ThomasVitale / cloud-native-spring-in-action

🍃 Code samples and projects from the book "Cloud Native Spring in Action - With Spring Boot and Kubernetes" (Manning)
https://www.manning.com/books/cloud-native-spring-in-action
Apache License 2.0

[chapter 11.5.2] I am uncertain about the complete overview of the entire workflow. #57

Closed ongiant closed 4 months ago

ongiant commented 10 months ago

I only have a vague understanding of what is discussed in the book, and I lack a clear panoramic view of the entire authentication process. Therefore, I would like to present my current understanding here and kindly ask for any corrections if there are any. (As a beginner, I genuinely feel that this section should include a diagram similar to Figure 11.3).

Workflow steps (I guessed):

  1. The first request sent by Angular is an HTTP standard request. (This will trigger the authentication flow)
  2. Subsequently, all requests sent are AJAX requests, which are considered unauthenticated requests.
  3. Then, we instruct Spring Security to respond with an HTTP 401 response.
  4. After receiving the HTTP 401 response, the SPA handles this error and initiates the authentication flow. (In other words, initiate authentication flow is required for every AJAX request).
  5. Since the SPA is responsible for the authentication flow, it is necessary to allow unauthorized requests for static resources at this point.
ThomasVitale commented 4 months ago

@ongiant I'll consider adding a dedicated diagram in the next edition of the book, it's a really good suggestion, thank you!

The steps you described look correct. I have only one comment about step 4: after the authentication flow, AJAX requests will be allowed through since they will contain the session cookie that Spring Security uses to validate that the request comes from an authenticated session. That means it's not necessary to initiate the authentication flow for every AJAX request, only the first time, when the first AJAX request gets an HTTP 401 response from Edge Service.

If you have more questions about this flow, feel free to comment here or open a new issue.
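Putting the five steps and the correction to step 4 together in one configuration, as an added example that is not code from the book or from this repository: a reactive Spring Security filter chain for an Edge Service built on Spring Cloud Gateway (WebFlux), which is what the thread assumes. The path patterns (`/`, `/*.css`, `/*.js`, `/favicon.ico`), the `/user` endpoint and the `keycloak` client registration id are assumptions for illustration; everything else uses Spring Security's public API as it exists today.

```java
package com.example.edgeservice.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;

/**
 * Edge Service security configuration that produces the flow discussed in the issue:
 *
 *  - Step 5: static resources of the SPA are served without authentication, so the
 *    browser can always load the application shell.
 *  - Step 2/3: any other request (the SPA's AJAX calls) must be authenticated; if it is
 *    not, Spring Security answers 401 instead of redirecting to the identity provider.
 *  - Step 4 (as corrected in the reply): the SPA reacts to that 401 by navigating to
 *    /oauth2/authorization/keycloak, which starts the OAuth2/OIDC login. Once that
 *    completes, Spring Security creates an authenticated session and sets the session
 *    cookie, so every later AJAX request carries the cookie and passes through without
 *    triggering the flow again.
 */
@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchange -> exchange
                // Step 5: the SPA's static resources are public (paths are assumed).
                .pathMatchers("/", "/*.css", "/*.js", "/favicon.ico").permitAll()
                // Everything else, e.g. the assumed /user endpoint called via AJAX,
                // requires an authenticated session.
                .anyExchange().authenticated())
            // Step 3: unauthenticated requests get a plain HTTP 401 rather than a 302
            // to the identity provider. A redirect would break the SPA's XHR/fetch calls,
            // because the browser would follow it transparently and the SPA would get
            // an HTML login page instead of a JSON error it can handle.
            .exceptionHandling(handling -> handling
                .authenticationEntryPoint(
                    new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)))
            // Step 1/4: OAuth2 login is enabled; Spring Security exposes
            // /oauth2/authorization/{registrationId} to start the flow on demand.
            .oauth2Login(Customizer.withDefaults())
            // Session-cookie authentication needs CSRF protection; storing the token in a
            // readable cookie lets the SPA send it back in the X-XSRF-TOKEN header.
            .csrf(csrf -> csrf.csrfTokenRepository(
                CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
            .build();
    }
}
```

The SPA's part of step 4 is a single 401 handler in its HTTP layer: on a 401 it sets `window.location.href` to `/oauth2/authorization/keycloak` (the registration id is an assumption), and after the identity provider redirects back, the session cookie makes subsequent AJAX calls succeed. A quick check of the whole flow with curl: an unauthenticated `GET /user` must return 401 with no `Location` header, `GET /` must return 200, and after logging in through the browser and reusing its session cookie `GET /user` must return 200.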