I'm wondering if it's possible to configure Spring Security to use an externally hosted login page during the OAuth login process. Never mind that this is not a good idea and defeats one of the purposes of OAuth (separating login / credentials / auth concerns from clients and resource servers).
I have the following setup:
@EnableAuthorizationServer
The OAuth flow that I seek is as follows:
I'm able to configure Spring Security to specify an absolute url in order to make the redirect to my SPA's login page happen:
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Class name is illustrative; the configure() override below is the one from the question.
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors()
            .and()
            // ... config ...
            .and()
            .formLogin()
            // loginPage() accepts an absolute URL, so unauthenticated requests are redirected to the SPA
            .loginPage("http://angular-spa-app/login")
            // the SPA posts the credentials back to this server's /login
            .loginProcessingUrl("/login")
            .permitAll();
    }
}
When I go through this flow, I see the first request made to oauth/authorize?state=...&nonce=...&etc..., then the redirect to http://angular-spa-app/login. But when I login, Spring is unable to detect that it should redirect back to the oauth/authorize url that was saved in the session.
Digging into this further, I discovered that when the first request to oauth/authorize is made, the full url with params is saved in the session (HttpSessionRequestCache.saveRequest(...)).
When the login form is submitted and authentication is successful, Spring attempts to retrieve the saved request in order to get the redirect url to send as the 302 Location header. But when it does this, the session is null and therefore Spring cannot retrieve any saved request. Why is this? Do I need to modify Spring session settings in order to work around this?
The problem wasn't with Spring Security at all; it was with the Angular SPA. I needed to send the JSESSIONID cookie when making the cross-domain POST back to /login from the Angular app.
To do this, I created a HttpInterceptor (as described here):
import { Injectable } from '@angular/core';
import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Observable } from 'rxjs';

// Register this class with the HTTP_INTERCEPTORS multi-provider so it applies to every HttpClient call.
@Injectable()
export class AuthInterceptor implements HttpInterceptor {
  constructor() {}

  intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    // HttpRequest is immutable, so clone it with withCredentials set; this makes the
    // browser attach cookies (including JSESSIONID) to the cross-origin XHR.
    request = request.clone({
      withCredentials: true
    });
    return next.handle(request);
  }
}
The withCredentials: true bit is the important part; this instructs the browser to send cookies along with the XHR request.
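Added example (not part of the question or the answer above): withCredentials: true only makes the browser willing to attach cookies. Whether it actually does so on the cross-origin POST to /login also depends on two things the server controls: the CORS response headers (a credentialed response needs an explicit Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true; a wildcard origin is rejected) and the session cookie's SameSite and Secure attributes (a cookie treated as SameSite=Lax is not sent on a cross-site POST at all). The functions below model both checks for the flow in the question. ALLOWED_ORIGINS, the sample Set-Cookie values and the assumption that the Spring server is served over HTTPS are constructed for illustration; defaulting a cookie without SameSite to Lax is current Chromium behaviour and was not what browsers did when the answer was written.

```javascript
// Added example, not code from the original question or answer.
// Models why a cross-origin POST /login with withCredentials can still arrive
// without a JSESSIONID cookie: CORS must permit credentials for the exact origin,
// and the cookie's SameSite/Secure attributes must allow a cross-site POST.

// Assumed allow-list of SPA origins (constructed for this example).
const ALLOWED_ORIGINS = new Set(['http://angular-spa-app']);

// CORS headers the server must send on a credentialed request. Returns null when
// the Origin is not allowed. A credentialed response may never use '*', so the
// exact origin is echoed back and Vary: Origin keeps caches from mixing origins.
function corsHeadersForCredentialedRequest(origin, allowedOrigins = ALLOWED_ORIGINS) {
  if (!origin || origin === '*' || !allowedOrigins.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Will the browser attach this cookie to a request with the given context?
// Rules modelled: Secure cookies only travel over HTTPS; same-site requests always
// carry the cookie; SameSite=Strict never crosses sites; SameSite=Lax crosses
// sites only on top-level GET navigations; SameSite=None crosses sites only when
// the cookie is also Secure. A missing SameSite is treated as Lax (Chromium default).
function cookieSentOn(cookie, { crossSite, method, topLevelNavigation, https }) {
  const sameSite = String(cookie.attributes.samesite || 'Lax').toLowerCase();
  const secure = cookie.attributes.secure === true;
  if (secure && !https) return false;
  if (!crossSite) return true;
  if (sameSite === 'strict') return false;
  if (sameSite === 'lax') return topLevelNavigation && method === 'GET';
  if (sameSite === 'none') return secure;
  return false;
}

// The request from the question: an XHR POST from the SPA origin to the Spring
// server's /login, assumed to be served over HTTPS.
const LOGIN_POST = { crossSite: true, method: 'POST', topLevelNavigation: false, https: true };

// Constructed sample cookies: what a servlet container issues by default, and the
// attributes needed for the session to survive a cross-site XHR POST.
const DEFAULT_SESSION_COOKIE = 'JSESSIONID=3F2504E0; Path=/; HttpOnly';
const CROSS_SITE_SESSION_COOKIE = 'JSESSIONID=3F2504E0; Path=/; HttpOnly; Secure; SameSite=None';

// True only when both conditions hold, i.e. the saved oauth/authorize request in
// the session can be found after the POST /login.
function sessionSurvivesLoginPost(setCookieHeader, origin) {
  const cors = corsHeadersForCredentialedRequest(origin);
  const cookie = parseSetCookie(setCookieHeader);
  return cors !== null && cookieSentOn(cookie, LOGIN_POST);
}

console.log('default cookie :', sessionSurvivesLoginPost(DEFAULT_SESSION_COOKIE, 'http://angular-spa-app'));
console.log('None+Secure    :', sessionSurvivesLoginPost(CROSS_SITE_SESSION_COOKIE, 'http://angular-spa-app'));
console.log('wrong origin   :', sessionSurvivesLoginPost(CROSS_SITE_SESSION_COOKIE, 'http://other.example'));
```

In practice this means the `http.cors()` call in the question has to be backed by a CorsConfigurationSource that lists the SPA origin explicitly and sets allowCredentials, and the servlet container's session cookie has to be issued with SameSite=None and Secure (which in turn requires HTTPS) if the SPA lives on a different site from the authorization server.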