Question: Set the timeouts used when retrieving Keys for JWT validation

[hildo]

This is a question: I am trying out the v5 oauth changes, eventually hoping to try the open id client support. I'm running the boot oauth2login same in the 5.0.0 M3 release. I have added a new client to connect to an Azure Active Directory account I have. It is working... I can see the token coming back. But it fails when validating the token.

This is the call stack I see in the system.out for the process running the sample

org.springframework.security.jwt.JwtException: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: connect timed out
	at org.springframework.security.jwt.nimbus.NimbusJwtDecoderJwkSupport.decode(NimbusJwtDecoderJwkSupport.java:108) ~[spring-security-jwt-jose-5.0.0.M3.jar!/:na]
	at org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProvider.authenticate(AuthorizationCodeAuthenticationProvider.java:119) ~[spring-security-oauth2-client-5.0.0.M3.jar!/:na]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-5.0.0.M3.jar!/:na]
	at org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProcessingFilter.attemptAuthentication(AuthorizationCodeAuthenticationProcessingFilter.java:154) ~[spring-security-oauth2-client-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.oauth2.client.authentication.AuthorizationCodeRequestRedirectFilter.doFilterInternal(AuthorizationCodeRequestRedirectFilter.java:100) ~[spring-security-oauth2-client-5.0.0.M3.jar!/:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) ~[spring-security-web-5.0.0.M3.jar!/:na]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:350) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:265) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:199) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) ~[tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_111]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_111]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_111]
Caused by: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: connect timed out
	at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:141) ~[nimbus-jose-jwt-4.34.1.jar!/:4.34.1]
	at com.nimbusds.jose.jwk.source.RemoteJWKSet.get(RemoteJWKSet.java:219) ~[nimbus-jose-jwt-4.34.1.jar!/:4.34.1]
	at com.nimbusds.jose.proc.JWSVerificationKeySelector.selectJWSKeys(JWSVerificationKeySelector.java:129) ~[nimbus-jose-jwt-4.34.1.jar!/:4.34.1]
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:323) ~[nimbus-jose-jwt-4.34.1.jar!/:4.34.1]
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:284) ~[nimbus-jose-jwt-4.34.1.jar!/:4.34.1]
	at org.springframework.security.jwt.nimbus.NimbusJwtDecoderJwkSupport.decode(NimbusJwtDecoderJwkSupport.java:92) ~[spring-security-jwt-jose-5.0.0.M3.jar!/:na]
	... 59 common frames omitted
Caused by: java.net.SocketTimeoutException: connect timed out
	at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method) ~[na:1.8.0_111]
	at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85) ~[na:1.8.0_111]
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_111]
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_111]
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_111]
	at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[na:1.8.0_111]
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_111]
	at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_111]
	at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) ~[na:1.8.0_111]
	at sun.net.NetworkClient.doConnect(NetworkClient.java:175) ~[na:1.8.0_111]
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) ~[na:1.8.0_111]
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) ~[na:1.8.0_111]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138) ~[na:1.8.0_111]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) ~[na:1.8.0_111]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546) ~[na:1.8.0_111]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) ~[na:1.8.0_111]
	at com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:97) ~[nimbus-jose-jwt-4.34.1.jar!/:4.34.1]
	at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:139) ~[nimbus-jose-jwt-4.34.1.jar!/:4.34.1]
	... 64 common frames omitted

From what I have pieced together, the framework is attempting to retrieve the keys from the jwk-set-uri value and not getting the value in time. When I debug this, the default values of 250 ms is used for both the connect and read timeout for the nimbus classes involved.

When I load the same URL using my browser, it completes. To the URL is valid. However, from where I'm running, it usually takes >400 ms to load. I'm happy to says it's caused by my network, but I'm not going to be able to change this.

Is there any chance that those timeouts will be configurable? I feel like if I can just increase those timeouts, this will work just fine.

