Invalid CSRF Token with new spring-addons-starter-oidc 8.1.0 and Spring Boot 3.4.2, but still working with 7.8.12 and 3.3.6

[sisco70]

Hi,

I'm using spring-addons-starter-oidc along with Spring Cloud Gateway to implement the BFF pattern with a Spring Boot module.

This allows me to manage SSO for a legacy web application based on JSP and JavaScript.
So far, I've had no problems managing CSRF controls on the front-end via JavaScript, retrieving the XSRF token value and placing it as the X-XSRF-TOKEN request header.

My BFF uses Spring Boot 3.3.6 and spring-addons-starter-oidc version 7.8.12.

I'm trying to upgrade to the new version 8.1.0 to take advantage of the new back-channel logout functionality (also upgrading Spring Boot to 3.4.2 and spring-cloud-dependencies to 2024.0.0), but I'm getting the classic Invalid CSRF Token error.

Yet nothing has changed, and my POST calls continue to send the correct x-xsrf-token value in the request headers to the BFF application.

What is changed ?

I tried to figure out from ServletConfigurationSupport.java and in particular the SpaCsrfTokenRequestHandler method, but I could not find a solution..

Thank you very much for the help!

[ch4mpy]

Hi,

It seems that Spring Security's default configuration has evolved and does not work anymore for server-side rendered applications. As I don't personally write such apps, I didn't notice, but I could reproduce your issue with the logout on the resource-server_with_ui tutorial (logout currently fails because of a CORS error).

As one of the aims of spring-addons-starter-oidc is to protect against this kind of variation in the Spring Security framework (provide with "working" default auto-configuration) I open an issue.

If you can't wait for a fix, you may try using the "cookie" CSRF repo (set the com.c4-soft.springaddons.oidc.client.csrf=cookie-accessible-from-js). But this will require adding some Javascript in your templates to read the XSRF-TOKEN cookie and set the X-XSRF-TOKEN header as SPAs do.

You can also expose a ClientSynchronizedHttpSecurityPostProcessor bean to replace CSRF default configuration.

[sisco70]

Thank you,

I will try to write a custom version of the ClientSynchronizedHttpSecurityPostProcessor bean.

Just to point out, my BFF application is already using the csrf: 'cookie-accessible-from-js' option with version 3.3.6 of spring-boot-starter and 7.8.12 of spring-addons-starter-oidc and the javascript on the JSP pages of my legacy application already reads the XSRF-TOKEN cookie and sets the X-XSRF-TOKEN header.

With this configuration, I have no 'CSRF Invalid Token' problems.

The problem arises with spring-boot-starter 3.4.2 (and spring-addons-starter-oidc 8.1.0) , where I am using this configuration:

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
          - iss: ${issuer}
            username-claim: ${username-claim-json-path}
            authorities:
              - path: ${authorities-json-path}
        client:
          client-uri: ${client-uri}
          back-channel-logout:
            enabled: true
            internal-logout-uri: ${client-uri}/logout/connect/back-channel/dt1-bff-client
          security-matchers:
            - /**
          permit-all:
            - /login/**
            - /oauth2/**
            - /actuator/**
          csrf: cookie-accessible-from-js
          oauth2-redirections:
            rp-initiated-logout: ACCEPTED

[ch4mpy]

With a server-side rendered application (like your JSP, but it's the same with JSF, Thymeleaf, etc.), the session repo should be fine and you shouldn't need to expose the CSRF token to Javascript.

But knowing that you are using a mechanism that still works with SPAs is useful. Thank you.

[ch4mpy]

I could finally get a POST to /logout work but with:

• a Thymeleaf application
• the default CSRF handling (session-based CSRF token repo)

For that, I had to change from:

<form method="POST" action="/logout">
  <button type="submit">Logout</button>
</form

to:

<form method="POST" action="@{/logout}">
  <button type="submit">Logout</button>
</form

Apparently, the fact that the action is interpolated is now required for the default CSRF token handler to hook in the form submission handling. Can you think of something similar in the processing of JSPs?

Can you share a reproducer with JSPs, cookie CSRF token repo, and the Javascript to read the cookie and set the header?

[sisco70]

Excuse me,

But what is the difference between using csrf: session or : csrf: cookie-accessible-from-js ?
In my use case, I think I need to be able to access the cookie value in order to return it to the BFF.

