spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

The first time accessing `/oauth2/authorize`, the 'remember-me' feature does not work #1710

Open lemos1235 opened 2 weeks ago

lemos1235 commented 2 weeks ago

Describe the bug

Spring Security enables 'remember-me'. However, when accessing the service endpoint for the first time at https://xxx.com/oauth2/authorize?response_type=code&client_id=xxx&scope=openid&redirect_uri=xx, it directly jumps to the login page without executing the 'remember-me' process, thus not restoring my login information.

Expected behavior

Restore my login information and successfully redirect back to the OAuth2 client.

Some code

OAuth2 server config

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.http.MediaType;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
    import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
    import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
    import org.springframework.security.web.authentication.RememberMeServices;
    import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

    @Configuration
    public class AuthorizationServerConfig {

        // Chain 1: matches only the authorization server endpoints
        // (/oauth2/authorize, /oauth2/token, /userinfo, /connect/**, ...).
        // A request to /oauth2/authorize is handled by this chain, not by chain 2.
        @Bean
        @Order(1)
        public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
                throws Exception {
            OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
            http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                    .oidc(Customizer.withDefaults());    // Enable OpenID Connect 1.0
            http
                    // Redirect to the login page when not authenticated from the
                    // authorization endpoint
                    .exceptionHandling((exceptions) -> exceptions
                            .defaultAuthenticationEntryPointFor(
                                    new LoginUrlAuthenticationEntryPoint("/login"),
                                    new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                            )
                    )
                    // Accept access tokens for User Info and/or Client Registration
                    .oauth2ResourceServer((resourceServer) -> resourceServer
                            .jwt(Customizer.withDefaults()));
            // rememberMe(...) is only configured on the default chain below.

            return http.build();
        }

        // Chain 2: every request not matched by chain 1 (form login, logout, app pages).
        @Bean
        @Order(2)
        public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http,
                                                              RememberMeServices rememberMeServices)
                throws Exception {
            // CSRF protection is disabled for this whole chain, including the /login POST.
            http.csrf(AbstractHttpConfigurer::disable);
            http
                    .authorizeHttpRequests((authorize) -> authorize
                            // /userinfo and /connect/** are OIDC endpoints already matched by
                            // chain 1, so this permitAll never applies to them.
                            .requestMatchers("/login", "/logout",  "/userinfo", "/connect/**")
                            .permitAll()
                            .anyRequest().authenticated()
                    )
                    // Adds RememberMeAuthenticationFilter to this chain only.
                    .rememberMe((remember) -> remember
                            .rememberMeServices(rememberMeServices)
                    )
                    .logout((logout) ->
                            logout.deleteCookies("user")    // "user" is the remember-me cookie name used here
                                    .invalidateHttpSession(true)
                                    .logoutUrl("/logout")
                                    // CustomLogoutSuccessHandler is the reporter's own class (not shown)
                                    .logoutSuccessHandler(new CustomLogoutSuccessHandler())
                    )
                    // Form login handles the redirect to the login page from the
                    // authorization server filter chain
                    .formLogin((formLogin) ->
                            formLogin.loginPage("/login"));
            return http.build();
        }
    }

OAuth2 client config

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
    import org.springframework.security.web.SecurityFilterChain;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

    @Configuration
    public class OAuth2ClientConfig {

        @Bean
        @Order(1)
        public SecurityFilterChain oauth2SecurityFilterChain(HttpSecurity http,
                                                             OAuth2AuthorizationRequestResolver oAuth2AuthorizationRequestResolver)
                throws Exception {
            // If the front-end directly accesses /oauth2/authorization/secretarial, it will be
            // redirected to the oauth2 login system. After a successful login, it will be
            // redirected to the redirect_uri.
            // requestMatcher(...) is the Spring Security 5.x name; in 6.x this chain-level
            // matcher is securityMatcher(...).
            http.requestMatcher(new AntPathRequestMatcher("/oauth2/**"))
                    .authorizeHttpRequests(authorize ->
                            authorize.anyRequest().authenticated()
                    )
                    .exceptionHandling(Customizer.withDefaults())
                    .oauth2Login(oauth2Login -> oauth2Login
                            .authorizationEndpoint()
                            // Custom resolver builds the authorization request sent to the server
                            .authorizationRequestResolver(oAuth2AuthorizationRequestResolver));
            return http.build();
        }
    }
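Each SecurityFilterChain carries its own set of filters, so the rememberMe(...) call in defaultSecurityFilterChain adds RememberMeAuthenticationFilter only to the @Order(2) chain. A first request to /oauth2/authorize is routed to the @Order(1) authorization server chain, which has no remember-me filter, so nothing consults the cookie before the LoginUrlAuthenticationEntryPoint redirects to /login. The configuration below is an added example, not the reporter's code and not a change shipped by the Spring Authorization Server project: it registers one TokenBasedRememberMeServices bean and applies it to both chains. The key string, the cookie name "user" (taken from the deleteCookies("user") call in the reporter's config), the token validity, and the presence of a UserDetailsService bean are assumptions for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

// Added example (hypothetical class name): remember-me applied to BOTH filter chains.
@Configuration
public class RememberMeOnBothChainsConfig {

    // One RememberMeServices instance shared by both chains, so the cookie written by
    // the form login (chain 2) is the same cookie read at /oauth2/authorize (chain 1).
    // Sharing an AbstractRememberMeServices also makes RememberMeConfigurer reuse its
    // key for the RememberMeAuthenticationProvider it registers in each chain.
    @Bean
    public RememberMeServices rememberMeServices(UserDetailsService userDetailsService) {
        // Placeholder key (assumption): load a long random secret from configuration instead.
        TokenBasedRememberMeServices services =
                new TokenBasedRememberMeServices("replace-with-a-random-secret", userDetailsService);
        services.setCookieName("user");                  // assumed to match deleteCookies("user")
        services.setTokenValiditySeconds(14 * 24 * 60 * 60); // assumption: 14 days
        return services;
    }

    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(
            HttpSecurity http, RememberMeServices rememberMeServices) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .oidc(Customizer.withDefaults());
        http
                // Entry point is only reached when no filter authenticated the request.
                .exceptionHandling((exceptions) -> exceptions
                        .defaultAuthenticationEntryPointFor(
                                new LoginUrlAuthenticationEntryPoint("/login"),
                                new MediaTypeRequestMatcher(MediaType.TEXT_HTML)))
                // Puts RememberMeAuthenticationFilter into THIS chain, so a valid
                // remember-me cookie authenticates /oauth2/authorize before the
                // entry point is consulted and the authorization code flow proceeds.
                .rememberMe((remember) -> remember.rememberMeServices(rememberMeServices))
                .oauth2ResourceServer((resourceServer) -> resourceServer
                        .jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(
            HttpSecurity http, RememberMeServices rememberMeServices) throws Exception {
        http
                .authorizeHttpRequests((authorize) -> authorize
                        .requestMatchers("/login", "/logout").permitAll()
                        .anyRequest().authenticated())
                // The form login writes the remember-me cookie on success through the
                // same services bean that chain 1 reads.
                .rememberMe((remember) -> remember.rememberMeServices(rememberMeServices))
                .formLogin((formLogin) -> formLogin.loginPage("/login"));
        return http.build();
    }
}
```

Two checks a practitioner would make before relying on this: the login form must send the remember-me parameter (default name "remember-me") or the cookie is never written, which you can verify by looking for the Set-Cookie header on the successful /login POST; and because the cookie now silently satisfies the authorization endpoint, a stolen cookie yields authorization codes for any registered client until it expires, so keep the validity short, mark the cookie Secure/HttpOnly (the default for the secure flag follows the request scheme), and prefer PersistentTokenBasedRememberMeServices with server-side tokens where revocation matters.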
jgrandja commented 1 week ago

@lemos1235 The remember me feature is part of Spring Security so the issue should be logged there. I can still look into it for you but I'll need you to provide a minimal sample that reproduces the issue so I can look into it further.

lemos1235 commented 6 days ago

@jgrandja https://github.com/lemos1235/oauth2-sample.git