nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Child Item

Oauth callback into several service instances

living-jordi

We're using 3 service instances under a load balencer.

In order to create an oauth session, we're using two endpoints:

The first one is named `/start`. We are using this code:

DbxAppInfo appInfo = new DbxAppInfo("---", "---");
DbxRequestConfig config = new DbxRequestConfig("---");
DbxWebAuth webAuth = new DbxWebAuth(config, appInfo);

HttpSession session = request.getSession(true);
String sessionKey = "dropbox-auth-csrf-token";
DbxSessionStore csrfTokenStore = new DbxStandardSessionStore(session, sessionKey);

String redirectUri = "http://localhost:8080/dropbox/cmng/dropbox/finish";
DbxWebAuth.Request authRequest = DbxWebAuth.newRequestBuilder()
        .withRedirectUri(redirectUri, csrfTokenStore).build();

String authorizeUrl = webAuth.authorize(authRequest);
//redirect to just created 'authorizeUrl'

Shortly, we're creating a new url with our redirectURI.

The last one is named `/finish`. We are using this code:

DbxAppInfo appInfo = new DbxAppInfo("---", "---");
DbxRequestConfig config = new DbxRequestConfig("---");
DbxWebAuth webAuth = new DbxWebAuth(config, appInfo);

HttpSession session = request.getSession(true);
String sessionKey = "dropbox-auth-csrf-token";
DbxSessionStore csrfTokenStore = new DbxStandardSessionStore(session, sessionKey);

String redirectUri = "http://localhost:8080/dropbox/cmng/dropbox/finish";
DbxAuthFinish authFinish;

authFinish = webAuth.finishFromRedirect(redirectUri, csrfTokenStore, request.getParameterMap());

String accessToken = authFinish.getAccessToken();

We don't know how this code will behave when a first request to `/start` is handled by one server instance and the callback to `/finish` is handle by another server instance.

How would it behave?

Find more posts tagged with

API

Abuse

Comments

Greg-DB

The code looks fine at a glance. Are you running in to any issues with this? As long as all instances have access to the same session data, I would expect this to work.

Specifically, as a security measure, what's happening is that the web auth flow needs to check that the "state" value passed back with the redirect URI (in the finish step) matches the original "state" value that was created for this app authorization flow originally and stored in the user's session (in the start step).

The SDK is open source so you can see what finishFromRedirect is doing, for example, if you want.

living-jordi

There's no issue by now. It's just a thought we've figured out coding this code.

You've written down:

As long as all instances have access to the same session data, I would expect this to work.

As far I've been able to figure out, http sessions are per-instances linked. So, an instance is only allowd to have their owned sessions, isn't it?

Greg-DB

I'm not familiar enough with Java's HttpSession, and this may also depend on your particular setup, so I'm afraid I can't offer much insight on that side of things.