Summary

Browser-Based App is a JavaScript app with a Spring Boot backend.
https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07 - section 6.2
https://www.oauth.com/oauth2-servers/single-page-apps/

The best explanation of the problem is here: https://github.com/spring-projects/spring-security/issues/6638#issuecomment-488005999

It seems there was an attempt to fix it here: https://github.com/spring-projects/spring-security/issues/6812 and here: https://github.com/spring-projects/spring-security/issues/8118 (WebFlux)

Two more requests for this enhancement and attempts to resolve it: https://github.com/spring-projects/spring-security/issues/9266 and https://github.com/spring-projects/spring-security/issues/8950

Three more very closely related issues: https://github.com/spring-projects/spring-security/issues/7586, https://github.com/spring-projects/spring-security/issues/6802 and https://github.com/spring-projects/spring-security/issues/4968 - httpBasic() cannot be combined with oauth2Login(), but it can be combined with formLogin()

Expected Behavior

HTML - 302
REST - 401

Current Behavior

HTML - 302
REST - 302

Context

I will write a test to make sure that formLogin() works with oauth2Login() in WebFlux.

JavaScript should get 401 if it sends an unauthenticated request. If there is more than one client registration, or formLogin() is configured, the response should contain a Location header with /login. If there is only one registration, the response should contain a Location header with /oauth2/authorization/{registrationId}.

Then JavaScript will redirect the browser to the location from the response header. After successful login, oauth2Login() should redirect the browser to /. The JavaScript will be loaded in the browser again, and the browser will have an active HttpOnly session with Spring Boot to access the API.

@jgrandja @rwinch @jzheaux what do you think?
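The following is an added example, not code from this issue or from the Spring Security project, showing one way to get the "Expected Behavior" above with the Spring Security 5.x lambda DSL: browser navigations keep the 302 that oauth2Login() already produces, while requests from the JavaScript client (XHR marker header or an Accept header that prefers JSON) get a bare 401. It assumes Spring Boot with spring-boot-starter-oauth2-client on the classpath and client registrations configured in application properties; the class name, the public paths and the "REST" classification rule are assumptions for illustration.

```java
import java.util.Collections;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example (not from the issue or from Spring Security itself).
@Configuration
@EnableWebSecurity
public class SpaSecurityConfig {

    // Classifies a request as "REST", i.e. sent by the JavaScript client rather than a
    // page navigation: either the classic XHR marker header is present, or the Accept
    // header prefers JSON. The bare wildcard media type is ignored so that a browser
    // navigation (Accept: text/html,...,wildcard;q=0.8) is not mistaken for an API call.
    // Which headers count as "REST" is an assumption of this example.
    static RequestMatcher restRequestMatcher() {
        MediaTypeRequestMatcher prefersJson = new MediaTypeRequestMatcher(MediaType.APPLICATION_JSON);
        prefersJson.setIgnoredMediaTypes(Collections.singleton(MediaType.ALL));
        return new OrRequestMatcher(
                new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"),
                prefersJson);
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                // the SPA shell and its assets are public (paths are assumptions);
                // everything else, including the API, needs an authenticated session
                .antMatchers("/", "/index.html", "/static/**").permitAll()
                .anyRequest().authenticated())
            // oauth2Login() is left with its defaults: it registers its own redirecting
            // entry point for text/html requests, so page navigations still get 302
            .oauth2Login(Customizer.withDefaults())
            .exceptionHandling(ex -> ex
                // for requests matching restRequestMatcher() the redirect is replaced
                // by a plain 401 with no Location header, so fetch()/XHR can react
                .defaultAuthenticationEntryPointFor(
                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                        restRequestMatcher()));
        return http.build();
    }
}
```

To check the two paths after starting the app: `curl -i -H "Accept: application/json" http://localhost:8080/api/me` should answer 401, and `curl -i -H "Accept: text/html" http://localhost:8080/api/me` should answer 302 with a Location header pointing at the login page (the /api/me path is assumed). On the client side, when fetch() sees the 401 it should navigate the whole window (for example `window.location.assign("/login")`, or directly to /oauth2/authorization/{registrationId} when the client knows the registration id) rather than follow the redirect inside an XHR, since the hop to the provider's login page would otherwise be a cross-origin request.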

Comment From: jgrandja

@iilkevych The current behaviour for oauth2Login() (Servlet and WebFlux) will return 302 with Location /login (or custom login page) for unauthenticated XHR requests. This behaviour is expected and is specified in these tests:

OAuth2LoginConfigurerTests (Servlet):

https://github.com/spring-projects/spring-security/blob/7ef3f619242816683a72b35a1f8b4fb4f32d5203/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java#L388

OAuth2LoginTests (WebFlux):

https://github.com/spring-projects/spring-security/blob/7ef3f619242816683a72b35a1f8b4fb4f32d5203/config/src/test/java/org/springframework/security/config/web/server/OAuth2LoginTests.java#L181

As per your suggestion:

If there is more than one client registration or formLogin() - response should contain location header with /login

If there is only one registration - response should contain location header with /oauth2/authorization/{registrationId}

I don't feel it makes sense to return a different Location header depending on whether there is one client registered compared to more than one registered.

Then JavaScript will redirect browser to location from response header.

The redirect to /login is the current behaviour and the JavaScript client cannot perform the redirect to /oauth2/authorization/{registrationId} since this will trigger another redirect to the provider login page and ultimately fail on the CORS request.

I hope this makes sense? I'm going to close this issue as the current behaviour works as designed.