Open
Description
In OAuth2AuthenticationSuccessHandler,

```java
protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
    // Redirect target the client asked for before the OAuth2 dance started, carried in a cookie
    Optional<String> redirectUri = CookieUtils.getCookie(request, REDIRECT_URI_PARAM_COOKIE_NAME)
            .map(Cookie::getValue);

    // Only redirect to targets on the configured allowlist
    if (redirectUri.isPresent() && !isAuthorizedRedirectUri(redirectUri.get())) {
        throw new BadRequestException("Sorry! We've got an Unauthorized Redirect URI and can't proceed with the authentication");
    }

    String targetUrl = redirectUri.orElse(getDefaultTargetUrl());
    String token = tokenProvider.createToken(authentication);

    // The JWT is appended to the redirect URL as a query parameter
    return UriComponentsBuilder.fromUriString(targetUrl)
            .queryParam("token", token)
            .build().toUriString();
}
```
This means that, for example, if we redirect to `https://foobar.com?token={jwt_token}`, the JWT is exposed in the browser's address bar and recorded in its history. To prevent this, we normally move the third-party OAuth2 flow to the client side: on the client side, we redirect to the third-party URL, get authenticated, and finally retrieve the token and then send it to our server, which validates it with the same provider. Note, however, that this approach exposes the OAuth2 client ID in client code.
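One server-side alternative that keeps the token out of the address bar, as an added example that is not part of this issue or of the project's code: the success handler keeps its redirect-URI allowlist check but delivers the JWT in an `HttpOnly` cookie on the response instead of a `?token=` query parameter. The example uses only the JDK so it runs stand-alone; the allowlist, cookie name `access_token` and the `Set-Cookie` string builder are constructed here (in the Spring handler itself one would use `ResponseCookie` and `response.addHeader("Set-Cookie", ...)`).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.time.Duration;
import java.util.List;

/** Added example: hand the JWT to the browser in a cookie rather than in the redirect URL. */
public final class TokenRedirectExample {

    // Constructed allowlist; in the project this would come from application configuration.
    static final List<URI> AUTHORIZED_REDIRECT_URIS = List.of(
            URI.create("https://app.example.com/oauth2/redirect"),
            URI.create("http://localhost:3000/oauth2/redirect"));

    /** Scheme, host and port must match an allowlisted entry exactly; relative and opaque URIs are rejected. */
    static boolean isAuthorizedRedirectUri(String candidate) {
        final URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return false;
        }
        if (uri.getScheme() == null || uri.getHost() == null) {
            return false;
        }
        return AUTHORIZED_REDIRECT_URIS.stream().anyMatch(allowed ->
                allowed.getScheme().equalsIgnoreCase(uri.getScheme())
                        && allowed.getHost().equalsIgnoreCase(uri.getHost())
                        && allowed.getPort() == uri.getPort());
    }

    /** Redirect target with no token in it; the client's own query string is left untouched. */
    static String determineTargetUrl(String redirectUri, String defaultTargetUrl) {
        if (redirectUri == null) {
            return defaultTargetUrl;
        }
        if (!isAuthorizedRedirectUri(redirectUri)) {
            throw new IllegalArgumentException("Unauthorized Redirect URI");
        }
        return redirectUri;
    }

    /**
     * Set-Cookie header value carrying the JWT. HttpOnly keeps it away from page scripts,
     * SameSite=Lax stops it riding on cross-site subrequests, Secure restricts it to HTTPS.
     */
    static String tokenCookie(String token, Duration ttl, boolean secure) {
        StringBuilder sb = new StringBuilder("access_token=").append(token)
                .append("; Path=/; HttpOnly; SameSite=Lax; Max-Age=").append(ttl.getSeconds());
        if (secure) {
            sb.append("; Secure");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String jwt = "constructed.jwt.value";  // constructed placeholder, not a real token
        String target = determineTargetUrl("https://app.example.com/oauth2/redirect?next=%2Fdashboard",
                "https://app.example.com/");
        System.out.println("Location: " + target);                       // no token in the URL
        System.out.println("Set-Cookie: " + tokenCookie(jwt, Duration.ofMinutes(15), true));

        // Host that is not on the allowlist, and a userinfo trick that must not match
        for (String bad : List.of("https://evil.example.net/oauth2/redirect",
                                  "https://app.example.com@evil.example.net/")) {
            System.out.println(bad + " authorized? " + isAuthorizedRedirectUri(bad));  // false
        }
    }
}
```

Moving the token from the `Authorization: Bearer` header into a cookie changes the threat model: the browser now attaches it automatically, so the CSRF resistance the header-based design had for free must be replaced (the `SameSite` attribute helps, and state-changing endpoints should still carry a CSRF token). The cookie is also scoped to the API host, so a single-page app served from a different origin needs CORS with credentials configured on the server before it can use it.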