Redirect_Uri use http instead of https with Spring social Facebook Login on Heroku
keyuls opened this issue
Summary
When I click on the following link from the Spring MVC web application:
https://www.website.com/auth/facebook
it redirects to this link:
https://www.facebook.com/v2.5/dialog/oauth?client_id=1234567890&response_type=code&redirect_uri=http%3A%2F%2Fwww.website.com%2Fauth%2Ffacebook&scope=email&state=62b42bqd-f8y8-44a3-dbcs-a13ce12bfcce
Here, redirect_uri uses http instead of https. How can I force https in redirect_uri?
Actual Behavior
redirect_uri uses http instead of https
Expected Behavior
redirect_uri should use https instead of http
Configuration
Spring MVC
Spring Security
Spring Social
Hibernate
Jetty
Version
spring social - 1.1.6.RELEASE
spring social facebook - 2.0.3.RELEASE
I think fix #193 should be backported to the 1.1.x branch.
I think there is a bug in the creation of the redirect_uri. It will always redirect to http if you are not behind a reverse proxy. In my opinion it would be correct to take the scheme and port from the HttpServletRequest if they are not provided in the X-Forwarded-* headers.

```java
// Prefer the proxy-supplied values, fall back to what the servlet request itself reports
String scheme = StringUtils.isEmpty(schemeHeader) ? request.getScheme() : schemeHeader;
String port = StringUtils.isEmpty(portHeader) ? Integer.toString(request.getServerPort()) : portHeader;
```

This will prevent always using http in the redirect URI.
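The resolution logic proposed in the comment above, written out as an added, self-contained example; this is not Spring Social's own code. It assumes the conventional X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Port header names, uses a small stand-in Request class instead of javax.servlet.http.HttpServletRequest so it compiles without a servlet API on the classpath, and builds the three requests in main by hand (no captured traffic). Forwarded headers win, the request's own scheme and port are the fallback, and the scheme is restricted to http or https so a forged header cannot inject something else into redirect_uri.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

// Added example, not Spring Social code. Resolves the scheme, host and port that
// belong in redirect_uri: X-Forwarded-* headers set by a reverse proxy win, and
// the servlet request's own values are the fallback, so a direct https listener
// no longer produces an http redirect_uri.
public class RedirectBaseResolver {

    // Minimal stand-in for the few HttpServletRequest accessors needed here
    // (assumption: avoids a servlet-api dependency so the example runs alone).
    public static final class Request {
        private final String scheme;
        private final String serverName;
        private final int serverPort;
        private final Map<String, String> headers = new HashMap<>();

        public Request(String scheme, String serverName, int serverPort) {
            this.scheme = scheme;
            this.serverName = serverName;
            this.serverPort = serverPort;
        }

        public Request header(String name, String value) {
            headers.put(name.toLowerCase(Locale.ROOT), value);
            return this;
        }

        public String getScheme() { return scheme; }
        public String getServerName() { return serverName; }
        public int getServerPort() { return serverPort; }
        public String getHeader(String name) { return headers.get(name.toLowerCase(Locale.ROOT)); }
    }

    private static boolean isEmpty(String s) {
        return s == null || s.trim().isEmpty();
    }

    // Chained proxies append to the list; the first entry is the client-facing hop.
    private static String first(String headerValue) {
        return headerValue.split(",")[0].trim();
    }

    public static String resolveBaseUrl(Request request) {
        String fwdProto = request.getHeader("X-Forwarded-Proto");
        String fwdHost = request.getHeader("X-Forwarded-Host");
        String fwdPort = request.getHeader("X-Forwarded-Port");

        String scheme = isEmpty(fwdProto) ? request.getScheme() : first(fwdProto);
        String host = isEmpty(fwdHost) ? request.getServerName() : first(fwdHost);
        String port = isEmpty(fwdPort) ? Integer.toString(request.getServerPort()) : first(fwdPort);

        // X-Forwarded-Host may carry "host:port"; an explicit port there takes precedence.
        int colon = host.indexOf(':');
        if (colon >= 0) {
            port = host.substring(colon + 1);
            host = host.substring(0, colon);
        }

        // Only http/https may reach the OAuth dialog; anything else in a forwarded
        // header is either a misconfigured proxy or a client forging the header.
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("unsupported scheme in request: " + scheme);
        }
        if (!port.matches("\\d{1,5}")) {
            throw new IllegalArgumentException("invalid port in request: " + port);
        }

        // Drop the default port so the value matches what is registered at the provider.
        boolean defaultPort = (scheme.equals("https") && port.equals("443"))
                || (scheme.equals("http") && port.equals("80"));
        return scheme + "://" + host + (defaultPort ? "" : ":" + port);
    }

    public static String redirectUri(Request request, String callbackPath) {
        return resolveBaseUrl(request) + callbackPath;
    }

    public static void main(String[] args) {
        // Constructed requests, not captured traffic.
        // 1. Heroku-style: the router terminates TLS and forwards plain http to the dyno.
        Request behindProxy = new Request("http", "www.website.com", 12345)
                .header("X-Forwarded-Proto", "https")
                .header("X-Forwarded-Port", "443");
        // 2. Jetty serving https itself on 8443, no proxy and no forwarded headers.
        Request directTls = new Request("https", "www.website.com", 8443);
        // 3. Plain http on port 80, no proxy.
        Request directPlain = new Request("http", "www.website.com", 80);

        System.out.println(redirectUri(behindProxy, "/auth/facebook"));
        System.out.println(redirectUri(directTls, "/auth/facebook"));
        System.out.println(redirectUri(directPlain, "/auth/facebook"));
    }
}
```

Two caveats when applying this. First, X-Forwarded-* headers are only trustworthy when every path to the application goes through a proxy you control that sets or strips them; if Jetty is reachable directly, a client can supply its own X-Forwarded-Proto. Jetty can also do this translation at the container level with its ForwardedRequestCustomizer, after which request.getScheme() already reflects the proxy and application code does not need to read the headers itself. Second, Spring Social's ProviderSignInController and ConnectController accept an explicit base URL through setApplicationUrl, which sidesteps request-derived scheme detection entirely and is the simplest fix when the public URL is fixed, as it is on Heroku.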