CSRF disable not working - getting error "Could not verify the provided CSRF token because no token was found to compare"

[rajcreddy]

Despite disabling csrf, spring is throwing error "Could not verify the provided CSRF token because no token was found to compare" when APIs are being invoked with the below security filter chain. This is the only filter chain in my application. The csrf error goes away if I remove the oauth2ResourceServer block. I have pasted the stack trace below. The error should not be returned since csrf is being disabled.

@bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
requestCache.setMatchingRequestParameterName(null);

http
  .requestCache(cache -> cache.requestCache(requestCache))
  .csrf(csrf -> csrf.disable())
  .authorizeHttpRequests(requests -> requests
        .requestMatchers(AUTH_WHITELIST).permitAll()
        .requestMatchers("/v1/**")
            .authenticated()
    )
    .oauth2ResourceServer(resourceServer -> resourceServer
        .opaqueToken(token -> token
            .introspectionClientCredentials(clientId,clientSecret)
            .introspectionUri(checkTokenEndpointUrl)
        )
    );
return http.build();

}

Caused by: org.springframework.web.client.HttpClientErrorException$Forbidden: 403 : "{"error":"Could not verify the provided CSRF token because no token was found to compare."}"
at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:109) ~[spring-web-6.1.4.jar!/:6.1.4]
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:183) ~[spring-web-6.1.4.jar!/:6.1.4]
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:137) ~[spring-web-6.1.4.jar!/:6.1.4]
at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-6.1.4.jar!/:6.1.4]
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:942) ~[spring-web-6.1.4.jar!/:6.1.4]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:891) ~[spring-web-6.1.4.jar!/:6.1.4]
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:740) ~[spring-web-6.1.4.jar!/:6.1.4]
at org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector.makeRequest(SpringOpaqueTokenIntrospector.java:146) ~[spring-security-oauth2-resource-server-6.2.2.jar!/:6.2.2]
at org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector.introspect(SpringOpaqueTokenIntrospector.java:128) ~[spring-security-oauth2-resource-server-6.2.2.jar!/:6.2.2]
at org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider.getOAuth2AuthenticatedPrincipal(OpaqueTokenAuthenticationProvider.java:124) ~[spring-security-oauth2-resource-server-6.2.2.jar!/:6.2.2]
... 86 more

[phosphataz]

Hello @rajcreddy , can you try this :
.csrf(AbstractHttpConfigurer::disable)

[rajcreddy]

@phosphataz I tried this already and it did not work. I get the same error.

[rajcreddy]

@marcusdacoregio for some reason the opaquetoken call is resulting in csrf error eventhough csrf is disabled. Is this an issue in the opaquetoken REST call that I see in the stack trace. I am using spring boot 3.2.3

[jzheaux]

Based on the stack trace, it appears that the CSRF error is coming from the authorization server receiving the opaque token request. Are you able to still reproduce this when you use a mock backend (for example, using MockWebServer) for the opaque token endpoint?

If so, please provide a minimal sample, and I can take a look.

[rajcreddy]

@jzheaux thank you! there was a typo in the auth server url which was causing the issue. The auth server url did not exist so the error was misleading

[jzheaux]

Awesome, @rajcreddy! Glad you found it. I'll close this issue at this point.