I have implemented an Authorization Server with defaults and configured another service as a Resource Server. These are working fine: when I get an access token by calling /authorize first, which renders the default login page, after logging in I get the access token, and using that I can query the Resource Server.
Problem: Access to our applications is done by third-party authentication, so when a request comes to my application the user is already authenticated. I want to skip the authentication asked for by the Authorization Server.
Like we do in a usual Spring Boot Security app using AbstractPreAuthenticatedProcessingFilter -> RequestAttributeAuthenticationFilter, where I can set the expected header and authorize.
I tried RequestAttributeAuthenticationFilter in the 2nd SecurityFilterChain, but /authorize calls are always denied. It seems all OAuth endpoints are protected with their own filter -> manager -> provider flow, including the session.
Here are both SecurityFilterChain beans, taken from the documentation:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;

@Configuration
public class SecurityConfig {

    // 1st chain: only matches the authorization server endpoints (/oauth2/**, OIDC, etc.)
    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
            throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .oidc(Customizer.withDefaults()); // Enable OpenID Connect 1.0
        http
                // Redirect to the login page when not authenticated from the
                // authorization endpoint
                .exceptionHandling((exceptions) -> exceptions
                        .defaultAuthenticationEntryPointFor(
                                new LoginUrlAuthenticationEntryPoint("/login"),
                                new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                        )
                )
                // Accept access tokens for User Info and/or Client Registration
                .oauth2ResourceServer((resourceServer) -> resourceServer
                        .jwt(Customizer.withDefaults()));
        return http.build();
    }

    // 2nd chain: everything else, including the /login page the 1st chain redirects to
    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
            throws Exception {
        http
                .authorizeHttpRequests((authorize) -> authorize
                        .anyRequest().authenticated()
                )
                // Form login handles the redirect to the login page from the
                // authorization server filter chain
                .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```
Please suggest a configuration for skipping the login page, as we don't want to maintain user credentials in the Authorization Server either.
Is there anything we can do with RequestAttributeAuthenticationFilter for the OAuth2 filter chain?
I do get some headers from the pre-authenticating application on the request, so I am looking at pre-authenticated use cases for the Authorization Server.
Spring Authorization Server will generally work with all of the authentication mechanisms supported by Spring Security, so pre-authentication would work as well. The difference comes from the fact that traditional (form-based) authentication results in an authenticated session, and a redirect back to the /oauth2/authorize endpoint which can now be authenticated by the session. That's why splitting authentication into a 2nd filter chain works nicely for the configuration suggested by the docs.

However, for pre-authentication you will need to ensure that the configured pre-authentication filter is set to authenticate each request prior to (using http.addFilterBefore()) the OAuth2AuthorizationEndpointFilter. This customization would be done on the 1st filter chain, not the 2nd.
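As an added example (not code from the question, the answer, or the Spring projects), here is the 1st filter chain with the answer's suggestion applied: a header-based pre-authentication filter (RequestHeaderAuthenticationFilter, the sibling of RequestAttributeAuthenticationFilter that reads a request header, since the question says the principal arrives in headers) placed before OAuth2AuthorizationEndpointFilter, with a PreAuthenticatedAuthenticationProvider that maps the principal to authorities without storing any credentials. It assumes Spring Security 6.2+ and Spring Authorization Server 1.x, a hypothetical header name X-Authenticated-User, and registers the filter from a small AbstractHttpConfigurer because HttpSecurity.addFilterBefore rejects a target filter class whose position is not yet known, and the authorization server configurer only registers OAuth2AuthorizationEndpointFilter during its own configure step.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.oauth2.server.authorization.web.OAuth2AuthorizationEndpointFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Configuration
public class PreAuthAuthorizationServerConfig {
    // Hypothetical header name. Only the trusted fronting component may set it, and it must
    // strip any copy sent by the client; otherwise the header becomes a spoofable login.
    private static final String PRINCIPAL_HEADER = "X-Authenticated-User";

    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(Customizer.withDefaults());
        // Pre-authentication: trust the header principal, map it to authorities, keep no passwords
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<>(
                username -> User.withUsername(username).password("").authorities("ROLE_USER").build()));
        RequestHeaderAuthenticationFilter preAuth = new RequestHeaderAuthenticationFilter();
        preAuth.setPrincipalRequestHeader(PRINCIPAL_HEADER);
        preAuth.setExceptionIfHeaderMissing(false); // no header: fall through to the normal 401 path
        preAuth.setAuthenticationManager(new ProviderManager(provider));
        // Registered via a configurer so the addFilterBefore call runs after the authorization
        // server configurer has placed OAuth2AuthorizationEndpointFilter in this (1st) chain.
        http.with(new PreAuthBeforeAuthorizeEndpoint(preAuth), Customizer.withDefaults());
        http.oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    static final class PreAuthBeforeAuthorizeEndpoint extends AbstractHttpConfigurer<PreAuthBeforeAuthorizeEndpoint, HttpSecurity> {
        private final RequestHeaderAuthenticationFilter filter;
        PreAuthBeforeAuthorizeEndpoint(RequestHeaderAuthenticationFilter filter) { this.filter = filter; }

        @Override
        public void configure(HttpSecurity http) {
            // Every request to the authorization server endpoints is pre-authenticated first
            http.addFilterBefore(filter, OAuth2AuthorizationEndpointFilter.class);
        }
    }
}
```

With this in place the 2nd chain no longer needs formLogin for the /oauth2/authorize flow, since the request reaches OAuth2AuthorizationEndpointFilter already authenticated.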