Fixing the redirect loop in the entra id authentication

2025-10-30 18:38:14 +01:00 · 2025-10-30 18:38:14 +01:00 · d06aa74029
commit d06aa74029
parent 9bf148a09f
2 changed files with 21 additions and 7 deletions
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@ -10,6 +10,8 @@ import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.jetbrains.annotations.NotNull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@ -56,6 +58,7 @@ import java.util.function.Supplier;
@EnableMethodSecurity
 public class SecurityConfig {

+    private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);
    @Value("${lcc.allowed_cors}")
    private String allowedCors;

@ -90,16 +93,20 @@ public class SecurityConfig {
                        )
                )
                .csrf(csrf -> csrf
-                        .ignoringRequestMatchers("/oauth2/token") // CSRF für OAuth deaktivieren
+                        .ignoringRequestMatchers("/oauth2/token")
                        .ignoringRequestMatchers("/login/oauth2/code/**")
                        .requireCsrfProtectionMatcher(request -> {
+                            String requestUri = request.getRequestURI();
+                            if (requestUri.startsWith("/oauth2/") || requestUri.startsWith("/login/oauth2/")) {
+                                return false;
+                            }

                            String authHeader = request.getHeader("Authorization");
                            if (authHeader != null && authHeader.startsWith("Bearer ")) {
                                return false;
                            }

-                            return true;
+                            return !"GET".equalsIgnoreCase(request.getMethod());
                        })
                        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                        .csrfTokenRequestHandler(new LccCsrfTokenRequestHandler())
@ -301,18 +308,18 @@ public class SecurityConfig {
                String token = authHeader.substring(7);

                try {
-                    Claims claims = jwtTokenService.validateToken(token);
+                    Claims claims = jwtTokenService.parseClaimsWithoutValidation(token);
                    String tokenType = claims.get("token_type", String.class);
                    if ("ext_app".equals(tokenType)) {
-                        return null; // SelfIssuedJwtFilter behandelt es
+                        return null; // using the SelfIssuedJwtFilter
                    }
                } catch (Exception e) {
-                    // Kein selbst ausgestelltes Token, weiter zur OAuth2 Validierung
+                    // carry on ...
                }

-                return token;
+                return token; // some other token
            }
-            return null;
+            return null; // all other requests
        };
    }

--- a/src/main/java/de/avatic/lcc/service/apps/JwtTokenService.java
+++ b/src/main/java/de/avatic/lcc/service/apps/JwtTokenService.java
@ -40,6 +40,13 @@ public class JwtTokenService {
                .compact();
    }

+    public Claims parseClaimsWithoutValidation(String token) {
+        return Jwts.parser()
+                .unsecured()
+                .build()
+                .parseUnsecuredClaims(token)
+                .getPayload();
+    }

    public Claims validateToken(String token) {
        return Jwts.parser()