sjohnr
commented
1 month ago Thanks for reaching out @dreamstar-enterprises! There is a lot going on in your post and it's difficult to know what the issue is without a minimal, reproducible sample. Also at least one of the links did not work when I tried it, and the repo you're linking to is not minimal, which makes it more difficult to diagnose your issue.
It also seems you're asking a question, and you may know that questions would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.
Having said that, most of the time when I see an error on the auth server side as you describe, I enable trace logging (logging.level.org.springframework.security=trace) which helps me see everything going on in the auth server. Usually, the error actually happens earlier in the flow than you expect (but is hidden because the /error page is not public), so tracing the entire flow and going through the logs is quite helpful.
I'm going to close this issue, but if you feel you have found a bug, please add a minimal, reproducible sample and we can go from there.
dreamstar-enterprises
Probably my last BFF bug, before I shift to Tailwind and Angular (hopefully). It's been an epic 3 month journey so far into Spring Security so far!
Here it is:
I have a login configuration between Angular, a Spring OAuth Client BFF (Spring Gateway), and Spring Auth Server. (There is also a Spring Reverse Proxy)
On Successful Login
The public client (Angular) sends the following link to a Spring OAuth Client (a BFF)
http://localhost:9090/oauth2/authorization/in-house-auth-server?post_login_success_uri=http%3A%2F%2Flocalhost%3A7080%2Fangular-ui%2Fhome&post_login_failure_uri=http%3A%2F%2Flocalhost%3A7080%2Fangular-ui%2Flogin-errorA post-login success and failure uri are also sent with it as query parameters. 9090 is the BFF Server.
When the OAuthClient gets this, it redirects to the Auth Server
http://localhost:7080/auth/oauth2/authorize?response_type=code&client_id=bff_client&scope=openid&state=jSWq1YCgNK_XCdODrfEJm7ai594-FLDXR4s6EHdiFV0%3D&redirect_uri=http://localhost:7080/bff/login/oauth2/code/in-house-auth-server&nonce=-uutf6nFrr4w8O9seNOIvZPNjNLXZYPhLaCky2w2NEU&code_challenge=09dvQwB0Q02xTiVkhlYpdgMWHJcCGUzQvH2fT7M7GPA&code_challenge_method=S256The Auth Server is actually at port 6060, but 7080/auth is the reverse proxy that redirects to it. 7080/bff is what redirects to the BFF server, at 9090.
When the Auth Server gets this, it redirects to the default login page
http://localhost:6060/loginAfter I enter correct credentials, I get redirected to the original re-direct link (but now I'm authenticated on the auth server via a session, and security context object)
http://localhost:6060/oauth2/authorize?response_type=code&client_id=bff_client&scope=openid&state=jSWq1YCgNK_XCdODrfEJm7ai594-FLDXR4s6EHdiFV0%3D&redirect_uri=http://localhost:7080/bff/login/oauth2/code/in-house-auth-server&nonce=-uutf6nFrr4w8O9seNOIvZPNjNLXZYPhLaCky2w2NEU&code_challenge=09dvQwB0Q02xTiVkhlYpdgMWHJcCGUzQvH2fT7M7GPA&code_challenge_method=S256&continueThe auth server then responds with the following. This is the step when it sends back the code to the BFF server.
http://localhost:7080/bff/login/oauth2/code/in-house-auth-server?code=kBEJChv26wsdlKPRy2hGgEYojPyGvygqYHXNJPOKqXE0_XCjW9yvpz-f1HbeJ603zJQwhKcEat0bY99-XKAgvGzbAcDNhX6zqVAbECCviXMBLlEJP11OtiAdDXZRsKTn&state=jSWq1YCgNK_XCdODrfEJm7ai594-FLDXR4s6EHdiFV0%3DI then get redirected back to Angular
http://localhost:7080/angular-ui/homeSo everything works!
(for Auth Server itself after a successul login, the OAuth Client calls, Securing POST /oauth2/token, and also later Securing GET /userinfo, then it does No HttpSession currently exists, and Access Denied, then Redirecting to http://localhost:6060/login)
Overall, in the OAuthClient (the BFF), this works because, the OAuthClient saves the Angular post-login success and failure uris to the session. See the OAuthRequestResolver here:
OAuthRequestResolver
The uri then gets called by the success handler here, from the session attribute:
OAuth2 Success Handler
On A Failed Login
On entering bad credentials though, the Auth Server gets this from its own login form
Securing POST /login
But, now it goes here
Securing POST /error
Then this happens
Access Denied, and then Redirecting to http://localhost:6060/login
This is fine I suppose, but, the OAuthClient Failure Handler, here doesn't even fire
OAuth2 Failure Handler
As a result it just stays upto where it was after the end of the request resolver. OAuthRequestResolver
The browser page as a result just stays are the Auth Server login page. If at this point I now enter correct credentials, the Auth Server authorizes, but then just goes to /error page (in the Auth Server) which doesn't exist, so I get redircted to the 'Whitelabel Error Page'. (There is no communication between the OAuthClient and AuthServer)
Relevant Files
The OAuthClient (BFF) configuration file is here: BFF Config file
The AuthServer configuration file can be found here:
File 1 Auth Server config 1
File 2 Auth Server config 2
Can someone help explain how I can get the redirect from Angular to the OAuthClient to the Auth Server to work?
Lastly, would there be a way of sending the credentials via an Angular Form, through the OAuthClient to the Auth Server, instead of using the login form of the Auth Server.
Thanks in advance for any help