POST calls made in my JSP pages hardly ever start from forms. But they are almost exclusively xhr calls with JQuery similar to this:

         function getCookie(name) {
        	var value = ”; ” + document.cookie;
        	var parts = value.split(“; ‘ + name + ’=”);
                if (parts.length == 2) return parts.pop().split(“;”).shift();
        }
   
        const xsrf = getCookie('XSRF-TOKEN');

	$.ajax({
		url : “/test/getMap”,
		headers : {
			“Content-Type” : “application/json”,
			“Accept” : ‘application/json’,
                        "X-XSRF-TOKEN" : xsrf
		},
		type : “POST”,
		async : false,
		success : function(data) {
			map = data.map;
			....
		},
		error : function(jqXHR, textStatus, errorThrown) {
			......
		}
	});

I don't have much time today, but as soon as I can, I will try to share you a working example on GitHub to test this problem

Thank you for support!

[ch4mpy]

With csrf: session, the CSRF token is stored in the session, making it accessible only to the server.

With csrf: cookie-accessible-from-js, the CSRF token is stored in a cookie (making it accessible to the browser) and flagged with HttpOnly=false (making it accessible to the Javascript code running in that browser).

As you are using JQuery to send XHR requests, you have to use the 2nd option. If you were using forms with POST and an action pointing to a JSP, the 1st option would work (and would make things easier as you would not have to read a cookie and set a header).

[ch4mpy]

I got the resource-server_with_ui tutorial work using a JQuery AJAX request to logout with two modifications:

• in the properties, add:

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        client:
          csrf: cookie-accessible-from-js
          oauth2-redirections:
            rp-initiated-logout: accepted

• replace the greet.html template with:

<!DOCTYPE HTML>
<html xmlns:th="http://www.thymeleaf.org">

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <meta name="description" content="">
    <meta name="author" content="">
    <title>Greetings!</title>
    <link href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-beta/css/bootstrap.min.css" rel="stylesheet"
        integrity="sha384-/Y6pD6FV/Vv2HJnA6t+vslU6fwYXjCFtcEpHbNJ0lyAFsXTsjBbfaDjzALeQsN6M" crossorigin="anonymous">
    <link href="https://getbootstrap.com/docs/4.0/examples/signin/signin.css" rel="stylesheet"
        crossorigin="anonymous" />
</head>

<body>
    <div class="container">
        <h1 class="form-signin-heading">Greetings from the REST API</h1>
        <div th:utext="${greeting}">..!..</div>
        <button type="submit" th:onclick="logout()">Logout with Javascript</button>
    </div>
    <script th:inline="javascript">
        function getCsrfToken() {
            var parts = document.cookie.split("XSRF-TOKEN=");
            if (parts.length == 2) {
                return parts.pop().split(";").shift();
            }
        }

        function logout() {
            $.ajax({
                url: "/logout",
                headers: {
                    "X-XSRF-TOKEN": getCsrfToken()
                },
                type: "POST",
                async: false,
                success: function (data, textStatus, response) {
                    const rpInitiatedLogoutLocation = response.getResponseHeader('location');
                    window.location = rpInitiatedLogoutLocation;
                },
                error: function (jqXHR, textStatus, errorThrown) {
                    console.log(textStatus, errorThrown)
                }
            });
        }
    </script>
    <script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
</body>

These tests have shown some issues with the invalid session strategy introduced in 8.1.0. This doesn't prevent the logout from working, but it's pretty uncomfortable when working with server-side rendered apps. Will release a fix.

[ch4mpy]

The invalid session strategy is fixed in 8.1.1, and the resource-server_with_ui tutorial is updated with a javascript profile to logout with an ajax request instead of plain navigation initiated by an HTML form action.

The default profile uses the session CSRF repo. The _csrf token is set in the DOM by Spring as a hidden input

The javascript profile uses a cookie repo with HttpOnly=false. The XSRF-TOKEN cookie is retrieved in the Javascript handler and set as X-XSRF-TOKEN header as done just above.

[sisco70]

Hello,

You were really quick! Thank you!
I was still trying to put together an environment with docker-compose to replicate a test environment.. :-)
At this point, as soon as it is available on maven repository I will try it right away.

