This pull request implements OpenID Connect (OIDC) authentication and OAuth2 authorization for this application.
Considerations
The authorization code OAuth2 flow is used. I selected this flow because the application will eventually need access to email scopes granted by Google Mail.
The front end application won't need to make those calls, so the entire flow is performed on the back end Spring server. This best protects sensitive user data from unauthorized access.
The sole OAuth2 provider used here is Google. If necessary, this implementation is certainly open to extension, either using other OAuth2 providers or a form login in the future.
Advantages to this approach
Protects sensitive user data: the front channel never receives access tokens
Centralized management: user authentication and authorization handled by the back channel allows for easier monitoring and auditing of user activity
Simplified front end logic: no need to exchange code for tokens in the front end, avoiding potential security vulnerabilities that may arise from client-side processing
Spring Security is battle-tested: provides the best out-of-the-box configuration for CSRF and CORS protection
Disadvantages and counterpoints
Increased back end complexity: since the Spring application handles the entire OAuth2 flow, it's more complex. The improved security and user management capabilities outweigh this
Increased latency: the additional processing required for handling the OAuth2 flow is negligible compared to the benefits of improved security
Scope
Specific features introduced by this pull request:
Configuration of OAuth2 client details
Implementation of authorization code flow, including token exchange, scopes, and redirects using spring-security-oauth2-client
CSRF tokens on mutating HTTP requests, which are validated for added security
Centralized storage of users for easier management
Conditionally-rendered login page and navigation in React app
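The back-channel authorization code flow, the Google client registration, the CSRF cookie for the React front end and the centralized user store described in Scope fit together in one Spring Security configuration. The following is an added example of that wiring, not code from this pull request; the `UserRepository` bean and its `upsert` method are hypothetical placeholders, and the client ID and secret are read from `application.properties` (the real values are never committed).

```java
// Added example: Spring Security 6 / Spring Boot 3 configuration for a
// back-channel OAuth2 authorization code login with Google.
//
// application.properties (values are placeholders, not the project's own):
//   spring.security.oauth2.client.registration.google.client-id=${GOOGLE_CLIENT_ID}
//   spring.security.oauth2.client.registration.google.client-secret=${GOOGLE_CLIENT_SECRET}
//   spring.security.oauth2.client.registration.google.scope=openid,profile,email
// Google is a CommonOAuth2Provider, so issuer, token and userinfo endpoints
// are pre-configured; only the registration above is needed.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Hypothetical persistence abstraction for the centralized user store.
    public interface UserRepository {
        void upsert(String subject, String email, String displayName);
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService)
            throws Exception {
        http
            // Everything except the login entry points requires an authenticated session.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login/**", "/oauth2/**", "/error").permitAll()
                .anyRequest().authenticated())
            // The code-for-token exchange happens here on the server; the browser
            // only ever holds the session cookie, never an access or ID token.
            .oauth2Login(oauth2 -> oauth2
                .userInfoEndpoint(userInfo -> userInfo.oidcUserService(oidcUserService)))
            // CSRF token is issued as a readable cookie (XSRF-TOKEN) so the React app
            // can echo it back in the X-XSRF-TOKEN header on mutating requests.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()));
        return http.build();
    }

    // Wraps the default OIDC user service so every successful login records
    // (or refreshes) the user in the central store, keyed by the stable "sub" claim.
    @Bean
    OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService(UserRepository users) {
        OidcUserService delegate = new OidcUserService();
        return request -> {
            OidcUser user = delegate.loadUser(request);
            users.upsert(user.getSubject(), user.getEmail(), user.getFullName());
            return user;
        };
    }
}
```

Two caveats worth checking when adapting this: with Spring Security 6 the CSRF token is loaded lazily, so the `XSRF-TOKEN` cookie is only written once some request actually reads the token (the Spring Security reference documents a small filter that calls `csrfToken.getToken()` for single-page apps); and using plain `CsrfTokenRequestAttributeHandler` opts out of the BREACH-mitigating token masking that the default `XorCsrfTokenRequestAttributeHandler` provides, which the reference also shows how to combine with a cookie repository.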