From d06aa74029a56c306b55aa17f0869ceff8d3d049 Mon Sep 17 00:00:00 2001
From: Jan
Date: Thu, 30 Oct 2025 18:38:14 +0100
Subject: [PATCH] Fixing the redirect loop in the entra id authentication
---
 .../de/avatic/lcc/config/SecurityConfig.java | 21 ++++++++++++-------
 .../lcc/service/apps/JwtTokenService.java | 7 +++++++
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/src/main/java/de/avatic/lcc/config/SecurityConfig.java b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
index 5bf31d0..4485b49 100644
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@@ -10,6 +10,8 @@ import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.jetbrains.annotations.NotNull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -56,6 +58,7 @@ import java.util.function.Supplier;
 @EnableMethodSecurity
 public class SecurityConfig {
+ private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);
 @Value("${lcc.allowed_cors}")
 private String allowedCors;
@@ -90,16 +93,20 @@ public class SecurityConfig {
 )
 )
 .csrf(csrf -> csrf
- .ignoringRequestMatchers("/oauth2/token") // CSRF für OAuth deaktivieren
+ .ignoringRequestMatchers("/oauth2/token")
 .ignoringRequestMatchers("/login/oauth2/code/**")
 .requireCsrfProtectionMatcher(request -> {
+ String requestUri = request.getRequestURI();
+ if (requestUri.startsWith("/oauth2/") || requestUri.startsWith("/login/oauth2/")) {
+ return false;
+ }
 String authHeader = request.getHeader("Authorization");
 if (authHeader != null && authHeader.startsWith("Bearer ")) {
 return false;
 }
- return true;
+ return !"GET".equalsIgnoreCase(request.getMethod());
 })
 .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
 .csrfTokenRequestHandler(new LccCsrfTokenRequestHandler())
@@ -301,18 +308,18 @@ public class SecurityConfig {
 String token = authHeader.substring(7);
 try {
- Claims claims = jwtTokenService.validateToken(token);
+ Claims claims = jwtTokenService.parseClaimsWithoutValidation(token);
 String tokenType = claims.get("token_type", String.class);
 if ("ext_app".equals(tokenType)) {
- return null; // SelfIssuedJwtFilter behandelt es
+ return null; // using the SelfIssuedJwtFilter
 }
 } catch (Exception e) {
- // Kein selbst ausgestelltes Token, weiter zur OAuth2 Validierung
+ // carry on ...
 }
- return token;
+ return token; // some other token
 }
- return null;
+ return null; // all other requests
 };
 }
diff --git a/src/main/java/de/avatic/lcc/service/apps/JwtTokenService.java b/src/main/java/de/avatic/lcc/service/apps/JwtTokenService.java
index 8374a3d..5640732 100644
--- a/src/main/java/de/avatic/lcc/service/apps/JwtTokenService.java
+++ b/src/main/java/de/avatic/lcc/service/apps/JwtTokenService.java
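Review bot: The new fallback `return !"GET".equalsIgnoreCase(request.getMethod());` still demands a CSRF token for HEAD, OPTIONS and TRACE, which Spring's own default matcher treats as safe methods; unless that asymmetry is intended, delegating to the framework keeps the two in step: `return CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request);`. The added `requestUri.startsWith("/oauth2/")` test also widens the exemption from the single `/oauth2/token` endpoint to every state-changing request under `/oauth2/` and `/login/oauth2/`, and it duplicates what the `ignoringRequestMatchers` calls above already express; if the wider prefix is needed for the Entra callback, a short why-comment naming that flow would spare the next reader from guessing. Note that `getRequestURI()` returns the raw request path including any servlet context path and matrix parameters, so this prefix check may behave differently from the path-pattern matchers if the application is not deployed at the root context.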
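Review bot: `jwtTokenService.parseClaimsWithoutValidation(token)` now makes the ext_app-versus-OAuth2 routing decision from claims whose signature has not been checked, so at this point `token_type` is whatever the sender put there; that is acceptable only if SelfIssuedJwtFilter verifies the signature before trusting anything in the token, and that dependency deserves a comment next to the `return null;`, e.g. `// claims are unverified here; SelfIssuedJwtFilter must verify the signature before use`. Separately, with jjwt's `unsecured()` parser a signed (JWS) token is, as far as I can tell, rejected with an exception rather than parsed, so if the tokens this service issues are signed the `"ext_app"` branch would never fire and every bearer token would fall through to the OAuth2 resource server — worth confirming against the issuing code, which is outside this hunk. The `catch (Exception e) { // carry on ... }` swallows exactly the exception that would reveal such a misroute; this commit adds a `log` field to the class, so at minimum `log.debug("Bearer token is not a self-issued JWT, deferring to OAuth2 validation", e);` would make it observable. The enclosing method starts before the hunk.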
@@ -40,6 +40,13 @@ public class JwtTokenService {
 .compact();
 }
+ public Claims parseClaimsWithoutValidation(String token) {
+ return Jwts.parser()
+ .unsecured()
+ .build()
+ .parseUnsecuredClaims(token)
+ .getPayload();
+ }
 public Claims validateToken(String token) {
 return Jwts.parser()
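Review bot: `parseClaimsWithoutValidation` has no Javadoc, and its contract is exactly the kind that needs one: enabling `unsecured()` means an `alg: none` token carrying arbitrary claims parses successfully, so nothing this method returns may feed an authorization decision. A doc comment along the lines of `/** Reads the claims of an unsecured (alg=none) JWT with no signature check. The result is unauthenticated input and may only be used to decide which validator the token is handed to. */` would make that explicit at the call sites. It is also worth stating, or pinning with a test, what happens for a signed token: as far as I recall `parseUnsecuredClaims` throws on a JWS rather than skipping verification, which the method name does not suggest, so either a name like `peekUnsecuredClaims` or a `@throws` line in the Javadoc would stop callers from assuming it accepts the tokens `validateToken` accepts.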