[ch4mpy]

8.1.1 was available from maven-central 16 hours ago.

You can also git clone https://github.com/ch4mpy/spring-addons.git, edit the application properties to adapt issuer-uri, client-id, and client-secret in the resource-server_with_ui module and try the two mechanisms by switching the javascript profile on/off.

[sisco70]

No..

the problem is still there.
In my case, the “403 Invalid CSFR token” error occurs at the first POST call (xhr) not at logout.

I'm using the “javascript” profile, but if it only served to set csrf: cookie-accessible-from-js, I had already written it..

I am attaching my current configuration. Meanwhile, I will try to pinpoint the section in the code where the check that generates the error occurs.

client-uri: https://dt1.lan

bivdt-uri: http://dt1.wf26.lan:8080
bav-uri: http://dt1.wf26.lan:8080

issuer: https://auth.lan/realms/autostrade
client-id: dt1-bff-client
client-secret: 
username-claim-json-path: $.preferred_username
authorities-json-path: $.realm_access.roles

server:
  port: 7443
  ssl:
    bundle: "web-server"
  http2:
    enabled: true
  compression:
    enabled: true
  servlet:
    session:
      timeout: 10m  

spring:
  profiles:
    active: javascript
  threads:
    virtual:
      enabled: true
  web:
    resources:
      static-locations: 'classpath:/static/'
  ssl:
    bundle:
      pem:
        web-server:
          keystore:
            certificate: 'file:/opt/bff.crt'
            private-key: 'file:/opt/bff.key'

  cloud:
    gateway:
      default-filters:
        - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
      routes:
        - id: bivdt
          uri: ${bivdt-uri}
          predicates:
            - Path=/BIVDT/**
          filters:    
            - StripPrefix=1
        - id: bav
          uri: ${bav-uri}
          predicates:
            - Path=/BAV/**
          filters:
            - StripPrefix=1

  security:
    oauth2:
      client:
        provider:
          keycloak:
            issuer-uri: ${issuer}
            user-name-attribute: preferred_username
        registration:
          dt1-bff-client:
            provider: keycloak
            authorization-grant-type: authorization_code
            client-id: ${client-id}
            client-secret: ${client-secret}
            scope: 
              - openid
              - profile
              - roles 
              #- offline_access
com:
  c4-soft:
    springaddons:
      oidc:
        ops:
          - iss: ${issuer}
            username-claim: ${username-claim-json-path}
            authorities:
              - path: ${authorities-json-path}
        client:
          client-uri: ${client-uri}
          #login-uri: /BIVDT-login
          back-channel-logout:
            enabled: true
            internal-logout-uri: ${client-uri}/logout/connect/back-channel/dt1-bff-client
          security-matchers:
            - /**
          permit-all:
            - /login/**
            - /oauth2/**
            - /actuator/**
          csrf: cookie-accessible-from-js
          oauth2-redirections:
            rp-initiated-logout: accepted
          #post-logout-redirect-path: /BIVDT-login

logging:
  level:
    org:
      springframework: 
        security: DEBUG
        cloud: DEBUG

[ch4mpy]

I'm using the “javascript” profile, but if it only served to set csrf: cookie-accessible-from-js

No, it also changes:

• the status of the logout response
• the template used from greet.html to greet-js.html

I updated the resource-server_with_ui module to add a REST (XHR) request processed with the oauth2Login filter chain. See the modified template and new handler.

The CSRF protection with HttpOnly=false cookie working as expected, I close the issue.

[ch4mpy]

What are the details of your failing request (URI, headers, cookies) and what are the Security TRACE logs in the Spring apps?

[sisco70]

Ok,

My BFF's application.yaml is the one I attached above, and its code is limited to the bare minimum without customizations (SpringBootApplication). The javascript code is almost identical to the the one I attached above..

