These are chat archives for spring-cloud/spring-cloud

9th
Jan 2015
William Gorder
@wgorder
Jan 09 2015 04:13
looks like this one got me spring-cloud/spring-cloud-security#26
Dave Syer
@dsyer
Jan 09 2015 08:53
Here's a sample with an authserver and a login page / form: https://github.com/dsyer/spring-security-angular/tree/master/oauth2
William Gorder
@wgorder
Jan 09 2015 12:16
Yes that was a very handy example and I had used that to model what I have now. (I actually have a pull request open on that to fix the build :) ) However the login form is served by the auth server. I wanted to avoid having to leave my app and be redirected to the auth server. I was thinking the ui application could provide the login page and simply post to /login on the auth server (no gets to /login on auth server). I currently go only through the api gateway layer however when I post to /uaa/login on the api gateway when it passes through I get a CORS issue.
If I don't leave my application I can route internally based on 401's and once logged in return to the previous state(page)
Dave Syer
@dsyer
Jan 09 2015 12:19
Sounds like more trouble than it's worth
William Gorder
@wgorder
Jan 09 2015 12:19
you might be right
Dave Syer
@dsyer
Jan 09 2015 12:19
And it breaks the golden rule of OAuth2: the client never collects user credentials
William Gorder
@wgorder
Jan 09 2015 12:19
good point :)
Dave Syer
@dsyer
Jan 09 2015 12:19
Would you type your facebook password into myrandomapp.foo.com?
William Gorder
@wgorder
Jan 09 2015 12:20
nope absolutely not but this is an application where the entire system is really one app and trusted no 3rd parties
But I definitely respect your authority on this matter. I will go the route of letting the auth server do it.
is there a way to give the auth server a dynamic redirect url with # in it?
so the user can return to the correct page?
Dave Syer
@dsyer
Jan 09 2015 12:21
I think you can register a URL with a # and then set useCurrentUri=false in the client
Does the # not work with useCurrentUri=true (the default)?
William Gorder
@wgorder
Jan 09 2015 12:22
haven't tried but the problem is oauth wants redirects to be registered
Dave Syer
@dsyer
Jan 09 2015 12:23
Yes. So it should.
William Gorder
@wgorder
Jan 09 2015 12:23
the user might be coming from #/products or #/products/1/3
or any number of places
Dave Syer
@dsyer
Jan 09 2015 12:23
Actually you can send the redirect uri in the authorization request
This is a nice new feature for spring-security-angular
William Gorder
@wgorder
Jan 09 2015 12:24
Ok. Yes currently it just posts username and password to /login
Dave Syer
@dsyer
Jan 09 2015 12:24
No, that's the authentication.
William Gorder
@wgorder
Jan 09 2015 12:24
and the redirect for authorization endpoint happens transparently
ohh
sorry had my terms messed up
I get it
Dave Syer
@dsyer
Jan 09 2015 12:25
OK. I think it's an interesting idea, since the normal Spring Security remembered request might not work.
Can you raise an issue in github at https://github.com/dsyer/spring-security-angular so I don't forget?
William Gorder
@wgorder
Jan 09 2015 12:26
sure. I have a pull request so that project will build too
I will actually modify it
spring-cloud/spring-cloud-security#26 broke it
as well
since I opened it
thanks for the pointers
Dave Syer
@dsyer
Jan 09 2015 13:22
Broke what?
William Gorder
@wgorder
Jan 09 2015 13:32
You had already fixed it last night it looks like
the end point properties had to be renamed since you decided to reuse the existing
tokenUri->accessTokenUri and
authorizationUri->userAuthorizationUri.
Dave Syer
@dsyer
Jan 09 2015 13:54
Yes. Seemed like the best thing to do really. Less confusing in the long run.