Form Login not possible when a single OAuth2 Provider is configured

[netmikey]

Summary

When using a Form Login, a single OAuth2 provider and the auto-generated login page, the auto-configured AuthenticationEntryPoint will redirect to the provider immediately, bypassing the login page and effectively preventing form login.

Actual Behavior

When trying to access a protected resource, spring security will immediately redirect to the OAuth2 provider's authentication page instead of the local login page.

Expected Behavior

When Form Login is configured, the login page should never be skipped.

Configuration

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and()
            .oauth2Login()
            .and()
            .oauth2Client()
            .and()
            .formLogin().permitAll();
    }

spring.security.oauth2.client.registration.facebook.client-id=some-id
spring.security.oauth2.client.registration.facebook.client-secret=some-secret

Version

5.1.4-RELEASE, not sure as of which version this happens.

Sample

I don't have a sample, but I found the exact location of the bug:

spring-security/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java

Lines 444 to 453 in 2c136f7

	if (loginUrlToClientName.size() == 1) {
	// Setup auto-redirect to provider login page
	// when only 1 client is configured
	this.updateAuthenticationDefaults();
	this.updateAccessDefaults(http);
	String providerLoginPage = loginUrlToClientName.keySet().iterator().next();
	this.registerAuthenticationEntryPoint(http, this.getLoginEntryPoint(http, providerLoginPage));
	} else {
	super.init(http);
	}

The condition should check whether Form Login is enabled and don't apply the shortcut if it is.

[jgrandja]

Thanks for the report @netmikey. Would you be interested in submitting a PR for this fix?

[rhamedy]

I could work on this if @netmikey didn't want to 👍

[jgrandja]

Thanks @rhamedy for the offer. Let's provide @netmikey a chance to respond. If it's not picked up by end of next week than feel free to take it on. Thanks!

[netmikey]

Thanks, @jgrandja. Since I'm pretty busy those days, please go ahead @rhamedy 👍

[rhamedy]

Thanks both 🙂

@jgrandja anything I should know or keep in mind when working towards a fix in addition to the pointers that @netmikey included in the PR description?

[jgrandja]

@rhamedy Nothing that comes to mind at the moment. But feel free to ask any questions along the way. Thanks for taking this on.

[rhamedy]

Hi @jgrandja

I wanted to run these changes and questions by you before creating a pull request. For the actual issue pointed out in the description of the ticket, I did the following

if (loginUrlToClientName.size() == 1)

to following and verified it with a test 👍

if (loginUrlToClientName.size() == 1 
          && http.getConfigurer(FormLoginConfigurer.class) == null)

I could not find an alternative method to check if formLogin is configured 🤔

Secondly, I noticed that the same issue is there in the reactive side as well.
These might be the related issues 5339 & 5347.

Assuming that the Reactive side need fixing as well, I updated the

if (urlToText.size() == 1) {

to

if (urlToText.size() == 1 && formLogin == null) {

however I am not sure if formLogin == null is the right approach? 🤔 I added a test but, the test fails and complains that authenticationManager cannot be null when I have clearly set it as shown below

@Test
	public void defaultLoginPageWhenLoginFormEnabledAndSingleClientRegistrationThenShowDefault() {
		this.spring.register(OAuth2LoginWithSingleClientRegistrations.class,
				OAuth2LoginMockAuthenticationManagerConfigWithFormLoginEnabled.class).autowire();

		WebTestClient webTestClient = WebTestClientBuilder
				.bindToWebFilters(new GitHubWebFilter(), this.springSecurity)
				.build();

		WebDriver driver = WebTestClientHtmlUnitDriverBuilder
				.webTestClientSetup(webTestClient)
				.build();

		driver.get("http://localhost/");

		assertThat(driver.getCurrentUrl()).startsWith("http://localhost/login");
	}

	@Configuration
	static class OAuth2LoginMockAuthenticationManagerConfigWithFormLoginEnabled {
		ReactiveAuthenticationManager manager = mock(ReactiveAuthenticationManager.class);

		@Bean
		public SecurityWebFilterChain springSecurityFilter(ServerHttpSecurity http) {
			http
				.authorizeExchange()
					.anyExchange().authenticated()
					.and()
				.oauth2Login()
					.and()
				.formLogin()
					.authenticationManager(manager); // is still null in FormLoginSpec.configure line 2378
			return http.build();
		}
	}

The error snippet is as follow

Caused by: java.lang.IllegalArgumentException: authenticationManager cannot be null
	at org.springframework.util.Assert.notNull(Assert.java:198)
	at org.springframework.security.web.server.authentication.AuthenticationWebFilter.<init>(AuthenticationWebFilter.java:82)

I am new to Reactive so I feel like I am not configuring the mock correctly. Anyway, the test issue is not relevant unless we to update the Reactive side. If we have to update the Reactive side then could you please help with root cause of test failure?

[jgrandja]

@rhamedy I would like to avoid the http.getConfigurer(FormLoginConfigurer.class) conditional check, as I don't feel OAuth2LoginConfigurer should be aware of (or have reference) to FormLoginConfigurer. I'll investigate on my end and you continue as well and we'll figure out an alternative approach.

I would leave the reactive changes out for now. Let's figure out the apprach for the fix on servlet side first and go from there.

[rhamedy]

Sounds good @jgrandja, I will look into other options 👍

[jgrandja]

@rhamedy If you look at the logic in OAuth2LoginConfigurer.initDefaultLoginFilter(), it obtains a reference to DefaultLoginPageGeneratingFilter which FormLoginConfigurer does the same. Maybe you can check DefaultLoginPageGeneratingFilter.isEnabled() which will return true if formLogin() is enabled. I think this should work. But I'm also wondering if there might be an ordering issue between FormLoginConfigurer and OAuth2LoginConfigurer when they get init(). Anyway, give this a try and see how it goes.