This repository has been archived by the owner on May 31, 2022. It is now read-only.

How to authenticate user every time ? #1504

Open
steventong opened this issue Oct 15, 2018 · 1 comment

Comments

@steventong

Summary

How to authenticate the user every time? I want the user to open /oauth/authorize and then see the login page every time, instead of using the last session to log in automatically.

I have set the client's auto approval to true; I do not have an approval page right now.

Actual Behavior

I want to build a stateless user authentication server that requires the user to authorize every time, that is to say, I am going to show the login page every time the user calls /oauth/authorize?xxxxxxx.

I realize that when the user opens '/oauth/authorize' the first time, spring-security's FilterChainProxy will invoke FilterSecurityInterceptor to open the login page; after successful authentication, SavedRequestAwareAuthenticationSuccessHandler will redirect to /oauth/authorize again. What is different from the last time is that now SecurityContextPersistenceFilter can get the current login user's context. Finally, AuthorizationEndpoint can be invoked, and it redirects to the right redirect_url.

Expected Behavior

I wonder why, after user authentication succeeds, AuthenticationSuccess redirects the request to 'oauth/authorize' again instead of invoking AuthorizationEndpoint in another way? When I set session management to stateless I lose the right redirect_url, or if I set FilterSecurityInterceptor's alwaysReauthenticate to true, I am required to visit the login page every time, even when I submit my right username and password.

The problem is, there are two calls to 'oauth/authorize': the first time is to open the login page and the second time is to generate the authorize_code and redirect to the right redirect_url. But they are invoked by the same filter chain and do the same things. If I turn off the session, the second call will fail, and I cannot find a way to stop the first call from showing the login page every time, because the second call will do the same thing.

So, in order to realize my requirement, I had to override the AuthorizationEndpoint and add some code to clear the user context after the authorize_code is generated successfully, like below.

```java
// Inside the overridden AuthorizationEndpoint.authorize(...) method.
// Validation is all done, so we can check for auto approval...
if (authorizationRequest.isApproved()) {
    if (responseTypes.contains("token")) {
        // Implicit grant: build the redirect that carries the access token
        ModelAndView modelAndView = getImplicitGrantResponse(authorizationRequest);

        // Drop the session and security context so the next call to
        // /oauth/authorize has to go through the login page again
        clearSessionAfterApprovalSuccess();

        return modelAndView;
    }
    if (responseTypes.contains("code")) {
        // Authorization code grant: build the redirect that carries the code
        View codeView = getAuthorizationCodeResponse(authorizationRequest,
                (Authentication) principal);

        clearSessionAfterApprovalSuccess();

        return new ModelAndView(codeView);
    }
}
```

I know this way is not a good idea, but is there a better way to do that?

Configuration

auth-service marked with @EnableAuthorizationServer

Version

spring-security-starter & spring-boot 2.0.5
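
A possible body for the `clearSessionAfterApprovalSuccess()` helper that the snippet above calls, added here as an illustration; it is not code from the issue author or from spring-security-oauth. It assumes the overridden endpoint runs inside a servlet request that Spring exposes through `RequestContextHolder`, and the helper name is the one the snippet uses.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

// Hypothetical helper for the overridden AuthorizationEndpoint: once the
// authorization-code (or implicit-token) redirect has been built, discard
// everything that would let the next /oauth/authorize call skip the login page.
private void clearSessionAfterApprovalSuccess() {
    ServletRequestAttributes attrs =
            (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
    if (attrs != null) {
        HttpServletRequest request = attrs.getRequest();
        // getSession(false) never creates a session; if the user was
        // authenticated without one there is nothing to invalidate.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // The redirect view has already been built, so invalidating here
            // does not affect the response that is about to be rendered.
            session.invalidate();
        }
    }
    // Clear the thread-local context so that SecurityContextPersistenceFilter
    // has no authenticated context to write back at the end of the request;
    // the user is effectively logged out of the authorization server.
    SecurityContextHolder.clearContext();
}
```

This only covers the authorization server's own HTTP session: a remember-me cookie or an upstream single-sign-on session would still re-authenticate the user on the next request, so those must be disabled as well if every call is meant to show the login page.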

@rachitbshephertz

Did you manage to achieve this? And also, can you explain your way a bit more, or do you have a git URL where I can look at it?
