I’m following the Get Started Guide here, with this code:
```java
@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
        throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
            .oidc(Customizer.withDefaults()); // Enable OpenID Connect 1.0
    http
            // Redirect to the login page when not authenticated from the
            // authorization endpoint
            .exceptionHandling((exceptions) -> exceptions
                    .defaultAuthenticationEntryPointFor(
                            new LoginUrlAuthenticationEntryPoint("/login"),
                            new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                    )
            )
            // Accept access tokens for User Info and/or Client Registration
            .oauth2ResourceServer((resourceServer) -> resourceServer
                    .jwt(Customizer.withDefaults()));
    return http.build();
}

@Bean
@Order(2)
public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
        throws Exception {
    http
            .authorizeHttpRequests((authorize) -> authorize
                    .anyRequest().authenticated()
            )
            // Form login handles the redirect to the login page from the
            // authorization server filter chain
            .formLogin(Customizer.withDefaults());
    return http.build();
}
```
Except that I add this to try and make the server completely stateless:
```java
// Added to the HttpSecurity chain; written as a Java lambda to match the
// Java configuration above (the original snippet used Kotlin lambda syntax)
.sessionManagement((session) -> {
    session.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    session.sessionFixation().migrateSession();
    session.maximumSessions(1).maxSessionsPreventsLogin(true);
    session.invalidSessionUrl("/session-expired");
    session.enableSessionUrlRewriting(false);
})
```
With this I cannot get the authorization flow to work.
It redirects me back to the login page. The success handler doesn’t even run.
Without this I get redirected to the initial authorization endpoint with the code challenge (where I went before I was redirected to the login page), and immediately then get redirected to the ‘redirect url’ specified, with the authorization code (that I then later send again to the auth server to get an opaque access token).
Even if the success handler did run, how would I get the request cache (which holds the original URL) to replay the user back to that link, as from what I understand the request cache is stored in an HTTP session?
The same problem as this person from 6 years ago.
Spring Authorization Server: How to use login form hosted on a separate application?
So do authorization servers have to have state then?
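As an added illustration, not code from the question or from Spring, here is a toy model of the authorization-code hop showing why the saved request and the authenticated principal need a server-side session between `/oauth2/authorize` and the login POST. The client id, redirect URI and session id are constructed; `ToyAuthServer` is a simplified stand-in for Spring's `HttpSessionRequestCache` and session-backed security context, and its stateless branch mirrors the `NullRequestCache` that Spring installs under `SessionCreationPolicy.STATELESS`.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def s256(verifier: str) -> str:
    """PKCE S256: BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class ToyAuthServer:
    """Constructed stand-in for the authorization server's session-bound state."""
    def __init__(self, stateless: bool):
        self.stateless, self.sessions, self.codes = stateless, {}, {}

    def authorize(self, sid: str, req: dict) -> str:
        s = self.sessions.setdefault(sid, {})
        if "user" not in s:
            if not self.stateless:            # HttpSessionRequestCache.saveRequest
                s["saved_request"] = req      # under STATELESS this is a NullRequestCache
            return "302 /login"
        code = secrets.token_urlsafe(16)
        self.codes[code] = req                # code bound to client, redirect_uri, challenge
        return f"302 {req['redirect_uri']}?code={code}"

    def login(self, sid: str, user: str) -> str:
        s = self.sessions.setdefault(sid, {})
        if self.stateless:
            return "302 /"                    # nothing to replay, nothing to remember
        s["user"] = user                      # principal persisted in the session
        saved = s.pop("saved_request", None)  # SavedRequestAwareAuthenticationSuccessHandler
        return "302 /oauth2/authorize?" + urlencode(saved) if saved else "302 /"

    def token(self, code: str, verifier: str):
        req = self.codes.pop(code, None)      # single use
        if req and s256(verifier) == req["code_challenge"]:
            return secrets.token_urlsafe(24)  # constructed opaque access token
        return None

def run_flow(stateless: bool):
    """Drive the client side; returns the redirect targets seen and the token (or None)."""
    server, sid, verifier = ToyAuthServer(stateless), "JSESSIONID-constructed", secrets.token_urlsafe(32)
    req = {"client_id": "demo-client", "redirect_uri": "http://127.0.0.1:8080/cb",
           "code_challenge": s256(verifier), "code_challenge_method": "S256"}
    hops = [server.authorize(sid, req)]       # unauthenticated -> /login
    hops.append(server.login(sid, "alice"))   # replay of the saved request, or "/"
    if not hops[-1].startswith("302 /oauth2/authorize"):
        return hops, None
    hops.append(server.authorize(sid, req))   # now authenticated -> redirect_uri?code=...
    return hops, server.token(hops[-1].split("code=")[1], verifier)
```

Run `run_flow(False)` and `run_flow(True)` to see the two paths side by side: with a session the login replays the saved authorization request and a code is issued; without one the login lands on `/` and no code is ever minted.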