
Spring Security OAuth2 Login using External Login Page

I'm wondering if it's possible to configure Spring Security to use an externally hosted login page during the OAuth login process. Nevermind that this is not a good idea and defeats one of the purposes of OAuth (separating login / credentials / auth concerns from clients and resource servers).

I have the following setup:

  • A client SPA application, where the login page I want to use resides
  • An OAuth Auth server (using Spring Security OAuth / @EnableAuthorizationServer)
  • One or more OAuth resource servers

The OAuth flow that I seek is as follows:

  • User attempts to access a secured route in the SPA
  • Client redirects user to OAuth server's authorize page (with parameters including state, nonce, etc.)
  • OAuth server detects no token and redirects to SPA's login page
  • User logs in; posts to login url (login url lives on the OAuth server; CORS configuration required to allow cross-origin post from SPA to OAuth server)
  • Login successful; Spring redirects to the originally requested authorize page with parameters that were originally present
  • authorize redirects to token; user gets token; SPA detects that user now has a token and allows access to the secured route

I'm able to configure Spring Security to specify an absolute url in order to make the redirect to my SPA's login page happen:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors()
        .and()
        ... config ...
        .and()
        .formLogin()
        // absolute URL: the login page is hosted on the SPA, not on this server
        .loginPage("http://angular-spa-app/login")
        // the login form still posts back to this (OAuth) server
        .loginProcessingUrl("/login")
        .permitAll();
}

When I go through this flow, I see the first request made to oauth/authorize?state=...&nonce=...&etc..., then the redirect to http://angular-spa-app/login. But when I log in, Spring is unable to detect that it should redirect back to the oauth/authorize URL that was saved in the session.

Digging into this further, I discovered that when the first request to oauth/authorize is made, the full URL with params is saved in the session (HttpSessionRequestCache.saveRequest(...)).

When the login form is submitted and authentication is successful, Spring attempts to retrieve the saved request in order to get the redirect URL to send as the 302 Location header. But when it does this, the session is null and therefore Spring cannot retrieve any saved request. Why is this? Do I need to modify Spring session settings in order to work around this?

The problem wasn't with Spring Security at all; it was with the Angular SPA. I needed to send the JSESSION_ID cookie when making the cross-domain POST back to /login from the Angular app.

To do this, I created an HttpInterceptor (as described here):

import { Injectable } from '@angular/core';
import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Observable } from 'rxjs';

@Injectable()
export class AuthInterceptor implements HttpInterceptor {
  constructor() {}

  intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    // Clone the request with withCredentials set so the browser attaches cookies
    // (here the Spring session cookie) to the cross-origin XHR to /login.
    request = request.clone({
      withCredentials: true
    });
    return next.handle(request);
  }
}

The withCredentials: true bit is the important part; this instructs the browser to send cookies along with the XHR request.
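The server-side counterpart to withCredentials: true, as an added example that is not part of the original question or answer: a Spring CorsConfigurationSource on the OAuth server that allows a credentialed cross-origin POST to /login from the SPA. It assumes the SPA origin http://angular-spa-app from the question and that http.cors() is enabled as in the configure() snippet above.

```java
import java.util.Arrays;
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

/**
 * CORS policy for the authorization server so the browser is allowed to send
 * the session cookie with the cross-origin POST to /login. http.cors() picks
 * this bean up automatically because it is named "corsConfigurationSource".
 */
@Configuration
public class CorsConfig {

    // Origin of the SPA that hosts the login page (taken from the question).
    private static final String SPA_ORIGIN = "http://angular-spa-app";

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration cfg = new CorsConfiguration();
        // Exact origin, never "*": browsers refuse a wildcard
        // Access-Control-Allow-Origin on credentialed requests, and
        // Spring 5.3+ rejects "*" combined with allowCredentials=true.
        cfg.setAllowedOrigins(Collections.singletonList(SPA_ORIGIN));
        cfg.setAllowedMethods(Arrays.asList("GET", "POST", "OPTIONS"));
        cfg.setAllowedHeaders(Arrays.asList("Content-Type", "X-Requested-With"));
        // Emits Access-Control-Allow-Credentials: true, which is what lets
        // the withCredentials: true XHR carry the session cookie.
        cfg.setAllowCredentials(true);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // Scope the credentialed policy to the login processing URL only.
        source.registerCorsConfiguration("/login", cfg);
        return source;
    }
}
```

Browsers that default cookies to SameSite=Lax (Chrome since version 80) will still withhold the session cookie on a cross-site POST unless it is issued with SameSite=None; Secure, which is a separate cookie setting not shown here.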
