Skip to Content
Former Member
Mar 02, 2015 at 01:18 PM

OAuth authorization code flow broken since Hybris 5.4?


For our app we use OAuth through the authorization code flow (aka server side flow) to access the Hybris REST API, see:

We have tested this code on Hybris 5.2 and it worked like a charm. Now that we are testing this on Hybris 5.4 this doesn't work anymore. The resource owner password flow still works, but this doesn't work for us as we do not want to ask the user for any passwords.

Here is our example flow:

Initialize a fresh install of hybris 5.4 with dummy data and "develop" config. Init/update with the "platformwebservices" extension added in localextensions.xml. Go to the frontend at http://localhost:9001/yacceleratorstorefront/electronics/en/?site=electronics . Create a new user on the front-end and stay logged in.

Redirect browser to https://localhost:9002/rest/oauth/authorize?client_id=trusted_client&redirect_uri=http%3A%2F%2Flocalhost%3A9001%2F&response_type=codeā‰»ope=customer&state=111

Now the OAuth login dialog comes up (this is normal in this case, because the jsessionid cookie paths don't match). The login url should be https://localhost:9002/rest/login.jsp . Log in with your just created user. Hybris now redirects to https://localhost:9002/rest/index.jsp , which is totally unexpected, because:

  1. it should have redirected to http://localhost:9001/?code=kuhZGd&state=111 (code is just an example value)

  2. the code and state parameters were missing.

  3. Revisiting the /rest/oauth/authorize url shows login box again, this should have been remembered, indicating that something went wrong with the login.

There were no warnings or errors in the logs. After adding some debug statements, it seems like the configured tokenStore de.hybris.platform.ycommercewebservices.oauth2.token.provider.HybrisOAuthTokenStore and tokenServices de.hybris.platform.ycommercewebservices.oauth2.token.provider.HybrisOAuthTokenServices are never called. After not finding anything through debugging, I restored the config in hybris/bin/ext-template/ycommercewebservices/web/webroot/WEB-INF/config/security-spring.xml as to how it was in Hybris 5.2, to no avail, either.

This works on a clean Hybris 5.2 install, but not on Hybris 5.4 and is currently blocking our release on Hybris 5.4. Are we missing something or is this a bug? The changelog for 5.4 indicates something changed in 5.4 about the OAuth Access Token store, see . This may have introduced the problem that causes the out-of-the-box functionality to fail.