this post was submitted on 11 Jan 2024
13 points (100.0% liked)

Learn Programming

1546 readers
25 users here now

Posting Etiquette

  1. Ask the main part of your question in the title. This should be concise but informative.

  2. Provide everything up front. Don't make people fish for more details in the comments. Provide background information and examples.

  3. Be present for follow up questions. Don't ask for help and run away. Stick around to answer questions and provide more details.

  4. Ask about the problem you're trying to solve. Don't focus too much on debugging your exact solution, as you may be going down the wrong path. Include as much information as you can about what you ultimately are trying to achieve. See more on this here: https://xyproblem.info/

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
13
[Question] What is the proper way to implement a pure-backend oauth security in SpringBoot? (lemm.ee)
submitted 5 months ago by [email protected] to c/[email protected]
2 comments fedilink hide all child comments
 

I know how to implement basic oauth. My problem is that if I make a simple security filter like:

` @Bean

public SecurityFilterChain configure(HttpSecurity http) throws Exception {
    http
            .authorizeHttpRequests(authorize -> authorize
                    .anyRequest().authenticated()
            )
            .oauth2Login(withDefaults());
    return http.build();
}`

Than I can adress @GetMappings in my browser and get prompted a oauth login screen and login there, but I can't adress a PostMapping or GetMapping in postman, because it doesn't redirect to a login screen (you get the html for the login screen as the ResponseBody in postman)

I can get a valid acces token from auth0 via 'https://{yourDomain}/oauth/token', but if I simply pass that jwt along as a "Bearer token" in postman, it doesn't work. It still shows me the login-screen-html in the response body.

It seems to me there's two things I can do:

  • Make sure postman bypasses the login screen. I maybe don't really want to do that, since I want my backend and frontend to communicate their security through jwt. Or else I have to convince other people (from a different department) to change the way they implement frontend security, which is a pain for everyone. (If it needs to happen, it needs to happen though)
  • Make sure the backend parses the jwt somehow. Maybe an extra Filter that checks the jwt's validity with the provider? I'm not sure how to tackle this.
top 2 comments
sorted by: hot top controversial new old
[โ€“] [email protected] 3 points 5 months ago

I cross posted your question to the Java @Programming.dev community.

[โ€“] [email protected] 1 points 5 months ago

@[email protected], any thoughts on OP's Spring Boot issue?