1
votes

I'm trying to set up an OAuth2 Authorization Code flow with Bitbucket OAuth in Micronaut. I've set up both GitHub and Bitbucket in my Micronaut config for auth.

Whenever I (try to) log in with Bitbucket, I get a redirect_uri does not match error.

{"message":"Internal Server Error: error: invalid_request, errorDescription: redirect_uri does not match, errorUri: null"}

After doing some research and enabling some trace logging I see that redirect_uri is missing in the access token request.

09:33:53.263 [nioEventLoopGroup-1-5] DEBUG i.m.http.client.DefaultHttpClient - Sending HTTP Request: POST /site/oauth2/access_token
09:33:53.263 [nioEventLoopGroup-1-5] DEBUG i.m.http.client.DefaultHttpClient - Chosen Server: bitbucket.org(-1)
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - Accept: application/json
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - Authorization: Basic xxxxxxx
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - content-type: application/x-www-form-urlencoded
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - host: bitbucket.org
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - connection: close
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - content-length: 53
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - Request Body
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - ----
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - code=PuaUDFGTmQ4Gh9gJPM&grant_type=authorization_code
09:33:53.264 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - ----
09:33:53.762 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - HTTP Client Response Received for Request: POST https://bitbucket.org/site/oauth2/access_token
09:33:53.762 [nioEventLoopGroup-1-5] TRACE i.m.http.client.DefaultHttpClient - Status Code: 400 Bad Request

Whenever I recreate the call with something like curl and add the (default) redirect_uri, I get back a proper access token and am able to use this.

Is there any way to add the redirect_uri to the token request? Is this a bug? As far as I know, the redirect_uri is required in the token request if it was also present in the previous authorization request (see https://tools.ietf.org/html/rfc6749#section-4.1.3).

Thanks,

Danny

1
This seems like a bug, please file an issue - James Kleeh

1 Answer

0
votes

I had this issue when setting up OAuth2 on Bitbucket using Tornado. I hope it helps you track down this issue specifically in Micronaut.

As you know, there are two stages to the authentication.

  1. Authorize (https://bitbucket.org/site/oauth2/authorize) which returns a token and
  2. Authorization code grant (https://bitbucket.org/site/oauth2/access_token)

They both take a redirect_uri in the POST body but they have to be identical for both calls. As long as they start with the same URI that is specified in the OAuth consumer settings in Bitbucket (e.g. https://f.q.d.n/), they can point to a more specific path (e.g. https://f.q.d.n/some/specific/end-point).

Importantly, they must be the same for both calls or you will get the redirect_uri does not match error.
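An added example, not part of the question or the answer and not Micronaut, Tornado or Bitbucket code: it builds both requests so the token request reuses the redirect_uri from the authorization request verbatim, and it applies the RFC 6749 section 4.1.3 comparison to the request body from the trace log above. CLIENT_ID and the state value are constructed, REDIRECT_URI is the placeholder host from the answer, and the parameters are assumed to travel in the query string of the authorization URL as RFC 6749 describes.

```python
from urllib.parse import urlencode, parse_qs, urlsplit

AUTHORIZE_URL = "https://bitbucket.org/site/oauth2/authorize"  # from the page
REDIRECT_URI = "https://f.q.d.n/some/specific/end-point"       # placeholder from the answer
CLIENT_ID = "example-client-id"                                # constructed value
# Request body copied from the trace log in the question.
LOGGED_BODY = "code=PuaUDFGTmQ4Gh9gJPM&grant_type=authorization_code"


def authorization_url(state):
    """Step 1: URL the browser is sent to, carrying redirect_uri."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def token_request_body(code, auth_url):
    """Step 2: form body that copies redirect_uri from step 1 unchanged."""
    sent = parse_qs(urlsplit(auth_url).query)
    body = {"grant_type": "authorization_code", "code": code}
    if "redirect_uri" in sent:  # required here because it was sent in step 1
        body["redirect_uri"] = sent["redirect_uri"][0]
    return urlencode(body)


def check_token_request(body, auth_url):
    """Return None when the body is consistent with step 1, else the reason."""
    sent = parse_qs(urlsplit(auth_url).query).get("redirect_uri")
    got = parse_qs(body).get("redirect_uri")
    if sent is None:
        return None  # nothing was bound to the code in step 1
    if got is None:
        return "redirect_uri missing from token request"
    if got[0] != sent[0]:  # exact string comparison, no prefix matching
        return "redirect_uri does not match"
    return None


if __name__ == "__main__":
    url = authorization_url("constructed-state")
    print(check_token_request(LOGGED_BODY, url))
    print(check_token_request(token_request_body("constructed-code", url), url))
```

The comparison is exact on purpose: binding the code to the redirect_uri it was issued for is what stops a code obtained through one redirect target from being redeemed through another.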