SEE: SPRING-BOOT #12593
Summary
TLS termination seems to cause baseUrl to use http instead of https
Actual Behavior
TLS termination causes baseUrl to not use the TLS scheme (http instead of https)
Expected Behavior
{baseUrl} should use the TLS scheme when the application is served with TLS
(e.g. {baseUrl}/login/oauth2/code/{registrationId})
Configuration
USING SPRING BOOT AUTO CONFIGURATION
application.yml
spring:
  security:
    oauth2:
      client:
        registration:
          COMPANY:
            client-id: ${random.value}
            client-secret: ${random.value}
            client-authentication-method: basic
            authorization-grant-type: authorization_code
            redirect-uri-template: '{baseUrl}/login/oauth2/code/{registrationId}'
            scope: openid profile email
            client-name: COMPANY
        provider:
          COMPANY:
            authorization-uri: ${random.value}
            token-uri: ${random.value}
            user-info-uri: ${random.value}
            user-name-attribute: sub
            jwk-set-uri: ${random.value}
WebSecurityConfiguration.java
import java.util.Arrays;

import javax.inject.Inject;

import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// SecurityImageConstants and DisneyIdentity are classes of the reporter's own
// application and are not shown in the issue.
@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Inject
    private OAuth2ClientProperties oAuth2ClientProperties;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                .disable();
        http
            .cors();
        http
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, SecurityImageConstants.REQUEST_PREFIX + "/identities/*").permitAll()
                .antMatchers(SecurityImageConstants.REQUEST_PREFIX, SecurityImageConstants.REQUEST_PREFIX + "/**").authenticated()
                .anyRequest().permitAll()
                .and()
            .oauth2Login()
                // Send unauthenticated users straight to the single provider instead of
                // the generated provider-selection page.
                .loginPage("/oauth2/authorization/" + getRegistrationId())
                .userInfoEndpoint()
                    .customUserType(DisneyIdentity.class, getRegistrationId());
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowCredentials(false);
        // Note: in Spring Framework 5.0 allowed origins are matched literally (or "*");
        // a wildcard sub-domain pattern such as "*.disney.com" will not match any
        // Origin header, so cross-origin requests from sub-domains would be rejected.
        configuration.setAllowedOrigins(Arrays.asList("*.disney.com"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    /**
     * Get the name of the first registration defined in {@link OAuth2ClientProperties}.
     *
     * NOTE: There should only ever be one registration for this application.
     *
     * @return The name of the first registration
     */
    private String getRegistrationId() {
        return oAuth2ClientProperties.getRegistration().keySet().iterator().next();
    }
}
Version
Spring Boot: 2.0.0.RELEASE
Spring Security: 5.0.3.RELEASE
Comment From: adenix
More specifically:
In WebSecurityConfiguration.java I've set the login page to .loginPage("/oauth2/authorization/" + getRegistrationId()) to make the system throw me straight to my authorization application instead of stopping me at Spring Security's choice page. This redirect to /oauth2/authorization/COMPANY is happening with http and I need to tell Spring to use https.
I cannot set up forwarding on my ECS cluster.
Comment From: rwinch
Thanks for the report! It sounds like you do not have your application set up to work behind a Proxy Server. Have you tried the instructions in Running Behind a Front-end Proxy Server or Proxy Server Configuration ?
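The proxy-server instructions linked above amount to making the servlet container honour the X-Forwarded-Proto / X-Forwarded-Host / X-Forwarded-Port headers that a TLS-terminating load balancer adds, so that request.getScheme() reports https. Spring Security builds {baseUrl} from exactly those request properties (via UrlUtils.buildFullRequestUrl), which is why the redirect_uri and the /oauth2/authorization/COMPANY redirect come out as http when the headers are ignored. The following is an added example, not code from the issue or from the Spring projects: it registers Spring Framework's ForwardedHeaderFilter ahead of the security filter chain and then shows, on a constructed request, the URL Spring Security would derive before and after the filter runs. The host names app.internal and login.example.com are hypothetical, and spring-test's MockHttpServletRequest is used only to build the sample request.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.web.filter.ForwardedHeaderFilter;

/**
 * Added example: honour the X-Forwarded-* headers set by a TLS-terminating proxy so
 * that request.getScheme() (and therefore {baseUrl}) reports https.
 */
@Configuration
public class ForwardedHeaderConfiguration {

    /**
     * Register the filter with the highest precedence so it runs before Spring
     * Security's filter chain and the security filters see the rewritten
     * scheme, host and port.
     */
    @Bean
    public FilterRegistrationBean<ForwardedHeaderFilter> forwardedHeaderFilter() {
        FilterRegistrationBean<ForwardedHeaderFilter> registration =
                new FilterRegistrationBean<>(new ForwardedHeaderFilter());
        registration.setOrder(Ordered.HIGHEST_PRECEDENCE);
        return registration;
    }

    /**
     * Builds the full request URL the way Spring Security does when it expands
     * {baseUrl}, optionally after passing the request through ForwardedHeaderFilter.
     */
    static String fullUrl(HttpServletRequest request, boolean throughFilter)
            throws IOException, ServletException {
        if (!throughFilter) {
            return UrlUtils.buildFullRequestUrl(request);
        }
        // The filter wraps the request before delegating; MockFilterChain keeps
        // a reference to whatever request object reached the end of the chain.
        MockFilterChain chain = new MockFilterChain();
        new ForwardedHeaderFilter().doFilter(request, new MockHttpServletResponse(), chain);
        return UrlUtils.buildFullRequestUrl((HttpServletRequest) chain.getRequest());
    }

    /**
     * Constructed sample: what the container sees when the load balancer terminates
     * TLS and forwards plain HTTP. Host names are hypothetical.
     */
    static MockHttpServletRequest sampleProxiedRequest() {
        MockHttpServletRequest request =
                new MockHttpServletRequest("GET", "/login/oauth2/code/COMPANY");
        request.setScheme("http");              // plain HTTP between proxy and container
        request.setServerName("app.internal");  // hypothetical container host
        request.setServerPort(8080);
        request.addHeader("X-Forwarded-Proto", "https");
        request.addHeader("X-Forwarded-Host", "login.example.com"); // hypothetical public host
        request.addHeader("X-Forwarded-Port", "443");
        return request;
    }

    public static void main(String[] args) throws Exception {
        MockHttpServletRequest request = sampleProxiedRequest();
        System.out.println("without filter: " + fullUrl(request, false));
        System.out.println("with filter:    " + fullUrl(request, true));
    }
}
```

The first line printed is the http URL of the internal host, the second the https URL of the forwarded host, which is the value Spring Security substitutes for {baseUrl}. With Spring Boot 2.0's auto-configured Tomcat the same effect is available without code by setting server.use-forward-headers to true, which enables Tomcat's RemoteIpValve. One caveat either way: forwarded headers are only as trustworthy as the component that sets them. ForwardedHeaderFilter in these versions applies whatever X-Forwarded-* headers arrive, so the proxy must overwrite or strip client-supplied copies; otherwise a client can spoof X-Forwarded-Host and have the {baseUrl}-based redirect_uri built around a host it chooses. RemoteIpValve only honours the headers when the immediate peer matches server.tomcat.internal-proxies, so keep that list restricted to the load balancer's address range.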
Comment From: adenix
This was the solution that I needed. Thanks!