Thanks for any help.
Ed

[hildo]

Just some more context. Here is the breakdown of my time spent waiting for the content when I load the url in my browser the first time....

That would result with a Connect timeout (which the above log states is the timeout encountered). However, when I shift-F5 in the browser to refresh the page, the time to connect is less, but the time waiting for the response is still > 250

So I'm going to hit a timeout either way.

[hildo]

Actually, I can't even get the Google aspect of the sample to work. I've followed the instructions, created an OAuth2 client in my Google account and updating the application.yaml with my client-id and client-secret. When I run the app and click on the Google link, it goes to my account, and I select my account, then it looks like it's sending an auth code back. But then my browser shows up with an error.

So, I can see the call back from google to localhost:8080/oauth2/authorize/code/google, but that ends up with a 302 error under the covers

Is there anything else to be done to get this basic sample working?

[jgrandja]

@hildo Can you post the stack trace for the error related to the access token request connect time out - Google?

[hildo]

I don't get any exception in the spring-boot process. What I see is

• I open localhost:8080 in my browser
• I click "Google" from the page
• I get redirected to Google, and I select my account to use
• Browser gets redirected, but sits for a long time (about a minute, waiting for the request to complete)
• I finally see the page above with the exception

There are no callstacks in the Java process, and no call stacks in the browser.

[hildo]

If it helps, this is how I have the Client ID defined in my Google API console

And how that transcribed in my application.yml

If I have not done enough, please let me know. I thought I had followed the instructions, but I could have overlooked something?

[jgrandja]

Looks like you have things configured correctly. It really is as simple as setting the client-id and client-secret. The defaults for the rest of the config is in oauth2-clients-defaults.yml.

Can you add this to your application.yml and send me the log output.

logging:
  level:
    org.springframework.security: DEBUG

This should give me more information on the connect timeout issue.

This error is happening during the Access Token Request call in NimbusAuthorizationCodeTokenExchanger on line 93:

tokenResponse = TokenResponse.parse(httpRequest.send());

Although the other issue you're having with the timing out while fetching the JwkSet (because of the 250ms timeout setting), there is no timeout set for connect or read while fetching the access token. So this explains why it hangs for a minute or so.

Just curious, did you make any changes to oauth2-clients-defaults.yml? The uri it's using to fetch the token is:

token-uri: "https://accounts.google.com/o/oauth2/token"

Something is going on here. I haven't had any issues when testing the sample using a client configured in my google account. Seems like your network is having some issues here.

Have you tried configuring the facebook or github client? Maybe try either one of them and see what happens.

The debug log output may help further so please post that when you get a chance.

As far as the JwkSet timeout issue. I will address that so you can update the default connect/read timeout.

[jgrandja]

Related #4477

[jgrandja]

@hildo I just added a new feature that will allow you to provide a custom configuration for the underlying HTTP client. So now you can set the connect timeout and read timeout.

Here is a code sample to enable this:

@Configuration
public class ApplicationConfig {

	@Bean
	public HttpClientConfig httpClientConfig() {
		HttpClientConfig httpClientConfig = new HttpClientConfig();
		httpClientConfig.setConnectTimeout(60000);
		httpClientConfig.setReadTimeout(60000);
		return httpClientConfig;
	}
}

Just a heads up that I won't be available over the next 2 weeks. However, @rwinch will be able to assist you if you have any other issues.

[hildo]

Thanks. The only change I have made to the default yml is, apparently, the scopes...

I'm not sure why I've done that. Up until now, I've been using the ZIP download of M3. However, I've now cloned the repo as there are now changes I'd like to try, wrt to the timeouts. So I'll ensure those values in the default yml are restored to what's originally in the repo.

Thanks for the help, and have a great break!

