I'm currently working on an OAuth2 authorization server using Spring. I would like to implement an admin dashboard for managing users. Naturally the endpoints for user management are on the auth server. To authorize a user to use the admin dashboard, they will need to log in of course, so I'm redirecting them to the /authorize endpoint when they try to access the admin dashboard. However, after logging in, the Spring auth server module places a session cookie in the end user's browser and saves the security context to the session. Doesn't this break the OAuth2 flow?
Now there is no need to request a bearer token because all the end user needs is that session ID to get access to the admin endpoints on the auth server. This seems like a security risk to me.
Should I disable saving the security context?
Access tokens are used only for requests sent from an OAuth2 client to an OAuth2 resource server.
Login being a client concern, applications with oauth2Login are OAuth2 clients. The requests sent from a browser to (not from) an OAuth2 client with oauth2Login are always secured with sessions.

Requests to the dashboard application (itself if it is an MVC app, or a BFF if it is a SPA or mobile app) will be secured with sessions (and CSRF protection). Only requests from the dashboard application to the users-management REST API can be secured with Bearer access tokens.
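The split the answer describes (session + CSRF for the browser-facing dashboard, stateless Bearer tokens for the users-management REST API) maps onto two Spring Security filter chains. The configuration below is an added illustration, not code from the question or the answer; it assumes Spring Security 6 (lambda DSL), JWT access tokens, a REST API mounted under the made-up path /api/** protected by the made-up authority SCOPE_users.write, and, purely to keep the example in one file, that both roles are hosted by the same Spring Boot application. The point it demonstrates is that the API chain never consults the session, so the session cookie the questioner worries about cannot be used to reach the management endpoints.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class DashboardSecurityConfig {

    // Chain 1 (evaluated first): the users-management REST API, acting as an
    // OAuth2 resource server. STATELESS means no HttpSession is created or read,
    // so a browser session cookie alone can never authenticate a request here;
    // only a valid Bearer JWT with the required scope will. CSRF protection is
    // unnecessary because nothing in this chain relies on cookies.
    // "/api/**" and "SCOPE_users.write" are assumed values for this example.
    @Bean
    @Order(1)
    SecurityFilterChain usersApiChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher("/api/**")
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/users/**").hasAuthority("SCOPE_users.write")
                .anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Chain 2 (everything else): the browser-facing dashboard, acting as an
    // OAuth2 client. Users log in through oauth2Login; the resulting security
    // context lives in the session, as the answer says it should, and CSRF
    // protection stays on because that session is identified by a cookie.
    @Bean
    @Order(2)
    SecurityFilterChain dashboardChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login/**", "/oauth2/**", "/error").permitAll()
                .anyRequest().authenticated())
            .oauth2Login(Customizer.withDefaults())
            .csrf(Customizer.withDefaults());
        return http.build();
    }
}
```

When the dashboard (or its BFF) calls /api/users/... on behalf of the logged-in user, it attaches the access token obtained during oauth2Login as an Authorization: Bearer header; that is the only credential the first chain accepts. Keeping the two chains with distinct matchers, rather than one chain that accepts either a session or a token, is what prevents the session ID from doubling as an API credential.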