
Documentation request: OAuth2 Resource Server servicing both REST and MVC endpoints #99

@jackdpeterson


Overview: the current examples seem to work well when configuring EITHER a REST service OR a WebMVC endpoint using the Client flow. Most applications start as a full-stack flow, then quickly evolve to need to support iOS, Android, or external parties. Given this type of default behavior, I'd love to see some documentation on building a resource server (that can also do client activities) w/ the few additional steps necessary in terms of configuring the Security Filter Chain.

  • Configure two authorization providers (e.g., Google and Github)
  • Support rendering a public facing index "/" w/ a @Controller.
  • Support rendering a private "/authenticated" @Controller
  • Support APIs that authenticate using Bearer tokens (e.g., native app, or JS-based).

Starting points

```yaml
server:
  port: 8009
  servlet:
    session:
      persistent: false
  error:
    whitelabel:
      enabled: true
logging:
  level:
    org.springframework.security: TRACE
    org.springframework.security.oauth2: TRACE
    org.springframework.web: TRACE
    org.springframework.web.reactive: TRACE
spring:
  security:
    oauth2:
      client:
        registration:
          google:
            clientId: SOME_VALUE.apps.googleusercontent.com
            clientSecret: SOME_SECRET
            redirectUri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope:
              - openid
              - email
              - profile
        # provider belongs under spring.security.oauth2.client, as a sibling of registration,
        # otherwise the custom Google endpoints are silently ignored
        provider:
          google:
            authorizationUri: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent
            tokenUri: https://oauth2.googleapis.com/token
            userInfoUri: https://www.googleapis.com/oauth2/v3/userinfo
      # The property is spring.security.oauth2.resourceserver.jwt.issuer-uri and its value is the
      # issuer itself (what the JWT "iss" claim must equal); Spring appends
      # /.well-known/openid-configuration when it fetches the metadata and JWK set.
      resourceserver:
        jwt:
          issuer-uri: https://accounts.google.com
```
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

    // Path of the custom login page rendered by an MVC controller (not shown in the issue)
    private static final String LOGIN_PAGE = "/login";

    @Bean
    SecurityFilterChain defaultSecurityFilterChain(final HttpSecurity http) throws Exception {
        return http
                // Spring Security 6 lambda DSL; the no-arg jwt() is deprecated
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
                .authorizeHttpRequests(auth -> {
                    // "/webjars**" only matches a single path segment; "/webjars/**" covers nested files
                    auth.requestMatchers("/", "/login/**", "/webjars/**", "/assets/**").permitAll();
                    auth.anyRequest().authenticated();
                })
                .httpBasic(Customizer.withDefaults())
                .oauth2Login(oauth2 -> oauth2.loginPage(LOGIN_PAGE))
                .formLogin(form -> form.loginPage(LOGIN_PAGE))
                .build();
    }
```

Merging in something like this?

```java
import org.springframework.context.annotation.Bean;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

    // Must be ordered before the default chain, otherwise the default chain (no securityMatcher)
    // claims every request and this one is never consulted
    @Bean
    @Order(1)
    public SecurityFilterChain resourceServerOauthFilterChain(final HttpSecurity http) throws Exception {
        http
                // Spring Security 6: securityMatcher replaces the old requestMatcher
                .securityMatcher(request -> {
                    final String headerValue = request.getHeader("Authorization");
                    // scheme is case-insensitive and must be followed by a space, so "Bearerx" does not match
                    return headerValue != null && headerValue.regionMatches(true, 0, "Bearer ", 0, 7);
                })
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                // stateless chain: no session cookie, so CSRF protection has nothing to protect
                .csrf(AbstractHttpConfigurer::disable)
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
```
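Pulling the two snippets together, as an added example that is not part of the original issue or of the project's documentation: one configuration class with the bearer-token chain ordered first and the session/login chain second, so a request is routed by its `Authorization` header alone. It assumes Spring Boot 3 / Spring Security 6, a `github` entry added beside `google` under `spring.security.oauth2.client.registration` (Boot supplies GitHub's endpoints from its built-in provider defaults), and illustrative paths (`/api/**`, `/login`, `/authenticated`) chosen for this example.

```java
package com.example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Two filter chains in one application (example code, not the project's own):
 *  - apiChain: stateless, JWT bearer tokens only, selected by the Authorization header
 *  - webChain: session-backed, OAuth2 login with Google and GitHub, CSRF enabled
 * Assumes Spring Security 6 and the application.yml registrations from the issue.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumed path of the custom login page served by an MVC controller
    private static final String LOGIN_PAGE = "/login";

    // Matches "Authorization: Bearer <token>": scheme compared case-insensitively, space required
    static final RequestMatcher BEARER = request -> {
        String header = request.getHeader("Authorization");
        return header != null && header.regionMatches(true, 0, "Bearer ", 0, 7);
    };

    @Bean
    @Order(1) // evaluated first; only requests carrying a bearer token land here
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(BEARER)
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/public/**").permitAll()   // assumed public API paths
                .anyRequest().authenticated())
            // No session and no cookie credentials on this chain, so CSRF protection adds nothing
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Default decoder validates signature, exp/nbf and iss against
            // spring.security.oauth2.resourceserver.jwt.issuer-uri; it does NOT check aud
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    @Order(2) // everything without a bearer header: browser traffic with sessions and login
    SecurityFilterChain webChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/error", "/webjars/**", "/assets/**").permitAll()
                .requestMatchers("/authenticated").authenticated()
                .anyRequest().authenticated())
            // The login page links to one URL per registration:
            // /oauth2/authorization/google and /oauth2/authorization/github
            .oauth2Login(oauth2 -> oauth2.loginPage(LOGIN_PAGE))
            .logout(logout -> logout.logoutSuccessUrl("/"));
        // CSRF stays at its default (enabled): the session cookie is what a cross-site request could ride
        return http.build();
    }
}
```

The header matcher is the only thing deciding which chain handles a request, so a native or JS client that omits `Authorization: Bearer ...` falls through to the session chain and receives the login redirect rather than a 401. With `issuer-uri` pointing at Google, the API chain accepts only JWTs that Google issued (ID tokens); Google and GitHub access tokens are opaque strings and will be rejected. If the API is meant to accept Google ID tokens, add an audience validator for your own client ID, since the default decoder does not check `aud`.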
