Infinite loop when using spring boot oauth2 client with spring-session xAuthToken session ID resolver

279 views Asked by At

I tried to add spring-session with xAuthToken ID resolver to spring-authorization demo client, but after authenticating the user on the OAuth2 server, the browser stuck in an infinite redirection loop. I want to user x-auth-token instead of JSESSIONID, because I want to consume demo-clinet endpoint via @RestController instead of MVC @Controller. Do you know how to use x-auth-token instead of JSESSIONID in that project?

I've started redis and use spring-session without enabling xAuthToken and all thing works fine, but when I enable xAuthToken by following snippet the browser stuck in infinite redirection loop.

    @Bean
    fun sessionResolver(): HttpSessionIdResolver = HeaderHttpSessionIdResolver.xAuthToken();
1

There are 1 answers

0
Steve Riesenberg On

OAuth2 (with the authorization_code grant) is a redirect-based (or more generally a browser-based) flow. This means that the browser is used for session management, which also implies cookies. The HeaderHttpSessionIdResolver in spring-session works when you have an API client but not when you have a browser client, since the browser doesn't automatically handle the X-Auth-Token header in the response, while it does automatically handle Set-Cookie headers. So I don't believe there's an easy way to use this session resolution strategy with OAuth2.

Specifically, the issue happens in the first redirect after accessing an unauthenticated page. When writing to the session, the session id won't be remembered by the browser, and every subsequent request is like starting over again, hence the redirect loop.

However, I recently built up a sample that plugs implementations into Spring Security for the AuthorizationRequestRepository, SecurityContextRepository, and a few others to make a flow like this work. Though it was actually for a reactive client application, so they are reactive implementations instead.