When dealing with Spring Security I was never able to find a way to use an SPA (say Angular) to initiate an OAuth2 login flow through Spring Security. Most people don't use the login page that is provided by Spring Security, but there seems to be no documentation on how you would implement this kind of stuff without using that login page. For this reason, what happens when I want to have an OAuth2 login is that I implement it myself. I have some endpoint to which I redirect from an SPA; then it redirects me to the OAuth2 consent screen, redirects me back to my provided callback, and from there I redirect back to an SPA with the token saved in a cookie. I don't know if it's possible to do this with Spring Security without implementing it on my own, but I can for sure say I tried to find a way and I could not, and that's not good. I think it's a common scenario and it should be easy to find an example of how to do it if it's possible.
Comment From: Claudius10
Auth0 has simple full-stack guides which provide downloadable projects all set up and ready to use. You can check it on their website at this link.
-> Select the use-case -> Select Basic Access Control OR Basic Role-Based Access Control -> Single-Page app -> Select your front-end -> Select your back-end -> And finally follow the guide on how to set up and download the projects.
Once you have them running locally you can examine the code and see how it's implemented.
Comment From: NerminKarapandzic
Thanks for sharing that, @Claudius10; this is a great resource, but it's not quite what I was looking for, or maybe I have a wrong idea of how things should work...
They show me a scenario where my backend is a resource server and Auth0 is the authorization server. I just can't make a picture to myself of how this would relate to what I need, which is what I described in my question: the SPA makes a request to Spring; Spring redirects to e.g. Google; Google redirects back to Spring; Spring saves a user to the DB if it doesn't exist already and generates its own token, which it returns to the SPA.
Regardless, my point is that even if Auth0 had this exact case covered, how many people will think: "I'm working with Spring Security, let me see what kind of documentation Auth0 has about it"? People should be able to find the most relevant examples in the Spring Security docs and not on Auth0.
Comment From: marcusdacoregio
Hi @NerminKarapandzic, I don't think I follow what you are requesting.
There are a few ways to implement OAuth2 with a SPA. Based on what you described, your SPA should be an OAuth2 Public Client, which would use the authorization_code grant to retrieve an access token and then pass the token to the resource servers (see https://github.com/manfredsteyer/angular-oauth2-oidc). If that is the scenario, the Spring Security-protected service would be just an OAuth2 Resource Server.
However, if you want Spring Security to take care of the OAuth2 flow for you, then the HTML pages should be served from the backend itself, where it has total control over redirects, etc.; a BFF would be a good choice here.
That said, I'm closing this as answered. If you feel that you need more explanation, I think that StackOverflow is a better place to ask such questions; we prefer to use GitHub issues only for bugs and enhancements.