior

For the second scenario I have the SSO OAuth client on my localhost and the authorization server on a remote host. I used Wireshark to track what is happening:

1. Navigate to localhost:8081/ and click login.
2. I get redirected to the authorization server.
3. I enter my credentials.
4. I get redirected to localhost:8081/login with the authorization code and the rest of the attributes.
5. The SSO client makes a request to the authorization server to obtain a token (/oauth/token).
6. The SSO client makes a request to the authorization server to obtain userinfo (/user/me).
7. Authentication is completed. As implemented on the client, I am redirected to a page and shown my username.

Version

pom.xml for authorization server

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.0.RELEASE</version>
    </parent>
    <groupId>net.prince.sparrow</groupId>
    <artifactId>oauth_server</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>oauth_server</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-security -->
        <!-- <dependency> -->
        <!-- <groupId>org.springframework.boot</groupId> -->
        <!-- <artifactId>spring-boot-starter-security</artifactId> -->
        <!-- </dependency> -->

        <!-- https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-war-plugin -->
        <!-- Declared as an ordinary dependency here; a Maven plugin normally belongs under <build><plugins> -->
        <dependency>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-war-plugin</artifactId>
            <version>3.2.3</version>
        </dependency>

        <!-- https://mvnrepository.com/artifact/org.postgresql/postgresql -->
        <dependency>
            <groupId>org.postgresql</groupId>
            <artifactId>postgresql</artifactId>
            <version>42.2.12</version>
        </dependency>

        <!-- <dependency> -->
        <!-- <groupId>org.springframework.boot</groupId> -->
        <!-- <artifactId>spring-boot-starter-webflux</artifactId> -->
        <!-- </dependency> -->
        <!-- <dependency> -->
        <!-- <groupId>org.projectreactor</groupId> -->
        <!-- <artifactId>reactor-spring</artifactId> -->
        <!-- <version>1.0.1.RELEASE</version> -->
        <!-- </dependency> -->

        <!-- https://mvnrepository.com/artifact/com.nimbusds/nimbus-jose-jwt -->
        <dependency>
            <groupId>com.nimbusds</groupId>
            <artifactId>nimbus-jose-jwt</artifactId>
            <version>8.11</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-mail</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-jdbc</artifactId>
        </dependency>

        <!-- An explicit version here overrides the one managed by spring-boot-starter-parent -->
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.9.8</version>
        </dependency>

        <!-- https://mvnrepository.com/artifact/org.apache.tomcat/tomcat-jasper -->
        <dependency>
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-jasper</artifactId>
            <version>9.0.30</version>
        </dependency>

        <!-- https://mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2 -->
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>2.2.0.RELEASE</version>
        </dependency>

        <!-- https://mvnrepository.com/artifact/org.springframework.security.oauth.boot/spring-security-oauth2-autoconfigure -->
        <dependency>
            <groupId>org.springframework.security.oauth.boot</groupId>
            <artifactId>spring-security-oauth2-autoconfigure</artifactId>
            <version>2.2.0.RELEASE</version>
        </dependency>

        <!-- https://mvnrepository.com/artifact/org.springframework.security/spring-security-jwt -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-jwt</artifactId>
            <version>1.1.0.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-jpa</artifactId>
        </dependency>

        <!-- <dependency> -->
        <!-- <groupId>mysql</groupId> -->
        <!-- <artifactId>mysql-connector-java</artifactId> -->
        <!-- <scope>runtime</scope> -->
        <!-- </dependency> -->

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```

pom.xml for SSO oauth client

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <packaging>war</packaging>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.2.6.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>oauth-sso</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>oauth-sso</name>
    <description>Demo project for Spring Boot</description>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>

        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity5</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <!-- 2.1.1.RELEASE belongs to the Boot 2.1 line; the autoconfigure version normally tracks the Boot parent (2.2.x here) -->
        <dependency>
            <groupId>org.springframework.security.oauth.boot</groupId>
            <artifactId>spring-security-oauth2-autoconfigure</artifactId>
            <version>2.1.1.RELEASE</version>
        </dependency>

        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```

Sample

https://www.baeldung.com/sso-spring-security-oauth2

Comment From: jgrandja

> When the OAuth authorization server and the OAuth client programs are run on different devices everything works fine, but when they are both run on the same device login fails. The only thing that is changed during this switch is to set the SSO OAuth client to point to localhost instead of the remote host.

@p2rate This is expected behaviour because of how Cookie domains work. Since you have the authorization server and client app running on localhost, the Cookie created by the client application is overwritten by the authorization server, since the domain for both Cookies is localhost. The solution for this is to use specific host names for either the authorization server or the client app (or for both).

I'm going to close this issue since this is an environment-specific configuration that should be performed.
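A concrete form of the host-name fix, as an added example rather than the reporter's configuration: keep the client on localhost:8081, so the registered redirect_uri http://localhost:8081/login stays valid, and make the browser and the client reach the authorization server under a separate name. The name authserver.test and the client secret placeholder are assumptions; the client id and endpoint paths are the ones visible in the trace above.

```properties
# hosts file entry (/etc/hosts, or C:\Windows\System32\drivers\etc\hosts on Windows):
#   127.0.0.1   authserver.test
# "authserver.test" is an assumed name; any name other than "localhost" works.

# SSO client: src/main/resources/application.properties
server.port=8081

security.oauth2.client.client-id=first-client
security.oauth2.client.client-secret=<secret registered for first-client on the authorization server>

# Every URL that points at the authorization server uses the separate host name.
# The browser then stores the authorization server's JSESSIONID for authserver.test
# and the client's JSESSIONID for localhost; neither replaces the other.
security.oauth2.client.user-authorization-uri=http://authserver.test:8080/oauth/authorize
security.oauth2.client.access-token-uri=http://authserver.test:8080/oauth/token
security.oauth2.resource.user-info-uri=http://authserver.test:8080/user/me
```

To confirm the fix, capture the flow again: at step 4 of the failing trace (the redirect back to localhost:8081/login with the code) the Cookie header must still carry the session id the client issued at step 1. Do not also browse to the authorization server via localhost:8080 during the test, or its cookie lands on the localhost host again.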

Comment From: rwinch

To add to what @jgrandja said: RFC 6265 states that Cookies are specific to scheme, host and path but do not use the port. A quote from the Introduction section:

> For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a given cookie is intended for "secure" connections, but the Secure attribute does not provide integrity in the presence of an active network attacker. Similarly, cookies for a given host are shared across all the ports on that host, even though the usual "same-origin policy" used by web browsers isolates content retrieved via different ports.

That means to avoid cookies being overridden you need to use a different host (as @jgrandja mentioned) or you can specify different paths for the cookie. For that to happen you need to have different context roots for the applications.
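The storage rule behind both comments, replayed against the reporter's trace, as an added example that is not code from the issue, from Spring or from the RFC: a minimal cookie store that keys cookies by (name, host, path) the way RFC 6265 section 5.3 does, with the port dropped. It replays the three hops of the login (client creates its session, authorization server creates its own, browser returns to the redirect_uri) and reports whether the client's session cookie, which holds the OAuth state and the saved request, is still sent back with the authorization code. The host name authserver.test, the context paths /client and /auth, the cookie name AUTHSESSION and the cookie values are constructed for the example.

```python
# Constructed example: a browser-side cookie store following the RFC 6265 rules the
# thread cites, used to replay the failing SSO trace. Not code from the issue or Spring.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # host-only cookie: the response host with the port removed (RFC 6265 s5.3)
    path: str


def default_path(request_path: str) -> str:
    """Default-path of a cookie that carries no Path attribute (RFC 6265 s5.1.4)."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[: request_path.rfind("/")]


def path_matches(request_path: str, cookie_path: str) -> bool:
    """Path-match of RFC 6265 s5.1.4: a prefix match that must end on a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    """Browser-side store. The key is (name, host, path); no port, which is the whole problem."""

    def __init__(self) -> None:
        self._store: dict = {}

    def set_cookie(self, response_url: str, header: str) -> Cookie:
        """Apply a Set-Cookie header received in the response to response_url."""
        url = urlsplit(response_url)
        name_value, *attrs = (part.strip() for part in header.split(";"))
        name, _, value = name_value.partition("=")
        path = None
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.lower() == "path" and val.startswith("/"):
                path = val
        if path is None:
            path = default_path(url.path or "/")
        cookie = Cookie(name, value, url.hostname, path)
        # s5.3 step 11: an existing cookie with the same name, domain and path is replaced
        self._store[(name, url.hostname, path)] = cookie
        return cookie

    def cookies_for(self, request_url: str) -> dict:
        """Cookies a browser would attach to a request for request_url (RFC 6265 s5.4)."""
        url = urlsplit(request_url)
        return {
            c.name: c.value
            for c in self._store.values()
            if c.domain == url.hostname and path_matches(url.path or "/", c.path)
        }


def _context_path(base_url: str) -> str:
    """Tomcat scopes the session cookie's Path to the application's context path."""
    return urlsplit(base_url).path or "/"


def sso_round_trip(client_base: str, auth_base: str, auth_cookie_name: str = "JSESSIONID") -> bool:
    """Replay the trace: True if the client's session survives the detour to the authorization server."""
    jar = CookieJar()
    # 1. client creates a session (state, saved request) before redirecting to /oauth/authorize
    jar.set_cookie(client_base + "/login",
                   f"JSESSIONID=client-session; Path={_context_path(client_base)}; HttpOnly")
    # 2. authorization server shows its login form and creates its own session
    jar.set_cookie(auth_base + "/login",
                   f"{auth_cookie_name}=auth-session; Path={_context_path(auth_base)}; HttpOnly")
    # 3. browser follows redirect_uri back to the client carrying code and state (constructed values)
    sent = jar.cookies_for(client_base + "/login?code=abc123&state=HsdjLH")
    return sent.get("JSESSIONID") == "client-session"


if __name__ == "__main__":
    cases = [
        ("both on localhost, different ports", "http://localhost:8081", "http://localhost:8080", "JSESSIONID"),
        ("authorization server on its own host name", "http://localhost:8081", "http://authserver.test:8080", "JSESSIONID"),
        ("distinct context paths on localhost", "http://localhost:8081/client", "http://localhost:8080/auth", "JSESSIONID"),
        ("renamed session cookie on the authorization server", "http://localhost:8081", "http://localhost:8080", "AUTHSESSION"),
    ]
    for label, client, auth, cookie_name in cases:
        ok = sso_round_trip(client, auth, cookie_name)
        print(f"{label}: {'login completes' if ok else 'client session lost, login loops back to /oauth/authorize'}")
```

Only the first case loses the client's cookie, which is the loop at steps 5 and 6 of the failing trace: the client gets the code back but no longer has the session that issued the state, so it starts over. In Spring Boot the path variant is `server.servlet.context-path` on one or both applications (the registered redirect_uri must then include it, e.g. http://localhost:8081/client/login), and the cookie-name variant is `server.servlet.session.cookie.name`. Both stop the overwrite, but RFC 6265 section 8.5 is explicit that neither port nor path is an isolation boundary (document.cookie on one app can read the other's cookie on the same host), so for anything beyond a developer machine the separate host name is the one that also separates the two applications' cookies from each other.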