Spring-security: LoginPage for OAuth2

Created on 24 Sep 2017  ·  3 Comments  ·  Source: spring-projects/spring-security

Summary

When using OAuth2 Login, how can I customize the Login Page to present all Identity Providers' login buttons in a custom way?

Actual Behavior

I am configuring OAuth2 Login as follows:

    http
        .authorizeRequests()
            .antMatchers("/callback").permitAll()
            .anyRequest().authenticated().and()
        .oauth2Login().and();

OAuth2LoginConfigurer does not expose AuthorizationCodeAuthenticationFilterConfigurer and does not provide a loginPage method to allow login page configuration.

Expected Behavior

Am I doing something wrong?
If, by using the OAuth2Login configurer, a login page is generated, I think it would be nice to make it customizable.

Version

5.0.0.M4

oauth2

All 3 comments

@adolfoweloy Thanks for the report.

Agreed, the user should be able to configure a custom login page via http.oauth2Login().loginPage("/custom-login").

This will get in before 5.0 is released.

If you can stomach it, this workaround works for me:

    Field field = OAuth2LoginConfigurer.class.getDeclaredField("authorizationCodeAuthenticationFilterConfigurer");
    field.setAccessible(true);
    Object targetObject = field.get(http.oauth2Login());

    // Ensure the security builder is set, to avoid the framework complaining.
    ((AbstractAuthenticationFilterConfigurer) targetObject).setBuilder(http);

    Method loginPageMethod = AbstractAuthenticationFilterConfigurer.class.getDeclaredMethod("loginPage", String.class);
    loginPageMethod.setAccessible(true);
    loginPageMethod.invoke(targetObject, "/");
    log.warn("Reflection hack performed - please simplify this code when the Spring API allows for it.");

@adolfoweloy @MattSmiglarski You can now configure a custom login page for oauth2.

Example security configuration:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/custom-login").permitAll()
                .anyRequest().authenticated()
                .and()
            .oauth2Login()
                .loginPage("/custom-login");

    }

You would also need to define your Controller that provides your custom login page:

    @RequestMapping("/custom-login")
    public String login() {
        return "login";
    }
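
Added example, not part of the thread and not Spring Security's own code: a fuller controller for the custom login page that lists every configured identity provider, which is what the original question asked for. It assumes Spring Security 5.0 GA or later and an iterable repository such as InMemoryClientRegistrationRepository; the class name, the `providers` model attribute and the `login` template that renders the links are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class CustomLoginController {  // hypothetical class name

    private final ClientRegistrationRepository registrations;

    public CustomLoginController(ClientRegistrationRepository registrations) {
        this.registrations = registrations;
    }

    @RequestMapping("/custom-login")
    public String login(Model model) {
        // Display name -> URL that starts the authorization request for that provider.
        Map<String, String> providers = new LinkedHashMap<>();

        // ClientRegistrationRepository only offers lookup by id; the in-memory
        // implementation is also Iterable, so enumerate it when possible.
        if (registrations instanceof Iterable) {
            for (Object candidate : (Iterable<?>) registrations) {
                ClientRegistration registration = (ClientRegistration) candidate;
                // Links come only from server-side configuration, never from request
                // parameters, so the page cannot be steered to an unregistered provider.
                providers.put(registration.getClientName(),
                        OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI
                                + "/" + registration.getRegistrationId());
            }
        }

        // "providers" is an assumed attribute name; the template should HTML-escape
        // the client names when rendering one link or button per entry.
        model.addAttribute("providers", providers);
        return "login";
    }
}
```

The `/custom-login` path still has to be opened with `permitAll()` as in the configuration above, otherwise the unauthenticated redirect to the login page is itself redirected.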