This is an example of a call that generates the error:

TRACE (logging.level.org.springframework: TRACE)

2025-01-30 09:44:25 2025-01-30T09:44:25.316+01:00 TRACE 1 --- [r-http-epoll-12] o.s.w.s.adapter.HttpWebHandlerAdapter    : [164893a4-11] HTTP POST "/BIVDT/BIV_apri_ws/getAuthMap", headers={masked}
2025-01-30 09:44:25 2025-01-30T09:44:25.317+01:00 DEBUG 1 --- [r-http-epoll-12] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/**', method=null}
2025-01-30 09:44:25 2025-01-30T09:44:25.317+01:00 DEBUG 1 --- [r-http-epoll-12] athPatternParserServerWebExchangeMatcher : Checking match of request : '/BIVDT/BIV_apri_ws/getAuthMap'; against '/**'
2025-01-30 09:44:25 2025-01-30T09:44:25.317+01:00 DEBUG 1 --- [r-http-epoll-12] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : matched
2025-01-30 09:44:25 2025-01-30T09:44:25.317+01:00 DEBUG 1 --- [r-http-epoll-12] athPatternParserServerWebExchangeMatcher : Request 'POST /BIVDT/BIV_apri_ws/getAuthMap' doesn't match 'POST /logout/connect/back-channel/{registrationId}'
2025-01-30 09:44:25 2025-01-30T09:44:25.328+01:00 TRACE 1 --- [r-http-epoll-12] o.s.w.s.adapter.HttpWebHandlerAdapter    : [164893a4-11] Completed 403 FORBIDDEN, headers={masked}
2025-01-30 09:44:25 2025-01-30T09:44:25.328+01:00 TRACE 1 --- [r-http-epoll-12] o.s.h.s.r.ReactorHttpHandlerAdapter      : [164893a4-1, L:/192.168.90.10:7443 ! R:/192.168.90.4:54124] Handling completed

Request URL:  https://dt1.lan/BIVDT/BIV_apri_ws/getAuthMap
Request Method:  POST
Status Code:   403 Forbidden
Remote Address:   127.10.10.2:443
Referrer Policy:   no-referrer

REQUEST

POST /BIVDT/BIV_apri_ws/getAuthMap HTTP/1.1
Accept: application/json
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 0
Content-Type: application/json
Cookie: XSRF-TOKEN=149530f4-0976-45f3-9a0e-012d3ae45c63; SESSION=05d3d2c8-f2f4-4e9c-b66f-1a40b0a893fe
Host: dt1.lan
Origin: https://dt1.lan
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
X-XSRF-TOKEN: 149530f4-0976-45f3-9a0e-012d3ae45c63
sec-ch-ua: "Not A(Brand";v="8", "Chromium";v="132", "Google Chrome";v="132"
sec-ch-ua-mobile: ?0

RESPONSE

HTTP/1.1 403 Forbidden
Server: nginx/1.26.2
Date: Thu, 30 Jan 2025 07:39:44 GMT
Content-Type: text/plain
Content-Length: 18
Connection: keep-alive
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
X-XSS-Protection: 0
Referrer-Policy: no-referrer

COOKIES

Name            Value                                Domain        Path           Expires       Size   HttpOnly  Secure  Samesite  Partition Key site Cross Site   Priority
XSRF-TOKEN | 149530f4-0976-45f3-9a0e-012d3ae45c63 |    dt1.lan   |      /    |   Session    |    46   |       |   ✓    |         |               |             | Medium    
SESSION    | 8b8044f8-c4a8-449e-8271-4cfdacead8ed |    dt1.lan   |      /    |    Session   |    43   |     ✓ |    ✓   |   Lax   |               |             | Medium   

192.168.90.x internal subnet docker compose (expose NGINX with port 843)
dt1.lan is 127.10.10.2:443 (mapped with netsh to localhost:843)

[ch4mpy]

I'm not sure about your architecture. Where are the JSPs hosted? On a dedicated server or on the Gateway itself?

Also, could you try the servlet version of the Gateway (spring-cloud-starter-gateway-mvc instead of spring-cloud-starter-gateway)? For that, you'll have to introduce a mvc layer in properties:

  cloud:
    gateway:
      default-filters:
        - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
      mvc:
        routes:
        - id: bivdt
          uri: ${bivdt-uri}
          predicates:
            - Path=/BIVDT/**
          filters:    
            - StripPrefix=1
        - id: bav
          uri: ${bav-uri}
          predicates:
            - Path=/BAV/**
          filters:
            - StripPrefix=1

[sisco70]

The JSPs are inside multiple wars deployed in a Wildfly 26
I immediately try the servlet version (which I had never used until now)

[sisco70]

it works! thank you

But this version is not reactive.. what are the differences ?

