Discord auth issues

Hi all, has anyone managed to get Discord working as an SSO in Vaadin, or in SB3 in general?

followed the following resource:
https://vaadin.com/blog/oauth-2-and-google-sign-in-for-a-vaadin-application

and adjusted accordingly (Ref: https://stackoverflow.com/questions/75340860/spring-boot-3-0-discord-oauth2/)

After being redirected by Discord auth I'm getting an OAuth2AuthenticationException:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_request] Missing "code_verifier"

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.oauth2Login().loginPage("/login").permitAll();
    }
}

spring.security.oauth2.client.registration.discord.provider=discord
spring.security.oauth2.client.registration.discord.client-id=${DISCORD_CLIENT_ID}
spring.security.oauth2.client.registration.discord.client-secret=${DISCORD_CLIENT_SECRET}
spring.security.oauth2.client.registration.discord.client-authentication-method=post
spring.security.oauth2.client.registration.discord.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.discord.scope[0]=identify
spring.security.oauth2.client.registration.discord.redirect-uri=http://localhost:8080/login/oauth2/code/discord

spring.security.oauth2.client.provider.discord.authorization-uri=https://discordapp.com/api/oauth2/authorize
spring.security.oauth2.client.provider.discord.token-uri=https://discordapp.com/api/oauth2/token
spring.security.oauth2.client.provider.discord.user-info-uri=https://discordapp.com/api/users/@me
spring.security.oauth2.client.provider.discord.user-name-attribute=username

Enable debug logging to debug the problem. https://www.baeldung.com/spring-security-enable-logging

Hi there, thanks for replying. I did try this but couldn't manage to get anything more specific than

2023-05-12T12:06:26.269+01:00 DEBUG 4780 --- [nio-8080-exec-8] o.s.s.web.DefaultRedirectStrategy        : Redirecting to https://discordapp.com/api/oauth2/authorize...
2023-05-12T12:06:28.829+01:00 DEBUG 4780 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : Securing GET /login/oauth2/code/discord....
2023-05-12T12:06:29.169+01:00 DEBUG 4780 --- [nio-8080-exec-5] .s.a.DefaultAuthenticationEventPublisher : No event was found for the exception org.springframework.security.oauth2.core.OAuth2AuthenticationException

As described in the message, you probably have to register an event publisher that gets notified about the OAuth2 exception and take a look at the error message of the exception to find the root cause. Without this, it's close to impossible to find the cause.

Just had a go at publishing authentication events via AuthenticationEventPublisher, and added an AbstractAuthenticationFailureEvent listener (not sure if this wraps all implementations), and I'm still getting "no event was found". Can you recommend somewhere to better learn how to get a publisher working? Apologies.

You need a component that implements AuthenticationFailureHandler; in there you have access to the exception

(and add it to the oauth2 config as the failureHandler).

Perfect, thank you. That gives the following:

org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_request] Missing "code_verifier"

Perfect, with this it should be possible to get to the root of it 🙂

Thanks for your help, I'll leave this open in case anyone might have any ideas.

Google leads to this https://www.baeldung.com/spring-security-pkce-secret-clients

Had a poke, can't seem to autowire ServerHttpSecurity.

I don't think you need WebFlux here.

It's obviously a lack of understanding on my part (I have read up on PKCE though), but that article seems to call for WebFlux.

The important parts are in Chapter 4, e.g. auth.authorizationRequestResolver(resolver) and the resolver created below it in the other code snippet.

Both Servlet's and WebFlux's http security should have the same methods available for authentication setup.

Right, I followed ch. 4 and get "no beans of type found" for ServerHttpSecurity and ReactiveClientRegistrationRepository.

There should be a Servlet alternative available, but I'm not at my computer to look at this in more detail. I'm kinda surprised that this hasn't hit more people already in the Spring ecosystem, as Discord just follows the OAuth 2.1 spec instead of 2.0 and enforces this optional param, and Spring Security isn't correctly resolving it automatically, though.

https://github.com/spring-projects/spring-security/blob/97a42ba190bcba00059f7cb389e6d5bc45dd1fc6/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolverTests.java#L409 is linked by the creator of Spring Security regarding "implementation/enabling of PKCE is simple".

And it's only mandatory because of the authorization_code grant type in use; not sure if it's required for your use cases.
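As an added example (not code posted in this thread), here is the Servlet-stack version of the two fixes the replies describe: the SecurityConfiguration from the first post extended with a DefaultOAuth2AuthorizationRequestResolver carrying the PKCE customizer (the non-WebFlux counterpart of the article's chapter 4), plus the AuthenticationFailureHandler that logs the OAuth2Error so the [invalid_request] message is visible without an event publisher. It assumes Spring Boot 3 / Spring Security 6 and the `discord` registration from the properties above.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {
    private static final Logger log = LoggerFactory.getLogger(SecurityConfiguration.class);
    private final ClientRegistrationRepository clientRegistrations;

    public SecurityConfiguration(ClientRegistrationRepository clientRegistrations) {
        this.clientRegistrations = clientRegistrations;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        // Servlet-stack resolver: withPkce() adds code_challenge to the authorize redirect and
        // sends the matching code_verifier with the token request, which is the parameter
        // Discord reported as missing in the exception above.
        DefaultOAuth2AuthorizationRequestResolver resolver = new DefaultOAuth2AuthorizationRequestResolver(
                clientRegistrations,
                OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
        resolver.setAuthorizationRequestCustomizer(OAuth2AuthorizationRequestCustomizers.withPkce());

        http.oauth2Login(oauth2 -> oauth2
                .loginPage("/login").permitAll()
                .authorizationEndpoint(endpoint -> endpoint.authorizationRequestResolver(resolver))
                .failureHandler(logFailure()));
    }

    // Failure handler from the replies: log the provider's error code and description, then return to /login.
    private AuthenticationFailureHandler logFailure() {
        return (request, response, ex) -> {
            if (ex instanceof OAuth2AuthenticationException oauthEx) {
                log.warn("OAuth2 login failed: [{}] {}", oauthEx.getError().getErrorCode(), oauthEx.getError().getDescription());
            }
            response.sendRedirect(request.getContextPath() + "/login?error");
        };
    }
}
```

With the resolver in place, the DEBUG line "Redirecting to https://discordapp.com/api/oauth2/authorize..." should now carry code_challenge and code_challenge_method=S256 in the query string, which is a quick way to confirm PKCE is active before retrying the login.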