I set up a custom OAuth provider as outlined in this post. The user is redirected to the site, which returns the following:
http://something.com/oauth/authorize/?client_id=tSVnn76eTjlpl0aLEfvyLI8ocafo7CHBvCYSK47D&redirect_uri=https%3A%2F%2Flocalhost%3A44319%2Fauth%2Fsomething&state=yHljYVMW6FSgBvO9RlnPsA&response_type=code
Next I can see a call to the /oath/token endpoint which returns this:
{"access_token":"zuruuz5w8s8hsu2hezuuauguh7yvkiqco8n41koh","expires_in":3600,"token_type":"Bearer","scope":"basic","refresh_token":"qtnb8crztiqr4rprrivfn9ekif2zlbituuz5e8no"}
Next, CreateAuthInfo calls the userprofileurl to get the user information. All of this seems to work, but then the user is redirected back to the authorize endpoint.
Here is a Fiddler screenshot to demonstrate it: https://www.dropbox.com/s/voel611u1gr5n9r/2018-06-06_13-38-40.png?dl=0
I'm not following what needs to happen to close this loop. The user is being registered correctly in the auth tables.
More info. If I override AuthenticateWithAccessToken with the same code to see what is returned the OnAuthenticated method always returns null.
    protected override object AuthenticateWithAccessToken(IServiceBase authService, IAuthSession session, IAuthTokens tokens, string accessToken)
    {
        tokens.AccessToken = accessToken;
        var authInfo = this.CreateAuthInfo(accessToken);
        session.IsAuthenticated = true;
        var a = OnAuthenticated(authService, session, tokens, authInfo);
        return a;
    }
Turns out you need to post to the /auth/provider url from a form otherwise it just keeps redirecting back if you browse directly to /auth/provider.
mythz, June 6, 2018, 8:27pm
OnAuthenticated() returns null if it was successful or non null to return a custom error response through any of the auth validation filters.
If AuthenticateWithAccessToken() returns null the OAuth2Provider will return the success url filter:
    var accessToken = authState.AccessToken;
    if (accessToken != null)
    {
        tokens.RefreshToken = authState.RefreshToken;
        tokens.RefreshTokenExpiry = authState.AccessTokenExpirationUtc;
    }
    if (accessToken != null)
    {
        try
        {
            return AuthenticateWithAccessToken(authService, session, tokens, accessToken)
                ?? authService.Redirect(SuccessRedirectUrlFilter(this, session.ReferrerUrl.SetParam("s", "1")));
        }
        catch (WebException we)
        {
            var statusCode = ((HttpWebResponse)we.Response).StatusCode;
            if (statusCode == HttpStatusCode.BadRequest)
            {
                return authService.Redirect(FailedRedirectUrlFilter(this, session.ReferrerUrl.SetParam("f", "AccessTokenFailed")));
            }
It uses the session.ReferrerUrl which is set on the initial request:
                this.LoadUserOAuthProvider(userSession, tokens);
            }
            catch (Exception ex)
            {
                Log.Error("Could not retrieve Profile info for '{0}'".Fmt(tokens.DisplayName), ex);
            }
        }

        protected IAuthTokens Init(IServiceBase authService, ref IAuthSession session, Authenticate request)
        {
            var requestUri = authService.Request.AbsoluteUri;
            if (this.CallbackUrl.IsNullOrEmpty())
            {
                this.CallbackUrl = requestUri;
            }
            if (session.ReferrerUrl.IsNullOrEmpty())
            {
                session.ReferrerUrl = request?.Continue ?? authService.Request.GetHeader("Referer");
            }
You can change the URL to redirect to on success by setting SuccessRedirectUrlFilter, e.g:
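    // The filter is invoked as SuccessRedirectUrlFilter(this, url), so the lambda takes two arguments
    new MyOauth2Provider {
        SuccessRedirectUrlFilter = (authProvider, url) => "https://myurl.com"
    }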
Thanks that will fix my testing headache.
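Because session.ReferrerUrl is filled from the Continue parameter or the Referer header, the success redirect target is request-controlled. The following is an added example, not code from the thread or from ServiceStack: a filter that only keeps same-origin targets outside /auth and otherwise uses a fixed landing page. The RedirectGuard class, the appBase origin and the fallback URL are assumptions for illustration.

```csharp
using System;

// Added example: decides where a successful OAuth login may redirect to.
public static class RedirectGuard
{
    // appBase (our own origin) and fallback (landing page) are assumptions.
    public static string Choose(string candidate, Uri appBase, string fallback)
    {
        if (string.IsNullOrWhiteSpace(candidate))
            return fallback; // no Continue parameter and no Referer header

        // Relative values (e.g. from Continue) resolve against our origin;
        // absolute values (e.g. a Referer header) are kept as they are.
        if (!Uri.TryCreate(appBase, candidate, out var target))
            return fallback;

        var sameOrigin =
            target.Scheme == appBase.Scheme &&
            string.Equals(target.Host, appBase.Host, StringComparison.OrdinalIgnoreCase) &&
            target.Port == appBase.Port;
        if (!sameOrigin)
            return fallback; // e.g. a Referer pointing at the provider's authorize page

        // Redirecting into /auth/... would start the login flow again.
        var path = target.AbsolutePath;
        if (path.Equals("/auth", StringComparison.OrdinalIgnoreCase) ||
            path.StartsWith("/auth/", StringComparison.OrdinalIgnoreCase))
            return fallback;

        return target.AbsoluteUri;
    }

    public static void Main()
    {
        var appBase = new Uri("https://localhost:44319/");  // origin of the redirect_uri in the question
        const string fallback = "https://localhost:44319/"; // assumed landing page

        // Constructed inputs, not captured traffic.
        string[] samples = {
            "http://something.com/oauth/authorize/?response_type=code",
            "https://localhost:44319/auth/something?s=1",
            "/dashboard?s=1",
            "//something.com/landing",
            null
        };
        foreach (var s in samples)
            Console.WriteLine($"{s ?? "(null)"} -> {Choose(s, appBase, fallback)}");
    }
}
```

In a custom provider this would be wired as SuccessRedirectUrlFilter = (provider, url) => RedirectGuard.Choose(url, appBase, fallback), matching the two-argument call shown in the OAuth2Provider excerpt.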