[hildo]

Hi. Just an update. Instead of using M3 of the sources, I've cloned the repository. I've been able to take advantage of configuring the HttpClientConfig and as a result I have been able to successfully interact with an Azure Active Directory (which is what I was really after) as well as a second Open ID connect endpoint. I am still having the same issue with integrating with Google. I've set up the logging as specified, and this is the output in the console running the sample code

2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : /oauth2/authorization/code/google at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : /oauth2/authorization/code/google at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: null. A new one will be created.
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : /oauth2/authorization/code/google at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@727a9f93
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : /oauth2/authorization/code/google at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : /oauth2/authorization/code/google at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /oauth2/authorization/code/google' doesn't match 'POST /logout
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.security.web.FilterChainProxy        : /oauth2/authorization/code/google at position 6 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeRequestRedirectFilter'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth2/authorization/code/google'; against '/oauth2/authorization/code/{clientAlias}'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth2/authorization/code/google'; against '/oauth2/authorization/code/{clientAlias}'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] o.s.s.web.DefaultRedirectStrategy        : Redirecting to 'https://accounts.google.com/o/oauth2/auth?response_type=code&redirect_uri=http://localhost:8080/oauth2/authorize/code/google&client_id=107403879208-ctufv96i3pchbc1ha9hjsv45efvne1ql.apps.googleusercontent.com&scope=openid%20profile%20email%20address%20phone&state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D'
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-07-31 12:17:09.861 DEBUG 6740 --- [nio-8080-exec-5] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6b197970. A new one will be created.
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@727a9f93
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /oauth2/authorize/code/google' doesn't match 'POST /logout
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 6 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeRequestRedirectFilter'
2017-07-31 12:17:27.540 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth2/authorize/code/google'; against '/oauth2/authorization/code/{clientAlias}'
2017-07-31 12:17:27.541 DEBUG 6740 --- [nio-8080-exec-6] o.s.security.web.FilterChainProxy        : /oauth2/authorize/code/google?state=XC6E2J2OGbQcSociaI4q9ThQq-FAmfgflVGhVzfiV_w%3D&code=4/vQ9UFim59AqpSTje8IOmPUPT3j0IomqUawJyiH-Ssxk&authuser=0&session_state=58ee91a01a585e108948af5b066b972a3ebfdafa..65e9&prompt=consent at position 7 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeAuthenticationProcessingFilter'
2017-07-31 12:17:27.541 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/oauth2/authorize/code/google'; against '/oauth2/authorize/code/{clientAlias}'
2017-07-31 12:17:27.545 DEBUG 6740 --- [nio-8080-exec-6] zationCodeAuthenticationProcessingFilter : Request is to process authentication
2017-07-31 12:17:27.545 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.authentication.ProviderManager     : Authentication attempt using org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProvider
2017-07-31 12:18:31.377 DEBUG 6740 --- [nio-8080-exec-6] zationCodeAuthenticationProcessingFilter : Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: An error occurred while sending the Access Token Request: Connection timed out: connect

