Despite disabling CSRF, Spring is throwing the error "Could not verify the provided CSRF token because no token was found to compare" when APIs are invoked with the security filter chain below. This is the only filter chain in my application. The CSRF error goes away if I remove the oauth2ResourceServer block. I have pasted the stack trace below. The error should not be returned since CSRF is disabled.
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
    requestCache.setMatchingRequestParameterName(null);

    http
        .requestCache(cache -> cache.requestCache(requestCache))
        // CSRF protection is switched off for this (only) filter chain
        .csrf(csrf -> csrf.disable())
        .authorizeHttpRequests(requests -> requests
            .requestMatchers(AUTH_WHITELIST).permitAll()
            .requestMatchers("/v1/**").authenticated()
        )
        // Opaque tokens are validated by calling the authorization server's introspection endpoint
        .oauth2ResourceServer(resourceServer -> resourceServer
            .opaqueToken(token -> token
                .introspectionClientCredentials(clientId, clientSecret)
                .introspectionUri(checkTokenEndpointUrl)
            )
        );
    return http.build();
}
```
```
Caused by: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 : "{"error":"Could not verify the provided CSRF token because no token was found to compare."}"
	at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:109) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:183) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:137) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:942) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:891) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:740) ~[spring-web-6.1.4.jar!/:6.1.4]
	at org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector.makeRequest(SpringOpaqueTokenIntrospector.java:146) ~[spring-security-oauth2-resource-server-6.2.2.jar!/:6.2.2]
	at org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector.introspect(SpringOpaqueTokenIntrospector.java:128) ~[spring-security-oauth2-resource-server-6.2.2.jar!/:6.2.2]
	at org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider.getOAuth2AuthenticatedPrincipal(OpaqueTokenAuthenticationProvider.java:124) ~[spring-security-oauth2-resource-server-6.2.2.jar!/:6.2.2]
	... 86 more
```
Comment From: phosphataz
Hello @rajcreddy, can you try this:
```java
.csrf(AbstractHttpConfigurer::disable)
```
Comment From: rajcreddy
@phosphataz I tried this already and it did not work. I get the same error.
Comment From: rajcreddy
@marcusdacoregio for some reason the opaquetoken call is resulting in a CSRF error even though CSRF is disabled. Is this an issue in the opaquetoken REST call that I see in the stack trace? I am using Spring Boot 3.2.3.
Comment From: jzheaux
Based on the stack trace, it appears that the CSRF error is coming from the authorization server receiving the opaque token request. Are you able to still reproduce this when you use a mock backend (for example, using MockWebServer) for the opaque token endpoint?
If so, please provide a minimal sample, and I can take a look.
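The reproduction suggested above, written out as an added example (this is not code from the issue or from the Spring Security project): a JUnit 5 test that points `SpringOpaqueTokenIntrospector` at an okhttp3 `MockWebServer` standing in for the authorization server. It assumes JUnit 5.8 or later, `okhttp3:mockwebserver` and `spring-security-oauth2-resource-server` 6.2 on the test classpath; the `/oauth2/introspect` path, the client id and secret, the token value and the JSON bodies are all constructed values. The first test shows that a 403 body returned by the authorization server surfaces as an `OAuth2IntrospectionException` wrapping `HttpClientErrorException.Forbidden`, exactly the shape of the stack trace in the issue, and checks which URL the resource server actually called, which is the check that exposes a mistyped introspection URI. The second test shows the expected path for an active token.

```java
// Added example, not from the issue or the Spring Security project.
// Reproduces the opaque-token introspection call against a MockWebServer so the
// origin of a 403 can be pinned down without a real authorization server.
// Assumes JUnit 5.8+, okhttp3 MockWebServer and Spring Security 6.2 on the classpath.
import static org.junit.jupiter.api.Assertions.*;

import java.io.IOException;
import okhttp3.mockwebserver.MockResponse;
import okhttp3.mockwebserver.MockWebServer;
import okhttp3.mockwebserver.RecordedRequest;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
import org.springframework.web.client.HttpClientErrorException;

class OpaqueTokenIntrospectionTest {

    private MockWebServer authServer;
    private SpringOpaqueTokenIntrospector introspector;

    @BeforeEach
    void startMockAuthServer() throws IOException {
        authServer = new MockWebServer();
        authServer.start();
        // The same three inputs the issue's filter chain hands to opaqueToken():
        // introspection URI, client id, client secret (constructed values here).
        String introspectionUri = authServer.url("/oauth2/introspect").toString();
        introspector = new SpringOpaqueTokenIntrospector(introspectionUri, "client-id", "client-secret");
    }

    @AfterEach
    void stopMockAuthServer() throws IOException {
        authServer.shutdown();
    }

    @Test
    void forbiddenFromAuthorizationServerSurfacesAsIntrospectionException() throws Exception {
        // Constructed response: the body seen in the issue's stack trace, served by
        // the *authorization* server rather than by the resource server's own filters.
        authServer.enqueue(new MockResponse()
                .setResponseCode(403)
                .setHeader("Content-Type", "application/json")
                .setBody("{\"error\":\"Could not verify the provided CSRF token because no token was found to compare.\"}"));

        OAuth2IntrospectionException ex = assertThrows(OAuth2IntrospectionException.class,
                () -> introspector.introspect("opaque-token-value"));

        // SpringOpaqueTokenIntrospector wraps RestTemplate's 403 in OAuth2IntrospectionException;
        // the CSRF text is the remote body and is unaffected by the local csrf(...) setting.
        assertInstanceOf(HttpClientErrorException.Forbidden.class, ex.getCause());
        assertTrue(ex.getMessage().contains("CSRF token"));

        // Confirm the request reached the intended endpoint with client credentials attached.
        RecordedRequest sent = authServer.takeRequest();
        assertEquals("/oauth2/introspect", sent.getPath());
        assertEquals("POST", sent.getMethod());
        assertTrue(sent.getHeader("Authorization").startsWith("Basic "));
        assertTrue(sent.getBody().readUtf8().contains("token=opaque-token-value"));
    }

    @Test
    void activeTokenYieldsAuthenticatedPrincipal() {
        // Constructed RFC 7662 introspection response for a valid token.
        authServer.enqueue(new MockResponse()
                .setHeader("Content-Type", "application/json")
                .setBody("{\"active\":true,\"sub\":\"alice\",\"scope\":\"read\"}"));

        OAuth2AuthenticatedPrincipal principal = introspector.introspect("opaque-token-value");

        // Name comes from "sub"; each scope becomes a SCOPE_-prefixed authority.
        assertEquals("alice", principal.getName());
        assertTrue(principal.getAuthorities().stream()
                .anyMatch(a -> a.getAuthority().equals("SCOPE_read")));
    }
}
```

Run it with the project's usual test runner. When the real deployment fails, swapping the mock URL for the configured `checkTokenEndpointUrl` in the first test and comparing `sent.getPath()` against what the authorization server actually exposes is a quick way to separate a resource-server misconfiguration from a bad or unreachable introspection URL.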
Comment From: rajcreddy
@jzheaux thank you! There was a typo in the auth server URL which was causing the issue. The auth server URL did not exist, so the error was misleading.
Comment From: jzheaux
Awesome, @rajcreddy! Glad you found it. I'll close this issue at this point.