These are chat archives for spring-cloud/spring-cloud

7th May 2015
Dave Syer
@dsyer
May 07 2015 08:55 UTC
I see. For this use case you actually need to follow the redirect. So you have to just go with the flow (I think).
I'm not even sure you can hide this from the user without writing code in the browser - it's the browser that has the session with the auth server (if there is one).
So a pre-auth filter isn't such a great idea after all
Leon Radley
@leon
May 07 2015 08:57 UTC
not good :worried:
since I already have spring-session working between the two
Dave Syer
@dsyer
May 07 2015 08:58 UTC
Maybe that saves your bacon then
Leon Radley
@leon
May 07 2015 08:58 UTC
but the problem is that the authenticated user isn't a oauth2 user, which means I cannot relay the token
Dave Syer
@dsyer
May 07 2015 08:59 UTC
You know the user, but he hasn't got a token yet?
Leon Radley
@leon
May 07 2015 08:59 UTC
yes
Dave Syer
@dsyer
May 07 2015 08:59 UTC
How did you identify/authenticate him?
Leon Radley
@leon
May 07 2015 08:59 UTC
I log into the auth server, and by sharing the session via spring-session I'm automagically logged into the other app on refresh
making sure they both have the same custom userDetails pojo
in both apps
Dave Syer
@dsyer
May 07 2015 09:00 UTC
OK, so if there is an authenticated user you know who it is.
Leon Radley
@leon
May 07 2015 09:00 UTC
yes
Dave Syer
@dsyer
May 07 2015 09:00 UTC
There is still the scenario that he didn't yet authenticate with the auth server
Leon Radley
@leon
May 07 2015 09:00 UTC
yes
the problem is that I need to at checkout get the user's customer details, which are in the auth server via an OAuth2RestTemplate
Dave Syer
@dsyer
May 07 2015 09:01 UTC
OK, so you just need to send the cookie when you ask for an auth code.
And if there are any exceptions, you can't pre-authenticate.
I think the OAuth2RestTemplate can do this. I just don't think that feature gets used much outside tests.
Leon Radley
@leon
May 07 2015 09:04 UTC
so if I use the OAuth2RestTemplate but add the SESSION cookie to the request, it knows it's logged in and then the restTemplate stores the accessToken?
Dave Syer
@dsyer
May 07 2015 09:04 UTC
You might be a step ahead there
But something like that.
I need to refresh my memory
(Twiddling thumbs waiting for Eclipse to finish spinning)
Leon Radley
@leon
May 07 2015 09:07 UTC
I've created this gist, with what I've got so far https://gist.github.com/leon/182f2a221341411f7d1a
Dave Syer
@dsyer
May 07 2015 09:09 UTC
Where did the OAuth2RestTemplate come from?
I have a nervous feeling about shared state between your auth server and all the little client apps (assuming there might actually be more than one).
Leon Radley
@leon
May 07 2015 09:10 UTC
It is probably the one that gets created via @EnableOAuthSso
Dave Syer
@dsyer
May 07 2015 09:11 UTC
Right.
Leon Radley
@leon
May 07 2015 09:11 UTC
me 2
I'd rather not share the session state between the apps, but as usual I'm trying to grant all the customers wishes :)
Dave Syer
@dsyer
May 07 2015 09:12 UTC
So unless you want all client apps to share a token, then sharing a session with the auth server is bad. If you don't mind sharing, maybe you can still be careful and not corrupt each other's state.
Leon Radley
@leon
May 07 2015 09:12 UTC
I'd rather just force login at the checkout and be done with it. But they really want the auth bar to be visible across all apps :(
Dave Syer
@dsyer
May 07 2015 09:14 UTC
This much shared state seems risky. Maybe you ought to look into the client-side implementation?
Leon Radley
@leon
May 07 2015 09:15 UTC
The question is how you would implement it. I've got a webshop, a portal and more apps coming, and a couple of resource servers, both in Spring and in .NET
Dave Syer
@dsyer
May 07 2015 09:15 UTC
You need a bit of Javascript fu
And that code gets shared between all the UIs.
Leon Radley
@leon
May 07 2015 09:15 UTC
The front end apps (webshop, portal and wordpress) need to have the same user logged into all of them, and when he / she logs out it should log out of all apps
so it's more of a CAS solution I'm guessing
Dave Syer
@dsyer
May 07 2015 09:16 UTC
Logout is a whole other ball of wax
Leon Radley
@leon
May 07 2015 09:16 UTC
:)
Dave Syer
@dsyer
May 07 2015 09:16 UTC
CAS has all the same "features"
You don't get a free lunch
Leon Radley
@leon
May 07 2015 09:17 UTC
I would probably find myself stuck with the .net apps instead there
Dave Syer
@dsyer
May 07 2015 09:17 UTC
Because they are fat clients? No Javascript?
Leon Radley
@leon
May 07 2015 09:17 UTC
at the moment everything is turning out great except the unified login experience
the portal is angular only, the webshop is part spring part angular because of SEO aspects
Dave Syer
@dsyer
May 07 2015 09:17 UTC
Fat clients require a different approach anyway (auth code flow makes no sense, Spring Session is never going to help)
Above you said the resource server was .net, not the client.
Leon Radley
@leon
May 07 2015 09:18 UTC
the portal gets redirected to the auth server and since it has auto approve, you get logged in straight away
Dave Syer
@dsyer
May 07 2015 09:18 UTC
So maybe it's not an issue
You only get logged in straight away if you already have a session with the auth server though
Leon Radley
@leon
May 07 2015 09:19 UTC
I'm in charge of all the UI apps, the .net apps are data only apps returning data from legacy systems
Dave Syer
@dsyer
May 07 2015 09:19 UTC
I thought we were trying to avoid going to the auth server if the user is not authenticated there?
Leon Radley
@leon
May 07 2015 09:20 UTC
I've implemented remember me functionality with the authserver, so you are logged in for as long as that cookie exists
that only applies to the webshop
in the portal you are always logged in
I'm going to have a stab at sending a request to the authserver including the session cookie, and if the user is logged in, I can redirect the webshop to /login which will force it to login, thus getting the auth token
Dave Syer
@dsyer
May 07 2015 09:26 UTC
You don't even need an OAuth2RestTemplate to do that (send a cookie and look at the result)
Leon Radley
@leon
May 07 2015 09:27 UTC
so a normal RestTemplate, and then append the cookie, check if it isn't a 401, and redirect to /login
that seems like a much better solution, even though they are sharing session state
Dave Syer
@dsyer
May 07 2015 09:27 UTC
It depends on the implementation of the auth server
I don't know why you need to go to /login (assuming that's a UI)
Leon Radley
@leon
May 07 2015 09:28 UTC
I've created an /authenticated endpoint that is behind the normal security firewall
Dave Syer
@dsyer
May 07 2015 09:28 UTC
So you just need to send the cookie to that endpoint and see what it says, right?
Leon Radley
@leon
May 07 2015 09:28 UTC
it returns the @AuthenticatedPrincipal email
yes
I'll give it a go :)
thanks for the help, it's great to have someone to discuss the inner workings :+1:
Dave Syer
@dsyer
May 07 2015 09:30 UTC
No problem
Leon Radley
@leon
May 07 2015 09:30 UTC
I'll be a spring cloud guru after this project :)