org.springframework.security.authentication.AuthenticationServiceException: An error occurred while sending the Access Token Request: Connection timed out: connect
	at org.springframework.security.oauth2.client.authentication.nimbus.NimbusAuthorizationCodeTokenExchanger.exchange(NimbusAuthorizationCodeTokenExchanger.java:106) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.oauth2.client.authentication.nimbus.NimbusAuthorizationCodeTokenExchanger.exchange(NimbusAuthorizationCodeTokenExchanger.java:64) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProvider.authenticate(AuthorizationCodeAuthenticationProvider.java:106) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProcessingFilter.attemptAuthentication(AuthorizationCodeAuthenticationProcessingFilter.java:155) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.oauth2.client.authentication.AuthorizationCodeRequestRedirectFilter.doFilterInternal(AuthorizationCodeRequestRedirectFilter.java:101) [spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:350) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:265) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:105) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:199) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-5.0.0.RC2.jar!/:5.0.0.RC2]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_111]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_111]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-8.5.16.jar!/:8.5.16]
	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_111]
Caused by: java.net.ConnectException: Connection timed out: connect
	at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method) ~[na:1.8.0_111]
	at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85) ~[na:1.8.0_111]
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_111]
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_111]
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_111]
	at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172) ~[na:1.8.0_111]
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_111]
	at java.net.Socket.connect(Socket.java:589) ~[na:1.8.0_111]
	at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:668) ~[na:1.8.0_111]
	at sun.net.NetworkClient.doConnect(NetworkClient.java:175) ~[na:1.8.0_111]
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:432) ~[na:1.8.0_111]
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:527) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191) ~[na:1.8.0_111]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138) ~[na:1.8.0_111]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1032) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177) ~[na:1.8.0_111]
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1316) ~[na:1.8.0_111]
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1291) ~[na:1.8.0_111]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) ~[na:1.8.0_111]
	at com.nimbusds.oauth2.sdk.http.HTTPRequest.toHttpURLConnection(HTTPRequest.java:623) ~[oauth2-oidc-sdk-5.21.jar!/:5.21]
	at com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:677) ~[oauth2-oidc-sdk-5.21.jar!/:5.21]
	at com.nimbusds.oauth2.sdk.http.HTTPRequest.send(HTTPRequest.java:649) ~[oauth2-oidc-sdk-5.21.jar!/:5.21]
	at org.springframework.security.oauth2.client.authentication.nimbus.NimbusAuthorizationCodeTokenExchanger.exchange(NimbusAuthorizationCodeTokenExchanger.java:98) ~[spring-security-oauth2-client-5.0.0.BUILD-SNAPSHOT.jar!/:na]
	... 60 common frames omitted

2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] zationCodeAuthenticationProcessingFilter : Updated SecurityContextHolder to contain null Authentication
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] zationCodeAuthenticationProcessingFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@6c9b2c82
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] .a.SimpleUrlAuthenticationFailureHandler : Redirecting to /login?error
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] o.s.s.web.DefaultRedirectStrategy        : Redirecting to '/login?error'
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-07-31 12:18:31.380 DEBUG 6740 --- [nio-8080-exec-6] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed
2017-07-31 12:18:31.389 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /login?error at position 1 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2017-07-31 12:18:31.389 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /login?error at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : HttpSession returned null object for SPRING_SECURITY_CONTEXT
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@6b197970. A new one will be created.
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /login?error at position 3 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@727a9f93
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /login?error at position 4 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /login?error at position 5 of 14 in additional filter chain; firing Filter: 'LogoutFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher  : Request 'GET /login' doesn't match 'POST /logout
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /login?error at position 6 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeRequestRedirectFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/oauth2/authorization/code/{clientAlias}'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /login?error at position 7 of 14 in additional filter chain; firing Filter: 'AuthorizationCodeAuthenticationProcessingFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.s.w.u.matcher.AntPathRequestMatcher  : Checking match of request : '/login'; against '/oauth2/authorize/code/{clientAlias}'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /login?error at position 8 of 14 in additional filter chain; firing Filter: 'DefaultLoginPageGeneratingFilter'
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] w.c.HttpSessionSecurityContextRepository : SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2017-07-31 12:18:31.390 DEBUG 6740 --- [nio-8080-exec-7] s.s.w.c.SecurityContextPersistenceFilter : SecurityContextHolder now cleared, as request processing completed

That said, I'm happy with the changes that have been made so far. While it would be nice to use Google, I was only attempting that because my first attempt at AAD was failing. That is now succeeding and that is what I am really after.

Thanks for all the help!

[jgrandja]

@hildo I'm glad you got things working with Azure AD. I'm curious though why you're getting a connect time out using the Google client. I'm suspecting there is something going on with your network where https://accounts.google.com/o/oauth2/token is being blocked.

Try doing a curl -v https://accounts.google.com/o/oauth2/token on the same computer where the application is running and producing this error to confirm if it's your network.

Are you running the Google sample on your laptop/desktop or is this happening in a server environment?