@dsyer I have things pretty close I think with the login. I modified your example some. I am not using cookies for auth in favor of a header-based approach (to support multiple tabs with Spring Session).
I seem to be getting by ok on the CSRF bit, but I also wanted the UI application to provide the login page rather than redirecting and having the auth server provide it.
That is working as well. However, when I post to the API gateway the user's credentials at /uaa/login,
it seems to be triggering security rather than passing through to the auth server.
I think that is the real problem there, but subsequently I get a null pointer in the OAuth2ClientContext filter because the redirect URL is null.
Anyways once I get this one figured out hopefully it will work, and I can have you take a look at the auth bit.