Secures Spring Boot's OAuth2/OIDC.
> **Note**
> Primarily designed for OIDC (OAuth2 should also work but might require some manual fixes and adjustments) and e-mails.
> **Note**
> Fixes the underlying problem:
> By default Spring only logs the user in. Once logged in, there is no re-check whether the user is still valid at the OAuth2/OIDC server.
> As long as the app is not restarted, the user can potentially stay logged in forever.
Used for checking whether the OAuth2/OIDC token in use is still valid.
Once the token is no longer valid, the authentication is re-checked.
Also provides an OAuth2/OIDC server "is offline" fallback, which means that the user is still considered valid when the server cannot be reached for some time (default: 3h).
- The OAuth2/OIDC server should provide a refresh token (to re-check authentication).
  Usually this can be achieved with the `offline_access` scope, but it is highly dependent on the OIDC provider. For example, IdentityServer requires it, while KeyCloak must not use it at all (as the UI otherwise asks for a login every time) and requires a different setting.
- You need to implement `EmailBasedOAuth2AuthCheckerUserService` or provide a custom `OAuth2IsDisabledChecker`.
Enforces that requests are properly authenticated as specified in CheckAuth above.
- Inside your main `WebSecurity#configure` add:
  ```java
  http.addFilterBefore(this.oAuth2RefreshFilter, AnonymousAuthenticationFilter.class)
  ```
Allows custom ReloadCommunicators to tell the client that the user is no longer authenticated and that some kind of action (e.g. a page reload) is required.
Tries to automatically authenticate the user using the last OAuth2 provider they used.
- Inside your main `WebSecurity#configure` add:
  ```java
  http
      .oauth2Login(c -> {
          // Other stuff
          this.rememberLoginProvider.configureOAuth2Login(c);
      })
      .logout(this.rememberLoginProvider::configureOAuth2Logout);
  ```
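The two `WebSecurity#configure` snippets above (the refresh filter and the remember-login provider) wired into one complete security configuration, as an added example that is not part of the project's own README. The bean field types `OAuth2RefreshFilter` and `OAuth2RememberLoginProvider` are assumed names; use the actual class names from the library's package.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class WebSecurity extends WebSecurityConfigurerAdapter
{
    // Beans provided by the library. The field types are ASSUMED names for this
    // example; only the field names match the README snippets.
    @Autowired
    private OAuth2RefreshFilter oAuth2RefreshFilter;

    @Autowired
    private OAuth2RememberLoginProvider rememberLoginProvider;

    @Override
    protected void configure(final HttpSecurity http) throws Exception
    {
        http
            // Re-validate the OAuth2/OIDC token before the anonymous filter runs,
            // so a user whose token is no longer valid is not kept logged in
            .addFilterBefore(this.oAuth2RefreshFilter, AnonymousAuthenticationFilter.class)
            // Every request must carry a valid (and re-checked) authentication
            .authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2Login(c -> {
                // Other login configuration goes here, e.g. c.loginPage("/login");
                this.rememberLoginProvider.configureOAuth2Login(c);
            })
            // Clear the remembered provider on logout
            .logout(this.rememberLoginProvider::configureOAuth2Logout);
    }
}
```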