SSL / Proxy Issue using Spring Cloud OAuth2


It looks to be failing where the SSO app tries to swap the auth code for a token. All the steps prior to this were browser redirects; this is code on the SSO server trying to call the auth server.

What are you using for SSL certificates on the auth server? Are they signed by a trusted party with a CA in the Java trust store? If not, that is probably why it's failing, as the BadCredentialsException is the end result of the underlying HTTP request failing.

The other option is that there is no route directly from the SSO server to the Auth server address.

I believe it's ultimately the Apache Commons HttpClient code that will be handling the request, so you should try upping the debug level for those classes (org.apache.http) and see what is reported.


It may be a little late but I ran into the exact same thing.

My setup is NGINX doing SSL proxying through to a running Spring Boot application using Spring OAuth2.

To solve this, put this in the nginx config:

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

And this in your Spring application.yml:

    server.tomcat.remote_ip_header: X-Forwarded-For
    server.tomcat.protocol_header: X-Forwarded-Proto
    security.require_ssl: true

Source: http://docs.spring.io/spring-boot/docs/current/reference/html/howto-security.html#howto-enable-https

And now Spring detects the right URL, and request.getRequestURL also returns the right URL, now including https://

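    import javax.servlet.http.HttpServletRequest;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.ResponseBody;

    @Controller
    public class HomeController {
        // Echoes the URL as the application sees it, to check the proxy headers are applied.
        @RequestMapping("/")
        @ResponseBody
        public String rootLandingPage(HttpServletRequest request) throws Exception {
            return "url: " + request.getRequestURL();
        }
    }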
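
A simplified model of why the two settings above change the URL the application reconstructs, as an added example that is not part of the original answer and not Tomcat's or Spring's own code. The class name, the trusted-proxy pattern, the addresses and the host name are assumptions made up for the demo; the third case reflects that Tomcat's RemoteIpValve only honours the forwarded headers from peers matching its `internalProxies` setting.

```java
import java.util.Map;
import java.util.regex.Pattern;

// Simplified model (not Tomcat's or Spring's code) of how the scheme of the
// reconstructed request URL is chosen behind a TLS-terminating proxy.
public class ForwardedSchemeDemo {

    // Assumption for this demo: only loopback and 10.0.0.0/8 peers are proxies we trust.
    static final Pattern TRUSTED_PROXIES = Pattern.compile(
            "(127|10)\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}");

    // The nginx -> application hop is plain HTTP, so "http" is the connector's own scheme.
    static String effectiveScheme(String peerAddr, Map<String, String> headers,
                                  boolean protocolHeaderConfigured) {
        String proto = headers.get("X-Forwarded-Proto");
        boolean trustedPeer = TRUSTED_PROXIES.matcher(peerAddr).matches();
        if (protocolHeaderConfigured && trustedPeer && "https".equalsIgnoreCase(proto)) {
            return "https";
        }
        return "http";
    }

    // Counterpart of request.getRequestURL() for the demo.
    static String requestUrl(String scheme, String host, String path) {
        return scheme + "://" + host + path;
    }

    public static void main(String[] args) {
        // Constructed sample request as nginx would forward it.
        Map<String, String> headers = Map.of(
                "X-Forwarded-Proto", "https",
                "X-Forwarded-For", "203.0.113.7");
        String host = "sso.example.test";
        String path = "/login";

        // 1. protocol_header not configured: the app sees its own plain-HTTP hop.
        System.out.println(requestUrl(effectiveScheme("10.0.0.5", headers, false), host, path));
        // 2. protocol_header configured, request arrives from the proxy.
        System.out.println(requestUrl(effectiveScheme("10.0.0.5", headers, true), host, path));
        // 3. Same header from a peer that is not a trusted proxy: header is ignored.
        System.out.println(requestUrl(effectiveScheme("198.51.100.9", headers, true), host, path));
    }
}
```

Run it with `java ForwardedSchemeDemo.java` on Java 11 or later.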


It may be worth taking a closer look at why the BadCredentialsException is bubbling up, and by this I mean stepping through the Spring Security OAuth2 code with your debugger.

The reason why I say this is because in my experience the BadCredentialsException may be due to an underlying InvalidRequestException with the following being the offending line:

    throw new InvalidRequestException(
            "Possible CSRF detected - state parameter was required but no state could be found");

I have raised a separate question related to the above here:

Why is AccessTokenRequest's PreservedState perpetually null with a resultant CSRF related InvalidRequestException?

So, in terms of your situation, with the newly introduced nginx proxy, I'm just wondering whether you might not be seeing a misleading exception. That is, misleading to the untrained in terms of OAuth2 and Spring Security OAuth2, with CSRF as an additional complexity to deal with.