[sisco70]

I'm trying to figure out what's going on. I am using remote debugging.. Maybe it can help you.

Inside CsrfWebFilter class the method containsValidCsrfToken returns false.

private Mono<Boolean> containsValidCsrfToken(ServerWebExchange exchange, CsrfToken expected) {
		return this.requestHandler.resolveCsrfTokenValue(exchange, expected)
			.map((actual) -> equalsConstantTime(actual, expected.getToken()));
	}

because inside interface ServerCsrfTokenRequestHandler the method resolveCsrfTokenValue seem to return nothing (empty Mono.)

  default Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
		Assert.notNull(exchange, "exchange cannot be null");
		Assert.notNull(csrfToken, "csrfToken cannot be null");
		return exchange.getFormData()
			.flatMap((data) -> Mono.justOrEmpty(data.getFirst(csrfToken.getParameterName())))
			.switchIfEmpty(Mono.justOrEmpty(exchange.getRequest().getHeaders().getFirst(csrfToken.getHeaderName())));
	}

[ch4mpy]

In the meantime, I was trying with a Reactive Gateway hosting a Thymeleaf template with some XHR and could reproduce your error.

The spring-addons auto-configuration for CSRF protection with HttpOnly=false has been broken in reactive applications since version 8.1.0. The problem is that I blindly trusted the Spring Security docs for that and removed the custom ServerCsrfTokenRequestAttributeHandler. As I used only servlet Gateways, I didn't notice that the doc is wrong for reactive apps :/

I just published 8.1.2 with a fix. I also added two BFF samples which contain Thymeleaf templates with XHR requests:

• oauth2-bff-reactive. This one will help at detecting regressions for WebFlux apps.
• oauth2-bff-servlet

The webmvc-jwt-default sample can be used as a "downstream resource server".

But this version is not reactive.. what are the differences ?

Because of their non-blocking model, WebFlux applications were supposed to save resources in massively multi-threaded applications. This is why Spring Cloud initially designed its Gateway around it. However, with Java 21 and virtual threads, this benefit vanished. As synchronized applications (like servlets) are much easier to debug, I now only use spring-cloud-starter-gateway-mvc.

because inside interface ServerCsrfTokenRequestHandler the method resolveCsrfTokenValue seem to return nothing (empty Mono.)

The component I restored and auto-configure with HttpOnly=true cookie CSRF protection is a custom ServerCsrfTokenRequestAttributeHandler which searches for the CSRF token in headers (not in form data) and includes XOR protection.

If debugging with 8.1.2, you should see that the requestHandler instance has changed and that it now returns the CSRF token value.

If keeping 8.1.1, you can fix the HttpOnly=true cookie CSRF configuration of a reactive filter-chain with oauth2Login with the following ClientReactiveHttpSecurityPostProcessor:

@Configuration
public class SecurityConfig {

  @Bean
  ClientReactiveHttpSecurityPostProcessor clientReactiveHttpSecurityPostProcessor() {
    return (ServerHttpSecurity serverHttpSecurity) -> {
      return serverHttpSecurity.csrf(csrf -> {
        csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
              .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler());
      });
    };
  }

  static final class SpaCsrfTokenRequestHandler extends ServerCsrfTokenRequestAttributeHandler {
    private final ServerCsrfTokenRequestAttributeHandler delegate =
        new XorServerCsrfTokenRequestAttributeHandler();

    @Override
    public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
      this.delegate.handle(exchange, csrfToken);
    }

    @Override
    public Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
      return Mono
          .justOrEmpty(exchange.getRequest().getHeaders().getFirst(csrfToken.getHeaderName()))
          .switchIfEmpty(this.delegate.resolveCsrfTokenValue(exchange, csrfToken));
    }
  }
}

Be really careful with the CsrfToken class you import: it must be org.springframework.security.web.server.csrf.CsrfToken (not org.springframework.security.web.csrf.CsrfToken)

[ch4mpy]

Closing as this actually is a bug report that has no value being listed in Q&A (not a problem that another user could face later on)

[ch4mpy]

Closing as this actually is a bug report that has no value being listed in Q&A (not a problem that another user could face later on)