vaadin / hilla

Build better business applications, faster. No more juggling REST endpoints or deciphering GraphQL queries. Hilla seamlessly connects Spring Boot and React to accelerate application development.
https://hilla.dev
Apache License 2.0

Fusion does not authenticate against endpoints when using Spring Boot OAuth2 #55

Open michael-newsrx opened 3 years ago

michael-newsrx commented 3 years ago

We are trying to use Vaadin Fusion in a new project - but have run into a serious issue with authentication. It appears that some step is missing in the docs - or something else is going very wrong which causes the endpoints to reject all Fusion initiated XHR requests.

What is needed is a minimal example which authenticates against GitHub OAuth or Google OAuth that has a single login page that upon successful login redirects to a plain display-OAuth-username page with a logout button. 3rd-party connective services such as Okta should not be used in the example. To keep things simple - no additional demonstration features should be added. That only causes confusion.

Tried using information in various tutorials here and there but don't even know what needs to be set in the xhr requests and where to pull it from to set it in the client browser upon successful login.

The X-CSRF-Token header being sent matches what is in the global window.Vaadin object. There is a session cookie set and sent to the endpoint. VaadinSession.getCurrent() returns null when called from an anon endpoint.

Flow based views have access to the authenticated user's details.

Example project with this issue: https://github.com/NewSRXTech/fusion-02x

michael-newsrx commented 3 years ago

My environment:

Ubuntu 21.04, JDK 11, Eclipse, Vaadin 20.0.4, Gradle 7.0.1

michael-newsrx commented 3 years ago

No help for this? Is Fusion incompatible with Spring Boot OAuth2?

haijian-vaadin commented 3 years ago

Hi, sorry for the late reply, mostly because the team was on vacation. We are working on token-based authentication. @platosha had a prototype on how to integrate with Okta, maybe you can take a look to see if it's helpful?

michael-newsrx commented 3 years ago

Unfortunately the Okta examples I've looked at don't help when dealing with non-Okta OAuth authentication. They depend on Okta custom client-side JS along with a server-side Okta dependency.

We finally tracked it down to a setting in the security configuration class.

We ended up having to cobble pieces together from multiple sources and ended up with bad code where a CSRF auth check ended up being turned completely off for the endpoint path.

The main issue is there are no *simple* examples showing minimal project setup to demonstrate various functionalities. By minimal project I mean no extra dependencies and not trying to demonstrate non-relevant ops such as scrolling table views, dashboard widgets, JDBC related type stuff, etc.

My coworker has decided to use a Spring Boot and Angular setup instead of Vaadin. This is at least in part due to the poor documentation and excessively complicated examples.

Thanks for your time.

On 8/11/21 7:50 AM, Haijian Wang wrote:

    Hi, sorry for the late reply, mostly because the team was on vacation. We are working on token-based authentication. @platosha had a prototype on how to integrate with Okta, maybe you can take a look to see if it's helpful?
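The configuration mistake described in the comment above (CSRF checking switched off for the whole endpoint path) beside the shape a Spring Security configuration for Fusion plus Spring Boot OAuth2 login normally takes. This is an added illustration, not code from the issue, the linked fusion-02x project or the Hilla project. It assumes a Vaadin 20 application with `spring-boot-starter-oauth2-client` on the classpath, Fusion endpoints served under the default `/connect/**` prefix, and the `VaadinWebSecurityConfigurerAdapter` helper from `com.vaadin.flow.spring.security`; the class and package names are made up for the example.

```java
// Added example (not from the issue or the Hilla project). Assumes Vaadin 20,
// spring-boot-starter-oauth2-client, Fusion endpoints under /connect/** and
// com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter on the classpath.
package com.example.security; // hypothetical package

import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

/**
 * WEAK: the "bad code" shape from the comment above. Excluding the endpoint path
 * from CSRF checking means any third-party page that can make the browser send
 * the session cookie can also call every Fusion endpoint as the logged-in user.
 * Left without @Configuration on purpose so it is never picked up; shown for contrast.
 */
class WeakSecurityConfig extends VaadinWebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Turns off the CSRF check for every endpoint request: do not do this.
        http.csrf().ignoringAntMatchers("/connect/**");
        http.authorizeRequests().anyRequest().authenticated();
        http.oauth2Login();
    }
}

/**
 * CORRECTED: let the Vaadin adapter configure the framework's own CSRF handling
 * (the X-CSRF-Token header the client sends is still validated), then add
 * Spring Security's OAuth2 login on top. Endpoint and route access then follow
 * the adapter's defaults: anonymous endpoints stay public, everything else
 * requires an authenticated user.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends VaadinWebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Applies the Vaadin defaults: CSRF handling for framework requests,
        // request-cache setup and "anyRequest().authenticated()".
        super.configure(http);
        // OAuth2 login for the providers registered in application.properties
        // (spring.security.oauth2.client.registration.<id>.*). The login page and
        // redirect URI are the Spring Security defaults; no Okta-specific code.
        http.oauth2Login();
    }
}
```

With this layout the OAuth2 provider is chosen purely by configuration, for example `spring.security.oauth2.client.registration.github.client-id` and `...client-secret` for GitHub, so no provider-specific client JavaScript is needed. The check a practitioner should make against the weak variant is that an unauthenticated or token-less `POST /connect/...` request is rejected, which is exactly the behaviour the `ignoringAntMatchers` line above removes.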

gilberto-torrezan commented 3 years ago

Thanks @michael-newsrx for the input. It's sad to see you go, but I understand the pain. We have several projects going on to make the documentation and examples easier to digest, but they are not there yet.

If there's still time, please join us on Discord, and we can talk more directly about the issues you are facing.

If not - thanks for trying out Fusion - we will be here if you decide to give another try in the future.