These are chat archives for spring-cloud/spring-cloud

6th May 2015
wojtkiewicz
@wojtkiewicz
May 06 2015 07:56
Yes. That's the one.
Leon Radley
@leon
May 06 2015 11:02

I've got a situation where I have an auth server, a webshop and a portal. The portal is a spring cloud sso app, but my problem is with the webshop. The webshop should show the user as logged in if they are logged in at the authentication server, but not force the user to log in until he purchases something.

I've thought I solved it by sharing the session between the auth server and the webshop via spring-session, but that fails when I want to do token forwarding to a separate resource server.

How can I make the shop try to log in to the auth server, but if the user isn't logged in, wait until he reaches a certain URI and then force him?

Dave Syer
@dsyer
May 06 2015 11:04
Sounds like just a normal "is this user authenticated" use case?
Am I missing something?
I get it
Leon Radley
@leon
May 06 2015 11:05
So I enable the sso for the whole webshop, and then via OAuth2SsoConfigurerAdapter specify that I want to require a Role for a certain path?
Dave Syer
@dsyer
May 06 2015 11:06
The interesting scenario for you is this: The user is not authenticated with the webshop app, but he is authenticated at the auth server, and has pre-approved the webshop for token grant.
Leon Radley
@leon
May 06 2015 11:06
yes
Dave Syer
@dsyer
May 06 2015 11:06
So effectively he is already authenticated, but you don't know it till you try it.
Leon Radley
@leon
May 06 2015 11:06
exactly
there is an auth bar at the top of the webshop which shows which user is logged on
Dave Syer
@dsyer
May 06 2015 11:06
I guess you need to attempt to obtain an access token and see if it fails.
Leon Radley
@leon
May 06 2015 11:07
how?
Dave Syer
@dsyer
May 06 2015 11:07
If it succeeds you can quietly authenticate him
You can get an access token from an OAuth2RestTemplate
Leon Radley
@leon
May 06 2015 11:07
via a pre-auth filter?
Dave Syer
@dsyer
May 06 2015 11:07
Maybe that's the right way
I guess it has to apply to all requests (or a variety of requests)
I.e. it's not a request to /login
So a filter might be the best approach
Leon Radley
@leon
May 06 2015 11:09
I'll have to give that a shot
thanks for the help :)
Dave Syer
@dsyer
May 06 2015 11:09
We can probably put it in the framework if it works out. Seems like a reasonable thing to try.
Leon Radley
@leon
May 06 2015 11:10
I'll create a pull request if everything turns out
Leon Radley
@leon
May 06 2015 13:36
@dy
@dsyer I'm having trouble with using the rest template, it returns a "A redirect is required to get the users approval" exception
even though the client has autoApprove(true); but I'm guessing that is all done in the auth-server