Description
Describe the bug
With Spring Boot 3.0.5, I have the following Security Configuration and CSRF works as expected.
package com.okta.developer.jugtours.config;
import com.okta.developer.jugtours.web.CookieCsrfFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
@Configuration
public class SecurityConfiguration {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests((authz) -> authz
.requestMatchers("/", "/api/user").permitAll()
.anyRequest().authenticated()
);
http.oauth2Login();
http.oauth2ResourceServer().jwt();
http.csrf()
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
http.addFilterAfter(new CookieCsrfFilter(), BasicAuthenticationFilter.class);
return http.build();
}
}
If I upgrade to 3.1.0-RC1, it seems that CSRF causes issues, and I'm unable to login and see any endpoints (e.g. /api/groups
) that are secured. It results in an endless redirect that eventually results in rate-limiting errors (from Auth0, in my case).
To Reproduce
Here's a repo that you can reproduce the problem with: https://github.com/oktadev/auth0-spring-boot-angular-crud-example
Instructions to reproduce:
-
Clone the repo above.
git clone https://github.com/oktadev/auth0-spring-boot-angular-crud-example
-
Install the Auth0 CLI and run
auth0 login
in a terminal. Then, runauth0 apps create
:auth0 apps create \ --name "Spring Boot 3.1" \ --description "So Bootiful" \ --type regular \ --callbacks http://localhost:8080/login/oauth2/code/okta \ --logout-urls http://localhost:8080 \ --reveal-secrets
-
Copy the results from the CLI into an okta.env file:
export OKTA_OAUTH2_ISSUER=https://<your-auth0-domain>/ export OKTA_OAUTH2_CLIENT_ID=<your-client-id> export OKTA_OAUTH2_CLIENT_SECRET=<your-client-secret> export OKTA_OAUTH2_AUDIENCE=https://<your-auth0-domain>/api/v2/
-
Start the app and log in:
source okta.env mvn spring-boot:run
You'll get an infinite redirect when you try to hit http://localhost:8080/api/groups
. If you disable CSRF, it will work. Also, if you modify pom.xml
to use Spring Boot version 3.0.5, everything will work without disabling CSRF.
Expected behavior
Everything should work just fine with Spring Boot 3.1, as it does with Spring Boot 3.0.5.
Sample
https://github.com/oktadev/auth0-spring-boot-angular-crud-example