2

I have two applications

  • authorization-server-app( base on Spring Authorization Server)
  • jwt-app(oauth2 login and resource server)

jwt-app login with OAuth2.1 or OIDC , and protect resources by resource server

http.oauth2Login(oauth2LoginConfigurer -> {
            oauth2LoginConfigurer.loginPage("/oauth2/authorization/toquery");

            oauth2LoginConfigurer.authorizationEndpoint(authorizationEndpointConfig -> {
                authorizationEndpointConfig.authorizationRequestRepository(httpCookieOAuth2AuthorizationRequestRepository);
            });

            oauth2LoginConfigurer.userInfoEndpoint(userInfoEndpointConfig -> {
                userInfoEndpointConfig.userService(appOAuth2UserService);
                userInfoEndpointConfig.oidcUserService(appOidcUserService);
            });

            oauth2LoginConfigurer.successHandler(appOAuth2AuthenticationSuccessHandler);
            oauth2LoginConfigurer.failureHandler(appOAuth2AuthenticationFailureHandler);
        });

        //
        http.oauth2ResourceServer(auth2ResourceServerConfigurer -> {
            // 
            auth2ResourceServerConfigurer.bearerTokenResolver(bearerTokenResolver);
            auth2ResourceServerConfigurer.accessDeniedHandler(accessDeniedHandler);
            // 
            auth2ResourceServerConfigurer.authenticationEntryPoint(appAuthenticationEntryPoint);

            auth2ResourceServerConfigurer.jwt(jwtConfigurer -> {
                jwtConfigurer.jwtAuthenticationConverter(jwtAuthenticationConverter);
            });
        });


spring:
 security:
      resourceserver:
        jwt:
          jwk-set-uri: ${app.oauth2.domain}/oauth2/jwks

After successfully logging in through the address, I found that cookie information will be generated, which is not what I want. I want to get a jwt token after successful login, and can pass resource server。

I try to customize SimpleUrlAuthenticationSuccessHandler and use jwtencode to generate jwt token, but this will bring another problem, the token obtained by password cannot be used

I want to use the jwt token generated by authorization-server (password and authorization_code) to call normally, not the one generated in jwt-app

ToQuery
  • 33
  • 6
  • Reading through your description, it's not 100% clear what your goal is. It's possible there's a misunderstanding of the `oauth2Login()` feature. See [OAuth 2.1 Login](https://docs.spring.io/spring-security/reference/servlet/oauth2/login/index.html) for details. When using this feature, you are opting to store the access token (JWT) on the server. There is no need to pass a JWT to a frontend app, instead you would use a session (JSESSIONID) to stay authenticated with the server. Typically, a resource server is a separate application in the backend. – Steve Riesenberg Jan 05 '23 at 15:52

1 Answers1

1

If your client (html pages optionally generated by Thymeleaf or other server-side rendering framework) and REST resources are served by the same app, define two distinct security filter chains: one for "client" resources (including OAuth2 login) and a distinct one for resource-server. Details in this other answer: Use Keycloak Spring Adapter with Spring Boot 3

If your client(s) are independent of your resource-server app (pages served from another socket or "rich" clients like Angular, Vue, React, native mobile apps, etc.), then do not use Spring OAuth2 login. Requests should arrive authorized already (have a Bearer access-token in Authorization header). Use certified OIDC client libraries adapted to your clients frameworks to handle OAuth2 flows (login with authorization-code but also tokens refreshing) and requests authorization.

ch4mp
  • 6,622
  • 6
  • 29
  • 49