How does Spring OAuth2 login redirect work?

Ryan · Mar 13, 2016 · Viewed 12.1k times

I've been thrashing around with the Spring Boot OAuth2 tutorial and I can't seem to get a pretty key element working:

https://spring.io/guides/tutorials/spring-boot-oauth2/

I want to run as an authorization server. I've followed the instructions as closely as I can fathom, but when I go to the /oauth/authorize endpoint, all I ever get is a 403 Forbidden response. This actually makes sense to me given the HttpSecurity configuration that the tutorial sets up:

protected void configure(HttpSecurity http) throws Exception {
    http
      .antMatcher("/**")
      .authorizeRequests()
        .antMatchers("/", "/login**", "/webjars/**")
        .permitAll()
        .anyRequest()
        .authenticated()
      .and().logout().logoutSuccessUrl("/").permitAll()
      .and().csrf().csrfTokenRepository(csrfTokenRepository())
      .and().addFilterAfter(csrfHeaderFilter(), CsrfFilter.class)
      .addFilterBefore(ssoFilter(), BasicAuthenticationFilter.class);
}

The login page for this tutorial is actually the main index and I definitely don't see anything in the tutorial that would instruct the OAuth system to redirect the login flow there.

I can get it kind of working by adding this:

        .and().formLogin().loginPage("/")

...but before moving forward I really wanted to understand if this is a problem with the tutorial or my implementation of it or something else. What is the mechanism by which the OAuth security system decides what a "login" page is?

Answer

Ryan · Mar 22, 2016

The solution was to add the following to the SecurityConfig.configure call:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

@Override
protected void configure(HttpSecurity http) throws Exception {
    // Entry point invoked by ExceptionTranslationFilter whenever an
    // unauthenticated request hits a protected URL.
    AuthenticationEntryPoint aep = new AuthenticationEntryPoint() {

        @Override
        public void commence(HttpServletRequest request,
                HttpServletResponse response,
                AuthenticationException authException) throws IOException,
                ServletException {
            response.sendRedirect("/login");
        }
    };

    http.exceptionHandling()
            .authenticationEntryPoint(aep);

    // ... remainder of the HttpSecurity configuration from the question unchanged
}

This redirects the authentication flow to a specific URL (in this case I am sending it to "/login", but it also worked with "/" or anything else I chose). I have no idea how the tutorial is supposed to do the redirect without explicitly adding this line.
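The same redirect expressed with Spring Security's built-in LoginUrlAuthenticationEntryPoint, as an added example that is not part of the question, the answer or the Spring tutorial. It assumes a WebSecurityConfigurerAdapter-based config (Spring Security 4.x, as in the tutorial) and a "/login" page that the app actually serves; formLogin().loginPage("/") from the question registers this same entry point class internally, which is why that one-liner also worked.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Spring Security's own entry point. Unlike a hand-written
        // response.sendRedirect("/login"), it prefixes the servlet context
        // path, so the redirect still resolves when the app is not at "/".
        // Assumption: "/login" is a page this application serves.
        LoginUrlAuthenticationEntryPoint entryPoint =
                new LoginUrlAuthenticationEntryPoint("/login");

        http
            .antMatcher("/**")
            .authorizeRequests()
                // The redirect target must be reachable without a session;
                // if "/login**" were not permitted here, every anonymous
                // request would bounce between /login and the entry point.
                .antMatchers("/", "/login**", "/webjars/**").permitAll()
                .anyRequest().authenticated()
            .and()
            // ExceptionTranslationFilter saves the original request (e.g.
            // /oauth/authorize?...) before calling the entry point, so the
            // browser is sent back there after a successful login.
            .exceptionHandling()
                .authenticationEntryPoint(entryPoint);
    }
}
```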