spring-attic / spring-social

Allows you to connect your applications with SaaS providers such as Facebook and Twitter.

Home Page: http://projects.spring.io/spring-social


Redirect_Uri use http instead of https with Spring social Facebook Login on Heroku

keyuls opened this issue · comments

Summary

When I click on the following link from the Spring MVC web application:
https://www.website.com/auth/facebook
it redirects to this link:
https://www.facebook.com/v2.5/dialog/oauth?client_id=1234567890&response_type=code&redirect_uri=http%3A%2F%2Fwww.website.com%2Fauth%2Ffacebook&scope=email&state=62b42bqd-f8y8-44a3-dbcs-a13ce12bfcce

In this, redirect_uri uses http instead of https. How can I force https for redirect_uri?

Actual Behavior

redirect_uri uses http instead of https

Expected Behavior

redirect_uri should use https instead of http

Configuration

Spring MVC
Spring Security
Spring Social
Hibernate
Jetty

Version

spring social - 1.1.6.RELEASE
spring social facebook - 2.0.3.RELEASE

I think this fix #193 should be backported in the 1.1.x branch.

I think there is a bug in the creation of the redirect_uri. It will always redirect to http if you are not behind a reverse proxy. In my opinion it would be correct to take the scheme and port from HttpServletRequest if they are not provided in the x-forward* headers.

String scheme = StringUtils.isEmpty(schemeHeader) ? request.getScheme() : schemeHeader;
String port = StringUtils.isEmpty(portHeader) ? Integer.toString(request.getServerPort()) : portHeader;

This will prevent http from always being used in the redirect URI.
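The fallback proposed in the comment above, carried through to a complete callback URL. This is an added example, not code from the issue or from Spring Social. The class and method names are hypothetical, and it assumes the `X-Forwarded-Proto` and `X-Forwarded-Port` values passed in were set by a proxy you control, not taken from an arbitrary client.

```java
// Added example: hypothetical names, not Spring Social's API.
public class CallbackUrlExample {

    // Use the forwarded header when the proxy supplied one, else the request's own value.
    static String firstNonEmpty(String header, String fallback) {
        return (header == null || header.trim().isEmpty()) ? fallback : header.trim();
    }

    // protoHeader / portHeader: X-Forwarded-Proto / X-Forwarded-Port as received (may be null).
    // reqScheme / reqPort: what request.getScheme() / request.getServerPort() would return.
    static String callbackUrl(String protoHeader, String portHeader,
                              String reqScheme, int reqPort, String host, String path) {
        String scheme = firstNonEmpty(protoHeader, reqScheme).toLowerCase();
        // Reject anything other than the two schemes a callback URL can legitimately use.
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new IllegalArgumentException("unexpected scheme: " + scheme);
        }
        // A non-numeric header value fails here with NumberFormatException.
        int port = Integer.parseInt(firstNonEmpty(portHeader, Integer.toString(reqPort)));
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("port out of range: " + port);
        }
        // Omit the port when it is the default for the scheme, so the URL matches
        // the redirect URI registered with the OAuth provider character for character.
        boolean defaultPort = (scheme.equals("http") && port == 80)
                || (scheme.equals("https") && port == 443);
        return scheme + "://" + host + (defaultPort ? "" : ":" + port) + path;
    }

    public static void main(String[] args) {
        String host = "www.website.com";   // host and path taken from the issue's URL
        String path = "/auth/facebook";
        // Constructed case 1: TLS ends at a proxy, the container sees plain http on 8080.
        System.out.println(callbackUrl("https", "443", "http", 8080, host, path));
        // Constructed case 2: no forwarded headers, the container terminates TLS itself.
        System.out.println(callbackUrl(null, null, "https", 443, host, path));
        // Constructed case 3: empty headers, plain http on a non-default port.
        System.out.println(callbackUrl("", "", "http", 8080, host, path));
    }
}
```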