I am currently developing an application using Spring Boot and React. I am using Spring Security with OAuth2. When users visit my React application and request data from my Spring Boot backend, they are prompted to log in. They have the option to log in via GitHub or Google. This setup uses JSESSIONIDs, following the standard documentation.
Now, I need to allow another application to interact with my API, either by fetching data or sending data via POST requests. For example, I want to enable a simple JavaScript application running with Node.js to access my API.
I’m having trouble figuring out how to achieve this. Does anyone know how to set up authentication and authorization for this scenario?
Thank you very much for your help! 🙂
Here is my securityFilterChain:
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(AbstractHttpConfigurer::disable)
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            // every request needs an authenticated caller
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // browser login via GitHub/Google, session-based (JSESSIONID)
            .oauth2Login(oauth2 -> oauth2.successHandler(oAuth2LoginSuccessHandler))
            // also accept "Authorization: Bearer <jwt>" on the same endpoints
            .oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer.jwt(Customizer.withDefaults()))
            .build();
    }
and here is my custom LoginSuccessHandler (note that this is WIP):
    @Override
    public void onAuthenticationSuccess(final HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws ServletException, IOException {
        OAuth2AuthenticationToken token = (OAuth2AuthenticationToken) authentication;
        if ("github".equals(token.getAuthorizedClientRegistrationId())) {
            DefaultOAuth2User principal = (DefaultOAuth2User) authentication.getPrincipal();
            Map<String, Object> attributes = principal.getAttributes();
            // GitHub sends "email": null when the address is private, so getOrDefault(...).toString()
            // would throw a NullPointerException; Objects.toString copes with the null value.
            String email = Objects.toString(attributes.get("email"), "");
            String name = Objects.toString(attributes.get("name"), "");
            // look the user up by e-mail, creating a ROLE_USER record on first login
            BMUser user = userService.findByEmail(email).orElseGet(() -> {
                BMUser userEntity = new BMUser();
                userEntity.setRole(BMUserRole.ROLE_USER);
                userEntity.setEmail(email);
                userEntity.setName(name);
                userService.createNewUser(userEntity);
                return userEntity;
            });
            // re-issue the token carrying the role from our database; GitHub's "id" attribute is the principal name
            List<GrantedAuthority> authorities = List.of(new SimpleGrantedAuthority(user.getRole().name()));
            DefaultOAuth2User newUser = new DefaultOAuth2User(authorities, attributes, "id");
            Authentication securityAuth = new OAuth2AuthenticationToken(newUser, authorities,
                    token.getAuthorizedClientRegistrationId());
            SecurityContextHolder.getContext().setAuthentication(securityAuth);
            // Caveat: in Spring Security 6 the login filter saves the SecurityContext to the session
            // before this handler runs, so this replacement must also be written through a
            // SecurityContextRepository or it is lost on the next request.
        }
        this.setAlwaysUseDefaultTargetUrl(true);
        this.setDefaultTargetUrl(frontendUrl);
        super.onAuthenticationSuccess(request, response, authentication);
    }
I’ve reviewed the official Spring Boot documentation, watched YouTube videos, and read Baeldung guides, but I’ve only been able to authenticate React users so far.
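An added example, not the questioner's code, of how the filter chain above can serve both the React session login and a second client that presents a Bearer JWT. It assumes an external authorization server at the placeholder ISSUER_URI that issues tokens to the Node.js app with the audience API_AUDIENCE and the scopes api.read / api.write; the question's success handler can be attached to oauth2Login exactly as before.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ApiAndBrowserSecurityConfig {
    // Placeholders (assumptions): the authorization server that issues JWTs to the
    // Node.js client, and the audience value it puts into tokens meant for this backend.
    private static final String ISSUER_URI = "https://auth.example.invalid/realms/demo";
    private static final String API_AUDIENCE = "spring-backend";

    // One chain serves both callers: React authenticates with its session cookie
    // (oauth2Login), the Node.js app with "Authorization: Bearer <jwt>" (oauth2ResourceServer).
    // Each rule accepts either a role granted at login or a scope carried in the token.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
            .csrf(AbstractHttpConfigurer::disable) // left as in the question
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/**").hasAnyAuthority("ROLE_USER", "SCOPE_api.read")
                .requestMatchers(HttpMethod.POST, "/api/**").hasAnyAuthority("ROLE_USER", "SCOPE_api.write")
                .anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()))
            .build();
    }

    // Besides signature and expiry, check issuer and audience so a token the same issuer minted for another API is rejected.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(ISSUER_URI);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER_URI),
            new JwtClaimValidator<List<String>>(JwtClaimNames.AUD,
                aud -> aud != null && aud.contains(API_AUDIENCE))));
        return decoder;
    }
}
```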