spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Cannot get Stateless Authorisation Server to work #15413

Closed dreamstar-enterprises closed 3 months ago

dreamstar-enterprises commented 3 months ago

Sorry, I'm not sure if this is a bug or a feature request, which is the reason I'm posting this here:

I have documented the issue here.

https://stackoverflow.com/questions/78747321/spring-security-cannot-get-stateless-authorization-server-to-work

But essentially if I set

session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)

The auth server does successfully authenticate the form login, but doesn't redirect with the access code, when the securityContext is set to:

@Configuration
internal class SecurityContextConfig() {

    @Bean
    // for storing user authentication objects (in an HTTP session - where HTTP request cache is also stored!)
    fun securityContextRepository(): SecurityContextRepository {
        return RequestAttributeSecurityContextRepository()
    }
}

Only this works:

HttpSessionSecurityContextRepository

Why is that? Are stateless Authorization servers not possible?

sjohnr commented 3 months ago

Thanks for getting in touch @dreamstar-enterprises, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

Having said that, I have already responded on stack overflow, so I'm going to close this issue.

dreamstar-enterprises commented 3 months ago

Thank you. However hard I tried, I just couldn't get the auth server url redirection to work without using HttpSessionSecurityContextRepository

It did not work on Null or RequestAttribute version - as on the re-direct, it just couldn't find the authenticated principal.

I don't know if it is best practice, but I ended up setting the session time to 5 seconds.

I do wish there was just ONE comprehensive guide that explained how to connect:

  1. Angular (User Agent)
  2. Spring Client Auth (BFF)
  3. Spring Auth Server (Stateless if possible, using Opaque Tokens)
  4. Spring Resource Server (REST, stateless, but with a caching strategy for the Authentication objects, so the introspection endpoint isn't queried on every request)

And how to host the Spring Servers, where and how to use Spring Gateway or Spring Session / Redis

I've spent 6 weeks on this, but really do feel I haven't got very far : (

Thanks for the help so far though. Do you do consultancy work? I have a small budget.

sjohnr commented 3 months ago

Thank you. However hard I tried, I just couldn't get the auth server url redirection to work without using HttpSessionSecurityContextRepository

It did not work on Null or RequestAttribute version - as on the re-direct, it just couldn't find the authenticated principal.

OAuth2 involves multiple steps, and therefore requires session state. It seems possible (or even likely) that the goals you have for the auth server you are building would require heavy customization and therefore take a longer time to work out. I would recommend sticking with HttpSessionSecurityContextRepository unless you have a strong and inflexible requirement to move away from sessions. I believe things will go much easier if you do so.

I've spent 6 weeks on this, but really do feel I haven't got very far : (

I'm sorry you've struggled to get things working. I know it's not fun to get stuck on difficult projects.

where and how to use Spring Gateway

Please see spring-projects/spring-authorization-server#564 and feel free to upvote that issue. We keep track of upvotes and will prioritize highly voted issues as time allows.

Having said that, I don't want to unintentionally turn this issue tracker into a Q&A forum, so I don't plan on replying any further on this thread. If you have further questions, please reach out on stack overflow.
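To make the point in the reply above concrete: the authorization code flow is one logical operation spread over several HTTP requests, so whatever the form login establishes has to survive past the response that sets it. The configuration below is an added illustration and is not code from this thread or from the Spring projects; it assumes Spring Authorization Server 1.x (where `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity` is still available), form login hosted on the same instance, and a single-node deployment (a servlet-container session rather than Spring Session). The request sequence in the comments is the standard flow, written out to show where a request-scoped repository loses the principal.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

/**
 * Illustrative authorization-server security config (added example, not the
 * poster's code). The authorization code flow crosses request boundaries:
 *
 *   1. GET  /oauth2/authorize?response_type=code&client_id=...   (anonymous)
 *        -> request is saved, browser redirected to /login
 *   2. POST /login  (credentials)
 *        -> Authentication created; SecurityContext must be persisted HERE
 *   3. GET  /oauth2/authorize?...  (replayed from the request cache)
 *        -> principal must be readable from the persisted context
 *        -> redirect to the client's redirect_uri with ?code=...
 *
 * A RequestAttributeSecurityContextRepository only lives for the duration of
 * request 2, so request 3 arrives anonymous and no code is ever issued.
 * HttpSessionSecurityContextRepository carries the context from 2 to 3.
 */
@Configuration
@EnableWebSecurity
public class AuthorizationServerSecurityConfig {

    // Chain 1: the protocol endpoints (/oauth2/authorize, /oauth2/token, ...).
    @Bean
    @Order(1)
    SecurityFilterChain authorizationServerFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .oidc(Customizer.withDefaults());
        // Unauthenticated browser hits on /oauth2/authorize go to the login page
        // (step 1 above); the original request is kept for replay after login.
        http.exceptionHandling(ex -> ex.defaultAuthenticationEntryPointFor(
                new LoginUrlAuthenticationEntryPoint("/login"),
                new MediaTypeRequestMatcher(MediaType.TEXT_HTML)));
        return http.build();
    }

    // Chain 2: the login page and everything else.
    @Bean
    @Order(2)
    SecurityFilterChain defaultFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
                .formLogin(Customizer.withDefaults())
                // IF_REQUIRED (the default) rather than STATELESS: a session is
                // created at step 2 and read at step 3. Rotate the session id on
                // login so a pre-login session id cannot be fixed by an attacker.
                .sessionManagement(session -> session
                        .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                        .sessionFixation().migrateSession()
                        .maximumSessions(1))
                // Explicitly the session-backed repository, for the reason above.
                .securityContext(ctx -> ctx.securityContextRepository(
                        new HttpSessionSecurityContextRepository()));
        return http.build();
    }
}
```

The session only has to outlive the login-to-redirect hop, so its lifetime can be short; in Spring Boot that is the `server.servlet.session.timeout` property (the thread's 5-second value is the poster's own choice, and it must cover the time a user needs to complete the login form and any consent page). Removing the session entirely would mean re-implementing the hand-off between steps 2 and 3 by some other means, which is the "heavy customization" the reply refers to.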

dreamstar-enterprises commented 3 months ago

Thanks Steve!

I have upvoted that guide.

Separately, since I posted this, I have made further progress, and have kept the Auth Server, and BFF stateful.

Here is some guidance I followed: https://github.com/eugenp/tutorials/tree/master/spring-security-modules/spring-security-oauth2-bff/backend/bff (but it uses an unofficial Spring OIDC starter package, which I'm relying on - that makes me a bit nervous)

Here is my progress so far:

It has a WIP auth server.

I do really like how Spring Security is architected and all the configuration options.

The only feedback I would give to the Spring Team is that....

for all the documentation, and videos, and guides - which are great - there is a lot of it, and because of that it's hard to keep everything connected, as things change

... I think the approach should be quite different.

There should be a downloadable example package, in which ALL the default beans are exposed explicitly (including all the Redis Beans), with a few notes e.g. on if this Bean is turned on, turn this Bean off, and here are the Config options - only **ONE comprehensive example** is needed, for each (e.g. Resource, BFF, Gateway, Auth, Reverse Proxy) - at least definitely for the Auth and Resource Servers, and BFF, that can be periodically updated as Bean definitions change

This would GREATLY help with the developer experience, and would cut configuration time from 5+ weeks to literally 2 days - as a developer I would see all the beans and configurations, and then adjust accordingly, referring to a single catalogue that explained what each Bean did, and the configuration options.

It would probably take a day or two (maybe three) from Spring (I'm guessing.....), from an expert who has lots of experience with the framework.

It's effectively how my code looks now (except I've had to hunt around several docs, and articles, guides, and videos over several weeks to do it - and have hit a lot of bugs along the way)

I'm also not fully sure if I've missed out on anything. And some guides are quite old (e.g. https://spring.io/guides/tutorials/spring-security-and-angular-js#_the_resource_server_angular_js_and_spring_security_part_iii) - so I've had to restart from scratch a few too many times.

...which is what has made the experience soooo challenging.

Anyway, I'm guessing that may not happen soon, so I'm persisting with trying to complete my Auth Server, and then to try and provide Redis Session support for anything stored in memory (sessions, registered client repositories, token repositories, etc). Then I have to move back to my BFF server and try and debug what looks like a Redis serialisation issue...

I appreciate the responses from the Spring Team.