From a11e61432e83a9f03c66a02889f17687d73a01f7 Mon Sep 17 00:00:00 2001 From: Ivo Smid Date: Thu, 29 Aug 2019 12:00:04 +0200 Subject: [PATCH] Document OAuth2 Client behind proxy and redirect_uri Fixes gh-7312 --- .../asciidoc/_includes/reactive/oauth2/login.adoc | 3 +++ .../_includes/servlet/appendix/proxy-server.adoc | 3 +++ .../_includes/servlet/oauth2/oauth2-client.adoc | 1 + .../_includes/servlet/oauth2/oauth2-login.adoc | 3 +++ samples/boot/oauth2login-webflux/README.adoc | 12 ++++++++++++ samples/boot/oauth2login/README.adoc | 12 ++++++++++++ 6 files changed, 34 insertions(+) diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc index dd1f6d4bf5..c0727d8b92 100644 --- a/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/reactive/oauth2/login.adoc @@ -42,6 +42,9 @@ TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registra The *_registrationId_* is a unique identifier for the <>. For our example, the `registrationId` is `google`. +IMPORTANT: If the OAuth Client is running behind a proxy server, it is recommended to check <> to ensure the application is correctly configured. +Also, see the supported <> for `redirect-uri`. + [[webflux-oauth2-login-sample-config]] === Configure `application.yml` diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/proxy-server.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/proxy-server.adoc index a3f107e570..f95eb1fe17 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/proxy-server.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/proxy-server.adoc 
@@ -9,3 +9,6 @@ To fix this you can use https://tools.ietf.org/html/rfc7239[RFC 7239] to specify To make the application aware of this, you need to either configure your application server aware of the X-Forwarded headers. For example Tomcat uses the https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/valves/RemoteIpValve.html[RemoteIpValve] and Jetty uses https://download.eclipse.org/jetty/stable-9/apidocs/org/eclipse/jetty/server/ForwardedRequestCustomizer.html[ForwardedRequestCustomizer]. Alternatively, Spring 4.3+ users can leverage https://github.com/spring-projects/spring-framework/blob/v4.3.3.RELEASE/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java[ForwardedHeaderFilter]. + +Spring Boot users may use the `server.use-forward-headers` property to configure the application. +See the https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto-use-tomcat-behind-a-proxy-server[Spring Boot documentation] for further details. diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc index 7b81ca4f73..752bbac792 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc @@ -430,6 +430,7 @@ If the client is running in an untrusted environment (eg. native application or . `client-secret` is omitted (or empty) . `client-authentication-method` is set to "none" (`ClientAuthenticationMethod.NONE`) +[[oauth2Client-auth-code-redirect-uri]] The `DefaultOAuth2AuthorizationRequestResolver` also supports `URI` template variables for the `redirect-uri` using `UriComponentsBuilder`. The following configuration uses all the supported `URI` template variables: 
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc index 6a0e39c950..189e65200c 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc @@ -42,6 +42,9 @@ In the "Set a redirect URI" sub-section, ensure that the *Authorized redirect UR TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. The *_registrationId_* is a unique identifier for the <>. +IMPORTANT: If the OAuth Client is running behind a proxy server, it is recommended to check <> to ensure the application is correctly configured. +Also, see the supported <> for `redirect-uri`. + [[oauth2login-sample-application-config]] ==== Configure application.yml diff --git a/samples/boot/oauth2login-webflux/README.adoc b/samples/boot/oauth2login-webflux/README.adoc index 3d5080afc4..a96fec395b 100644 --- a/samples/boot/oauth2login-webflux/README.adoc +++ b/samples/boot/oauth2login-webflux/README.adoc @@ -46,6 +46,9 @@ In the "Set a redirect URI" sub-section, ensure that the *Authorized redirect UR TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. The *_registrationId_* is a unique identifier for the `ClientRegistration`. +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + [[google-application-config]] === Configure application.yml 
@@ -110,6 +113,9 @@ and have granted access to the OAuth application on the _Authorize application_ TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. The *_registrationId_* is a unique identifier for the `ClientRegistration`. +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + [[github-application-config]] === Configure application.yml @@ -185,6 +191,9 @@ and have granted access to the application on the _Authorize application_ page. TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. The *_registrationId_* is a unique identifier for the `ClientRegistration`. +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + [[facebook-application-config]] === Configure application.yml 
@@ -258,6 +267,9 @@ and have granted access to the application on the _Authorize application_ page. TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. The *_registrationId_* is a unique identifier for the `ClientRegistration`. +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + [[okta-assign-application-people]] === Assign Application to People diff --git a/samples/boot/oauth2login/README.adoc b/samples/boot/oauth2login/README.adoc index 81d8fd2e90..e949a7f84e 100644 --- a/samples/boot/oauth2login/README.adoc +++ b/samples/boot/oauth2login/README.adoc @@ -43,6 +43,9 @@ In the "Set a redirect URI" sub-section, ensure that the *Authorized redirect UR TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. The *_registrationId_* is a unique identifier for the `ClientRegistration`. +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + [[google-application-config]] === Configure application.yml 
@@ -107,6 +110,9 @@ and have granted access to the OAuth application on the _Authorize application_ TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. The *_registrationId_* is a unique identifier for the `ClientRegistration`. +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + [[github-application-config]] === Configure application.yml @@ -182,6 +188,9 @@ and have granted access to the application on the _Authorize application_ page. TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. The *_registrationId_* is a unique identifier for the `ClientRegistration`. +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + [[facebook-application-config]] === Configure application.yml 
@@ -255,6 +264,9 @@ and have granted access to the application on the _Authorize application_ page. TIP: The default redirect URI template is `{baseUrl}/login/oauth2/code/{registrationId}`. The *_registrationId_* is a unique identifier for the `ClientRegistration`. +IMPORTANT: If the application is running behind a proxy server, it is recommended to check https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#appendix-proxy-server[Proxy Server Configuration] to ensure the application is correctly configured. +Also, see the supported https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri[`URI` template variables] for `redirect-uri`. + [[okta-assign-application-people]] === Assign Application to People
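Review bot: In the reactive login.adoc hunk (`@@ -42,6 +42,9 @@`), both cross-references in the added IMPORTANT block appear as bare `<>` with no anchor id, so as shown the note would render with empty links; they should point at the `appendix-proxy-server` anchor and at the `oauth2Client-auth-code-redirect-uri` anchor this same patch adds in oauth2-client.adoc (the README hunks spell both targets out as full URLs, which makes the intent clear). The sentence "it is recommended to check ... to ensure the application is correctly configured" also leaves the reader guessing what breaks; since the context line states that the default template is `{baseUrl}/login/oauth2/code/{registrationId}`, one clause saying that `{baseUrl}` is derived from the incoming request, so a proxy that hides the public scheme/host/port produces a `redirect_uri` the authorization server will not recognise, would make the warning actionable.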
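Review bot: The proxy-server.adoc hunk (`@@ -9,3 +9,6 @@`) adds how to make Boot honour forwarded headers (`server.use-forward-headers`) but not from whom they may be honoured, and that is the security-relevant half: once the server trusts `X-Forwarded-*`, the `{baseUrl}` that becomes the OAuth `redirect_uri` is whatever those headers say, so the valve, customizer or filter must only accept them from the known proxy and the proxy must overwrite, not append to, headers supplied by the client. Suggest one added sentence to that effect, e.g. that `RemoteIpValve` restricts trust via its internal/trusted proxy settings (Boot exposes `server.tomcat.internal-proxies`) and that `ForwardedHeaderFilter` itself applies whatever it receives, so header stripping has to happen at the proxy. Minor, on the unchanged context line: "configure your application server aware of the X-Forwarded headers" reads as if a word is missing ("to be aware of").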
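Review bot: In the oauth2-client.adoc hunk (`@@ -430,6 +430,7 @@`) the new `[[oauth2Client-auth-code-redirect-uri]]` anchor is immediately linked by absolute URL from both sample READMEs, so it now has to be treated as a stable, public anchor and should not be renamed casually. The paragraph it labels ("also supports `URI` template variables for the `redirect-uri` using `UriComponentsBuilder`") is the target the proxy note sends readers to, yet it never says where `{baseUrl}` comes from; stating that it is resolved from the current request (scheme, host, port, context path) would close the loop with the proxy warning and explain why forwarded headers matter for this variable specifically.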
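Review bot: The servlet oauth2-login.adoc hunk (`@@ -42,6 +42,9 @@`) has the same empty `<>` cross-references as the reactive hunk, and its wording differs from the README hunks: the manual says "If the OAuth Client is running behind a proxy server" while every README copy says "If the application is running behind a proxy server". Pick one phrasing. Since the identical IMPORTANT block now lives in three manual files, an AsciiDoc include of a single fragment would keep the three copies from drifting the next time the recommendation changes (for instance when the Boot property name changes).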
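Review bot: In the first oauth2login-webflux README hunk (`@@ -46,6 +46,9 @@`), the link `https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2Client-auth-code-redirect-uri` targets an anchor that this very patch introduces, so the link is dead until a release containing it is published as `current`, and `current` will keep moving away from the version the sample is built against; a version-specific URL or a relative link into the repository's own docs would be safer. Separately, a WebFlux sample is pointed at the servlet proxy appendix, whose remedies (`RemoteIpValve`, `ForwardedRequestCustomizer`, `ForwardedHeaderFilter`) do not apply to a Netty/reactive deployment; the reactive counterpart is Spring Framework 5.1's `ForwardedHeaderTransformer`, and this README should name what applies to its own stack or the reader will follow servlet-only advice.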
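Review bot: In the first oauth2login README hunk (`@@ -43,6 +43,9 @@`), the two-line IMPORTANT block is pasted verbatim into all four provider sections (Google, GitHub, Facebook, Okta), directly under a TIP that is already repeated four times; the proxy consideration does not depend on the provider, so one statement in the README's shared setup section, referenced from each provider section if needed, would carry the same information with less to keep in sync. The same dead-anchor caveat as for the webflux README applies to the `#oauth2Client-auth-code-redirect-uri` link here.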