Spring-security-oauth: Enable session authentication instead of access_token

Created on 20 Nov 2016 · 6 Comments · Source: spring-projects/spring-security-oauth

This is more a what is the "right-way" how-to question than a specific bug.

I'm using Spring Boot 1.4.1 w/ Spring Security OAuth in a @EnableResourceServer application.

Authentication works fine for passing an ?access_token=xxxx in the query string and with Bearer token in an Authorization header.

What doesn't work is any kind of "stay logged in" via the browser-provided JSESSIONID cookie.

Expected behavior is that the session cookie, while valid, should allow authentication when provided by the browser.

I found the resources.stateless( false ) method in the ResourceServerConfigurerAdapter, but it didn't resolve the issue.

I suspect there is a Filter ordering problem, but I am not sure how to go about debugging that.

This application serves mostly REST API endpoints, but there is an internal website using Spring MVC and it's really cumbersome to pass around an access_token amongst the internal pages.

All 6 comments

Hi @jzampieron
Are you using @EnableAuthorizationServer and @EnableResourceServer in the same application?
Note that your authenticated browser session is with the Authorization Server not the Resource Server. The Resource Server expects a valid access token in order to allow access to the resources.

I don't understand when you say:

Authentication works fine for passing an ?access_token=xxxx in the query string and with Bearer token in an Authorization header.

Why are you passing the access_token in a query parameter? You should not have to do this and it's highly recommended that you don't as you may expose/leak your access token.

Can you provide an example and more details here?

That's clearly the missing piece then. This application is _not_ @EnableAuthorizationServer.

Therefore the session state is clearly not being shared between the Resource Server and the Authorization Server.

Any recommended approach to accomplish that with OAuth2? Spring Session Redis?

Take a look at this sample.

It's a Spring Boot app with an Authorization Server and a Resource Server. It's a fairly bare-bones setup, but it's something you can build from. It's not using Spring Session, but you can add it after you understand how things are configured.

I was struggling with getting both session and token auth to work today (as I run both a UI portion that connects to the API using sessions, and the same endpoints can be accessed just using oauth tokens), but not entirely sure if my scenario is the same as yours. Either way, if it's any help here's what I found out:

In the Sparkl sample app there is this little nugget, which lets the resource endpoints create a session if necessary. With both this and stateless=false my API resources worked with both session auth and OAuth tokens.

```java
http
    // Since we want the protected resources to be accessible in the UI as well we need
    // session creation to be allowed (it's disabled by default in 2.0.6)
    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
    .and()
```
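For readers who want to see the two settings from this thread (`resources.stateless(false)` from the original post and the `IF_REQUIRED` session policy from the comment above) in one place, here is a complete resource-server configuration; it is an added example, not code from the issue or from the spring-security-oauth project. It also addresses the maintainer's point about `?access_token=` in the query string by accepting the bearer token from the Authorization header only. The class names, the resource id and the `/**` matcher are assumptions for the example.

```java
import javax.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.authentication.BearerTokenExtractor;

@Configuration
@EnableResourceServer
public class SessionOrTokenResourceConfig extends ResourceServerConfigurerAdapter {

    // Read the bearer token from the Authorization header only. The default
    // BearerTokenExtractor also falls back to the access_token request parameter,
    // which lands in access logs, browser history and Referer headers.
    static class HeaderOnlyTokenExtractor extends BearerTokenExtractor {
        @Override
        protected String extractToken(HttpServletRequest request) {
            return extractHeaderToken(request);
        }
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources
            .resourceId("my-resource")                 // assumed resource id
            .stateless(false)                          // keep a session-backed SecurityContext
            .tokenExtractor(new HeaderOnlyTokenExtractor());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            // stateless(false) only stops the token filter from clearing an existing
            // context; a session still has to be allowed to exist (the resource
            // server sets STATELESS by default, see the comment above).
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
            .and()
            .authorizeRequests()
                .antMatchers("/**").authenticated();   // assumed matcher
    }
}
```

With this in place a request carrying a valid `Authorization: Bearer` header populates the session, and later requests from the same browser authenticate with the JSESSIONID cookie alone; requests that only carry `?access_token=` are rejected as unauthenticated.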

Came back to revisit this. Still having the issue. We've since upgraded to Spring Boot 1.5.x.

What I'm really trying to do is use my Authorization server, _also_ as an Authentication server.

It seems that all the examples focus on using github, fb, okta, etc for external authentication and then use the authorization grant flow. I have my own authentication and user management system.

I'd like to support the following workflows:
Flow #1:

  1. User gets access token (via curl, whatever) using password grant.
  2. User loads resource server url: e.g. https://resource/foo.html?access_token=XXXX
  3. User session is created (by resource server?) and user can access any and all other urls from https://resource/** using the authenticated session.

Flow #2:

  1. User loads resource server url: e.g. https://resource/foo.html
  2. 401 error causes redirect to https://authserver/login.html
  3. User logs in
  4. Redirect back to https://resource/foo.html

The flow we use in production today is:

  1. Responsive web app gets token via javascript. (password grant, ReactJS)
  2. Token passed to API calls as needed via 'Bearer' header.

We are trying to expand our system to also support Spring Web MVC based applications for various purposes and sharing the authentication flow has proven to be somewhat difficult.

The API flow (Postman etc) with Bearer tokens works great. Now trying to add the web browser flow for Spring MVC has been a little challenging.

I get a fair number of "Request processing failed; nested exception is org.springframework.security.authentication.InsufficientAuthenticationException: User must be authenticated with Spring Security before authorization can be completed." errors as I adjust various things.

Closing this as questions are better suited on Stack Overflow. We prefer to use GitHub issues for bugs and enhancements.
