How to config login page with separation of front-end and backend? #474

littlefisher666 opened this issue Nov 2, 2021 · 9 comments
@littlefisher666

There is a sample to configure the consent page, but I want to know how to configure the consent page with separation of front-end and backend.

public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
            new OAuth2AuthorizationServerConfigurer<>();
    authorizationServerConfigurer
            .authorizationEndpoint(authorizationEndpoint ->
                    authorizationEndpoint.consentPage(CUSTOM_CONSENT_PAGE_URI));
    RequestMatcher endpointsMatcher = authorizationServerConfigurer
            .getEndpointsMatcher();
    http
            .requestMatcher(endpointsMatcher)
            .authorizeRequests(authorizeRequests ->
                    authorizeRequests.anyRequest().authenticated()
            )
            .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
            .apply(authorizationServerConfigurer);
    return http.formLogin(Customizer.withDefaults()).build();
}

@littlefisher666 littlefisher666 added the type: bug A general bug label Nov 2, 2021
@xialugui

xialugui commented Nov 2, 2021

Just replace CUSTOM_CONSENT_PAGE_URI with an absolute address, like https://www.baidu.com

authorizationServerConfigurer
        .authorizationEndpoint(authorizationEndpoint ->
                authorizationEndpoint.consentPage("https://www.baidu.com"));

Also see my project:

https://github.com/xialugui/implementing-domain-driven-design/blob/7460518817aea330b97c08ceeb99cf0df7dfe34c/identity-access/src/main/java/cn/xialugui/identityaccess/infrastructure/oauth2/AuthorizationServerConfig.java#L49-L68

NOTE:

    if (hasConsentUri()) {
        String redirectUri = UriComponentsBuilder.fromUriString(resolveConsentUri(request))
                .queryParam(OAuth2ParameterNames.SCOPE, String.join(" ", requestedScopes))
                .queryParam(OAuth2ParameterNames.CLIENT_ID, clientId)
                .queryParam(OAuth2ParameterNames.STATE, state)
                .toUriString();
        this.redirectStrategy.sendRedirect(request, response, redirectUri);
    } else {
        DefaultConsentPage.displayConsent(request, response, clientId, principal, requestedScopes, authorizedScopes, state);
    }
}

@littlefisher666
Author

Oh my god. I'm sorry. I need to configure the login page, not the consent page.

@xialugui

xialugui commented Nov 3, 2021

@littlefisher666 there is a similar way:

@Bean
SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
    http.headers().frameOptions().sameOrigin()
            .and()
            // CORS processing and CSRF protection are both switched off for this chain
            .cors().disable()
            .csrf().disable()
            .authorizeRequests(authorizeRequestsCustomizer ->
                    authorizeRequestsCustomizer
                            .antMatchers(EXCLUDE_URLS).permitAll()
                            .antMatchers(HttpMethod.POST, "/users").permitAll()
                            .anyRequest()
                            .authenticated()
            )
            .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)
            .formLogin(new Customizer<FormLoginConfigurer<HttpSecurity>>() {
                @Override
                public void customize(FormLoginConfigurer<HttpSecurity> httpSecurityFormLoginConfigurer) {
                    // Unauthenticated requests are redirected to this absolute URL
                    httpSecurityFormLoginConfigurer.loginPage("https://www.baidu.com");
                }
            })
    ;
    // The posted snippet stopped before the chain was built and the method closed
    return http.build();
}

MOST IMPORTANT:

httpSecurityFormLoginConfigurer.loginPage("https://www.baidu.com");

The loginPage argument is a string.
Also see: https://docs.spring.io/spring-security/site/docs/current/reference/html5/#servlet-authentication-form

NOTE:
https://github.com/spring-projects/spring-security/blob/869e379099d0f60330005a0fba022d04c85cf7e7/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java#L78-L183
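
A hardened variant of the configuration in the comment above, added here as an example (not code from the thread or from Spring Security): unauthenticated users are still sent to a separately hosted login page, but CSRF protection and CORS handling stay enabled. The class name, the front-end origin `https://app.example.com` and the shared cookie domain `example.com` are assumptions, as is Spring Security 5.x with Spring Boot auto-configuration.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
public class SeparatedLoginSecurityConfig { // hypothetical class name
    // Assumed placeholder values: front end and back end share the parent domain example.com.
    private static final String FRONTEND_ORIGIN = "https://app.example.com";
    private static final String COOKIE_DOMAIN = "example.com";

    @Bean
    SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        // CSRF token in a script-readable cookie so the front end can echo it in X-XSRF-TOKEN.
        CookieCsrfTokenRepository csrfTokens = CookieCsrfTokenRepository.withHttpOnlyFalse();
        csrfTokens.setCookieDomain(COOKIE_DOMAIN);
        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            // Uses the CorsConfigurationSource bean below instead of disabling CORS handling.
            .cors(Customizer.withDefaults())
            // CSRF protection stays on for the login POST and every other state-changing request.
            .csrf(csrf -> csrf.csrfTokenRepository(csrfTokens))
            .formLogin(form -> form
                .loginPage(FRONTEND_ORIGIN + "/login")
                // Set explicitly: with a custom login page the processing URL otherwise
                // defaults to the loginPage value, which here is an absolute external URL.
                .loginProcessingUrl("/login"));
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of(FRONTEND_ORIGIN)); // one explicit origin, no wildcard
        config.setAllowedMethods(List.of("GET", "POST"));
        config.setAllowedHeaders(List.of("Content-Type", "X-XSRF-TOKEN"));
        config.setAllowCredentials(true); // session and CSRF cookies travel with the request
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```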

@littlefisher666
Author

littlefisher666 commented Nov 3, 2021

@xialugui I have another question. Why create two SecurityFilterChain beans, one in AuthorizationServerConfig and another in DefaultSecurityConfig?

@xialugui

xialugui commented Nov 3, 2021

@littlefisher666 there is no need to create two SecurityFilterChain, I'll fix it in my project.

@littlefisher666
Author

Thank you. I'm waiting for you.

@xialugui

xialugui commented Nov 3, 2021

@littlefisher666 done, see this folder and the code

@littlefisher666
Author

@xialugui perfect. I will have a look.

@jgrandja
Collaborator

jgrandja commented Nov 3, 2021

@xialugui Thanks for all your comments!

Thanks for getting in touch @littlefisher666, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

@jgrandja jgrandja closed this as completed Nov 3, 2021
@jgrandja jgrandja self-assigned this Nov 3, 2021
@jgrandja jgrandja added for: stackoverflow A question that's better suited to stackoverflow.com and removed type: bug A general bug labels Nov 3, 2021
@littlefisher666 littlefisher666 changed the title How to config consent page with separation of front-end and backend? How to config login page with separation of front-end and backend? Nov 4, 2021