I tried to add spring-session with the xAuthToken ID resolver to the spring-authorization-server demo client, but after authenticating the user on the OAuth2 server, the browser got stuck in an infinite redirection loop. I want to use x-auth-token instead of JSESSIONID, because I want to consume the demo-client endpoint via @RestController instead of an MVC @Controller. Do you know how to use x-auth-token instead of JSESSIONID in that project?
I've started Redis and used spring-session without enabling xAuthToken, and everything works fine, but when I enable xAuthToken with the following snippet the browser gets stuck in an infinite redirection loop.
```kotlin
// Resolve the session id from the X-Auth-Token header instead of the JSESSIONID cookie
@Bean
fun sessionResolver(): HttpSessionIdResolver = HeaderHttpSessionIdResolver.xAuthToken()
```
OAuth2 (with the authorization_code grant) is a redirect-based (or more generally a browser-based) flow. This means that the browser is used for session management, which also implies cookies. The HeaderHttpSessionIdResolver in spring-session works when you have an API client but not when you have a browser client, since the browser doesn't automatically handle the X-Auth-Token header in the response, while it does automatically handle Set-Cookie headers. So I don't believe there's an easy way to use this session resolution strategy with OAuth2.

Specifically, the issue happens in the first redirect after accessing an unauthenticated page. When writing to the session, the session id won't be remembered by the browser, and every subsequent request is like starting over again, hence the redirect loop.
However, I recently built a sample that plugs implementations into Spring Security for the AuthorizationRequestRepository, SecurityContextRepository, and a few others to make a flow like this work. Though it was actually for a reactive client application, so they are reactive implementations instead.