I am using Cloudflare Tunnel to connect to my self-hosted home PC, where I host a Spring Boot + Spring Security website set up to use Auth0 SAML2.
I want to protect the Cloudflare tunnel with SAML so my PC handles ONLY logged-in users. Additionally, I want to implement authentication and authorisation within my Spring Boot
I want the same set of Auth0 cookies to be used for both Cloudflare SAML and the Spring Boot website.
The problem is that when I assign SAML to Cloudflare, a cookie is created for the Cloudflare domain .cloudflareaccess.com and another cookie is created for the Spring Boot website behind Cloudflare, which makes me log in twice.
Also, when I log out, it logs me out only of the internal website, not cloudflareaccess.com. I do make Spring use the Auth0 logout URL.
My question: how do I implement single login and single logout for both Cloudflare and Spring Boot using Auth0, so I don't need to log in twice and clear cookies for the cloudflareaccess.com domain on logout?
My Spring Boot code is below:
// Lives in a @Configuration class that declares ADMIN_ROLE, oAuth2UserService,
// authenticationSuccessHandler, and the okta.oauth2.* values logoutUrl, clientId and
// redirectToUrl (the latter three bound from application.yml below).
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http
        .authorizeHttpRequests(authorizeHttpRequests -> authorizeHttpRequests
            .requestMatchers(HttpMethod.GET, "/", "/login", "/api/public", "/error", "/api/print-token").permitAll()
            .requestMatchers(HttpMethod.GET, "/api/private").authenticated()
            .requestMatchers(HttpMethod.GET, "/dashboard", "/admin/**").hasAuthority(ADMIN_ROLE)
            // A bare .anyRequest() with no access rule is an incomplete mapping and
            // Spring Security refuses to build the chain; every remaining request needs a login.
            .anyRequest().authenticated()
        )
        .exceptionHandling(exceptionHandling -> exceptionHandling.accessDeniedHandler(new ErrorAccessDeniedHandler()))
        .oauth2Login(oauth2Login -> oauth2Login
            .loginPage("/login")
            // Custom user service that maps the Auth0 "roles" claim to authorities.
            .userInfoEndpoint(userInfoEndpoint -> userInfoEndpoint.userService(oAuth2UserService))
            .successHandler(authenticationSuccessHandler)
        )
        .logout(logout -> logout
            .logoutUrl("/logout")
            // Auth0 /v2/logout with &federated also ends the upstream IdP session;
            // returnTo must be on the application's allowed logout URL list.
            .logoutSuccessUrl(String.format("%s?client_id=%s&returnTo=%s&federated", logoutUrl, clientId, redirectToUrl))
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID")
            .permitAll()
        )
        .csrf(AbstractHttpConfigurer::disable)
        .build();
}
application.yml:
okta:
  oauth2:
    issuer: https://${OCTA_DOMAIN}/
    clientSecret: ${OKTA_CLIENT_SECRET}
    clientId: ${OKTA_CLIENT_ID}
    scope: openid,profile,email,roles,groups
    groups-claim: roles
    logoutUrl: https://${OCTA_DOMAIN}/v2/logout
    user-info-uri: https://${OCTA_DOMAIN}/userinfo
    redirectToUrl: ${WEBSITE_REST_URL}
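The double login happens because the Spring app starts its own OAuth2 login even though Cloudflare Access has already authenticated the user. Access forwards its session JWT on every proxied request in the Cf-Access-Jwt-Assertion header, signed with keys published at the team domain's /cdn-cgi/access/certs endpoint. The configuration below is an added example, not code from the question: it replaces oauth2Login with a resource-server setup that validates that JWT, so Spring trusts the Cloudflare login instead of asking Auth0 a second time. The property names cloudflare.access.team-domain and cloudflare.access.aud are assumptions for this example (the values are the team domain, e.g. https://example.cloudflareaccess.com, and the application's Audience tag from the Zero Trust dashboard).

```java
// Added example (not from the question): accept the Cloudflare Access JWT as the
// login so the Spring app does not run a second Auth0 authorization-code flow.
// Hypothetical properties: cloudflare.access.team-domain and cloudflare.access.aud.
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class CloudflareAccessSecurityConfig {

    /** Header Cloudflare Access attaches to every request it has already authenticated. */
    static final String CF_ACCESS_HEADER = "Cf-Access-Jwt-Assertion";

    @Value("${cloudflare.access.team-domain}")
    private String teamDomain;       // assumed property, e.g. https://example.cloudflareaccess.com

    @Value("${cloudflare.access.aud}")
    private String applicationAud;   // assumed property: the Access application's AUD tag

    /** Read the token from the Access header instead of "Authorization: Bearer". */
    @Bean
    public BearerTokenResolver cloudflareAccessTokenResolver() {
        return request -> request.getHeader(CF_ACCESS_HEADER);
    }

    /**
     * Verify signature, expiry and issuer against the team domain's published keys, and
     * require this application's AUD tag. Without the audience check a token minted for
     * any other Access application on the same team would be accepted here.
     */
    @Bean
    public JwtDecoder cloudflareAccessJwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withJwkSetUri(teamDomain + "/cdn-cgi/access/certs")
                .build();
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(applicationAud));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(teamDomain), audience));
        return decoder;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers("/", "/error").permitAll()
                        // Everything else needs a valid Access JWT. A request that reached the
                        // PC without going through the tunnel carries no header and gets a 401,
                        // so the app is not relying on the tunnel alone for protection.
                        .anyRequest().authenticated())
                .oauth2ResourceServer(rs -> rs
                        .bearerTokenResolver(cloudflareAccessTokenResolver())
                        .jwt(jwt -> jwt.decoder(cloudflareAccessJwtDecoder())))
                // Stateless: no server-side session and no JSESSIONID to invalidate on logout.
                .csrf(AbstractHttpConfigurer::disable)
                .build();
    }
}
```

With this setup there is only one session to end, the Cloudflare Access one, so the app's logout link can send the browser to the Access logout path on the protected hostname (/cdn-cgi/access/logout), which clears the CF_Authorization cookie; the Auth0 session can then be ended with the existing /v2/logout URL. The user's identity (email, groups) is available from the validated Jwt principal, so the roles-to-authority mapping currently done in oAuth2UserService would move to a JwtAuthenticationConverter.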