Forum Discussion

living-jordi
Explorer | Level 4
8 years ago

Oauth callback into several service instances

We're using 3 service instances under a load balancer.

 

In order to create an oauth session, we're using two endpoints:

 

The first one is named `/start`. We are using this code:

 

import com.dropbox.core.DbxAppInfo;
import com.dropbox.core.DbxRequestConfig;
import com.dropbox.core.DbxSessionStore;
import com.dropbox.core.DbxStandardSessionStore;
import com.dropbox.core.DbxWebAuth;
import javax.servlet.http.HttpSession;

// `request` is the HttpServletRequest for the /start call
DbxAppInfo appInfo = new DbxAppInfo("---", "---");      // app key, app secret
DbxRequestConfig config = new DbxRequestConfig("---");  // client identifier
DbxWebAuth webAuth = new DbxWebAuth(config, appInfo);

// The CSRF token is kept in this instance's HttpSession under sessionKey
HttpSession session = request.getSession(true);
String sessionKey = "dropbox-auth-csrf-token";
DbxSessionStore csrfTokenStore = new DbxStandardSessionStore(session, sessionKey);

String redirectUri = "http://localhost:8080/dropbox/cmng/dropbox/finish";
DbxWebAuth.Request authRequest = DbxWebAuth.newRequestBuilder()
        .withRedirectUri(redirectUri, csrfTokenStore).build();

// authorize() stores the CSRF token through csrfTokenStore and puts it in the URL's state parameter
String authorizeUrl = webAuth.authorize(authRequest);
// redirect the browser to the just-created 'authorizeUrl'

 

In short, we're creating a new URL with our redirectURI.

 

The last one is named `/finish`. We are using this code:

 

import com.dropbox.core.DbxAppInfo;
import com.dropbox.core.DbxAuthFinish;
import com.dropbox.core.DbxRequestConfig;
import com.dropbox.core.DbxSessionStore;
import com.dropbox.core.DbxStandardSessionStore;
import com.dropbox.core.DbxWebAuth;
import javax.servlet.http.HttpSession;

// `request` is the HttpServletRequest for the /finish callback from Dropbox
DbxAppInfo appInfo = new DbxAppInfo("---", "---");      // app key, app secret
DbxRequestConfig config = new DbxRequestConfig("---");  // client identifier
DbxWebAuth webAuth = new DbxWebAuth(config, appInfo);

// Must resolve to the same session data that /start wrote the CSRF token into
HttpSession session = request.getSession(true);
String sessionKey = "dropbox-auth-csrf-token";
DbxSessionStore csrfTokenStore = new DbxStandardSessionStore(session, sessionKey);

String redirectUri = "http://localhost:8080/dropbox/cmng/dropbox/finish";
DbxAuthFinish authFinish;

// finishFromRedirect() compares the "state" query parameter with csrfTokenStore.get()
// before exchanging the authorization code for a token
authFinish = webAuth.finishFromRedirect(redirectUri, csrfTokenStore, request.getParameterMap());

String accessToken = authFinish.getAccessToken();

 

We don't know how this code will behave when the first request to `/start` is handled by one server instance and the callback to `/finish` is handled by another server instance.

 

How would it behave?

  • Greg-DB
    Dropbox Staff

    The code looks fine at a glance. Are you running into any issues with this? As long as all instances have access to the same session data, I would expect this to work.

     

    Specifically, as a security measure, what's happening is that the web auth flow needs to check that the "state" value passed back with the redirect URI (in the finish step) matches the original "state" value that was created for this app authorization flow originally and stored in the user's session (in the start step).

     

    The SDK is open source so you can see what finishFromRedirect is doing, for example, if you want.

    • living-jordi
      Explorer | Level 4

      There's no issue so far. It's just a thought we've had while writing this code.

       

      You've written down:

      "As long as all instances have access to the same session data, I would expect this to work."

      As far as I've been able to figure out, HTTP sessions are linked per instance. So an instance is only allowed to have its own sessions, isn't it?

      • Greg-DB
        Dropbox Staff
        I'm not familiar enough with Java's HttpSession, and this may also depend on your particular setup, so I'm afraid I can't offer much insight on that side of things.
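The state check described in the staff reply above, and the per-instance HttpSession concern raised after it, can be reconciled by giving the SDK a DbxSessionStore that is not backed by the local HttpSession at all. The class below is an added example, not code from this thread or from the Dropbox SDK. It assumes dropbox-core-sdk and the Servlet API are on the classpath; SHARED_KV is an in-JVM stand-in for a real shared store (Redis, Memcached, a database), and the browser is identified by a cookie named dbx-auth-sid that this code issues itself, so it does not depend on the container's session handling. The names SharedCsrfTokenStore, start, finish, COOKIE_NAME and SHARED_KV are this example's own.

```java
import com.dropbox.core.DbxAuthFinish;
import com.dropbox.core.DbxSessionStore;
import com.dropbox.core.DbxWebAuth;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

/**
 * Added example, not code from the forum thread or from the Dropbox SDK.
 *
 * DbxWebAuth.authorize() calls store.set(token) and places the same token in the
 * "state" query parameter; finishFromRedirect() calls store.get() and compares it
 * with the "state" Dropbox echoes back. With DbxStandardSessionStore on a
 * per-instance HttpSession, a /finish that lands on another instance finds no
 * token and the SDK rejects the callback. This store keeps the token where every
 * instance can read it.
 */
public class SharedCsrfTokenStore implements DbxSessionStore {

    /** Stand-in (assumption) for a network-shared key/value store such as Redis.
     *  A JVM map is only shared within one process; replace it in production. */
    static final ConcurrentMap<String, String> SHARED_KV = new ConcurrentHashMap<>();

    static final String COOKIE_NAME = "dbx-auth-sid";   // cookie issued by /start (this example's own)
    private static final SecureRandom RNG = new SecureRandom();

    private final String key;

    public SharedCsrfTokenStore(String browserId) {
        this.key = "dropbox-auth-csrf-token:" + browserId;
    }

    @Override public String get() { return SHARED_KV.get(key); }
    @Override public void set(String value) { SHARED_KV.put(key, value); }
    @Override public void clear() { SHARED_KV.remove(key); }

    /** /start: mint a random browser id, let the SDK store its token under it, redirect to Dropbox. */
    public static void start(HttpServletRequest req, HttpServletResponse resp,
                             DbxWebAuth webAuth, String redirectUri) throws IOException {
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);                      // unguessable: an attacker cannot target another browser's slot
        String browserId = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);

        Cookie cookie = new Cookie(COOKIE_NAME, browserId);
        cookie.setHttpOnly(true);
        cookie.setSecure(true);                  // requires an https redirect URI, which production should use anyway
        cookie.setPath("/");
        cookie.setMaxAge(10 * 60);               // the flow should finish well within this window
        resp.addCookie(cookie);

        DbxSessionStore store = new SharedCsrfTokenStore(browserId);
        DbxWebAuth.Request authRequest = DbxWebAuth.newRequestBuilder()
                .withRedirectUri(redirectUri, store).build();
        resp.sendRedirect(webAuth.authorize(authRequest));   // authorize() has called store.set()
    }

    /** /finish: any instance can serve it, because the token is read from the shared store. */
    public static String finish(HttpServletRequest req, DbxWebAuth webAuth,
                                String redirectUri) throws Exception {
        String browserId = null;
        Cookie[] cookies = req.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (COOKIE_NAME.equals(c.getName())) browserId = c.getValue();
            }
        }
        if (browserId == null) {
            throw new IllegalStateException("callback arrived without the " + COOKIE_NAME + " cookie");
        }
        DbxSessionStore store = new SharedCsrfTokenStore(browserId);
        // Throws DbxWebAuth.BadStateException when store.get() is null (the symptom of
        // unshared session data) and DbxWebAuth.CsrfException when it differs from "state".
        DbxAuthFinish authFinish = webAuth.finishFromRedirect(redirectUri, store, req.getParameterMap());
        return authFinish.getAccessToken();
    }

    /** Two store objects, created as two instances would create them, see the same token. */
    public static void main(String[] args) {
        DbxSessionStore onInstanceA = new SharedCsrfTokenStore("browser-1");
        DbxSessionStore onInstanceB = new SharedCsrfTokenStore("browser-1");
        onInstanceA.set("token-written-by-authorize-on-A");
        System.out.println("instance B reads: " + onInstanceB.get());
        onInstanceB.clear();
        System.out.println("instance A after B's finish: " + onInstanceA.get());
    }
}
```

The alternatives that need no application code are sticky sessions at the load balancer (every request from one browser goes to the instance that created its session) or container-level session replication, so that DbxStandardSessionStore on the HttpSession already sees the same data on every instance. Whichever route is taken, the SDK's check stays the same: the token it stored at /start must be readable, unchanged, by whichever instance serves /finish.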