Infinite loop when using spring boot oauth2 client with spring-session xAuthToken session ID resolver


I tried to add spring-session with the xAuthToken ID resolver to the spring-authorization demo client, but after authenticating the user on the OAuth2 server, the browser got stuck in an infinite redirection loop. I want to use x-auth-token instead of JSESSIONID, because I want to consume the demo-client endpoint via @RestController instead of an MVC @Controller. Do you know how to use x-auth-token instead of JSESSIONID in that project?

I've started Redis and use spring-session without enabling xAuthToken, and everything works fine, but when I enable xAuthToken with the following snippet the browser gets stuck in an infinite redirection loop.

    // Resolve the session id from the X-Auth-Token request header (and return it
    // in the X-Auth-Token response header) instead of the session cookie.
    @Bean
    fun sessionResolver(): HttpSessionIdResolver = HeaderHttpSessionIdResolver.xAuthToken()

There is 1 answer

Steve Riesenberg On

OAuth2 (with the authorization_code grant) is a redirect-based (or more generally a browser-based) flow. This means that the browser is used for session management, which also implies cookies. The HeaderHttpSessionIdResolver in spring-session works when you have an API client but not when you have a browser client, since the browser doesn't automatically handle the X-Auth-Token header in the response, while it does automatically handle Set-Cookie headers. So I don't believe there's an easy way to use this session resolution strategy with OAuth2.

Specifically, the issue happens in the first redirect after accessing an unauthenticated page. When writing to the session, the session id won't be remembered by the browser, and every subsequent request is like starting over again, hence the redirect loop.

However, I recently built up a sample that plugs implementations into Spring Security for the AuthorizationRequestRepository, SecurityContextRepository, and a few others to make a flow like this work. Though it was actually for a reactive client application, so they are reactive implementations instead.