Spring Authorization Server with Remember me

92 views Asked by At

I am in the process of implementing Spring Authorization Server (v1.1.3) to provide SSO for multiple web applications, with additional REST endpoints for user management and overall administration of the identity provider. All clients are React SPAs with Spring Cloud Gateway BFF architecture.

I followed the sample project from the Authorization Server Github repository and everything works as expected but when I try to enable the Remember Me functionality the autoLogin method never gets called and I arrive on the form login page every time. The remember me token is properly persisted after first login and the corresponding cookie is also present on subsequent login requests.

My security configuration looks like this:

@Configuration
@EnableMethodSecurity
public class SecurityConfig {

    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .oidc(Customizer.withDefaults());
        http
                .exceptionHandling(exception -> exception
                        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")))
                .cors(Customizer.withDefaults())
                .csrf(CsrfConfigurer::disable);
        return http.build();
    }

    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http,
                                                          RememberMeServices rememberMeServices) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .anyRequest().authenticated())
                .oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()))
                .formLogin(Customizer.withDefaults())
                .rememberMe(remember -> remember.rememberMeServices(rememberMeServices))
                .cors(Customizer.withDefaults())
                .csrf(CsrfConfigurer::disable);
        return http.build();
    }

    @Bean
    public RememberMeServices rememberMeServices(UserDetailsService userDetailsService,
                                                 PersistentTokenRepository persistentTokenRepository) {
        return new PersistentTokenBasedRememberMeServices("superSecretKey", userDetailsService, persistentTokenRepository);
    }

    ...
}

The RememberMeAuthenticationFilter is present in the SecurityFilterChain but it's way down the line after the DefaultLoginPageGeneratingFilter by design from the looks of the FilterOrderRegistration, even though the Remember Me docs suggests it should come right after the UsernamePasswordAuthenticationFilter.

What would be the correct way to tackle this problem?

0

There are 0 answers