I am following https://spring.io/guides/tutorials/spring-boot-oauth2/ and reference to source code is https://github.com/spring-guides/tut-spring-boot-oauth2/tree/main/click. But you don’t need to understand the full code. I have one basic question.
Basically, whenever I load the page, the callback in `$.get("/user", function(data) {` is not always hit.
What does `$.get("/user")` refer to? Doesn't it mean hitting the /user endpoint provided by the Spring Boot app? The breakpoints in Java (the /user endpoint) and in the JavaScript callback [which makes the authenticated div visible and hides the unauthenticated one] are not always hit; they are only hit once authentication has succeeded.
Question
Why are the breakpoints in Java and JavaScript not always hit? They are only hit when the app has successfully authenticated with GitHub. I'm thinking it's something to do with the basics of jQuery, HTML and JavaScript rather than with the OAuth2 flow here.
Can you please let me know the details? Do let me know if you have any questions in case the question is not clear.
```java
// The /user endpoint from the tutorial; it only answers once the request
// has passed the security filter chain.
@GetMapping("/user")
public Map<String, Object> user() {
    return Collections.singletonMap("name", "foo");
}
```

```html
<body>
  <h1>Login</h1>
  <div class="container unauthenticated">
    With GitHub: <a href="/oauth2/authorization/github">click here</a>
  </div>
  <div class="container authenticated" style="display: none">
    Logged in as: <span id="user"></span>
  </div>
  <script type="text/javascript">
    // The success callback runs only when /user responds with a 2xx status.
    $.get("/user", function(data) {
      $("#user").html(data.name);
      $(".unauthenticated").hide();
      $(".authenticated").show();
    });
  </script>
</body>
```
Answer
Actually, I got it. It's always hitting the /user endpoint, but when not authenticated I see a 401 for /user in the Network tab.
And it's because of the configuration below in the controller, which enforces oauth2Login (i.e. the filter chain does not let the request reach the controller).
Looking at the documentation a bit more closely also explains it; I'm just copying the excerpt from the tutorial documentation:
You won't see anything about /user in this configuration, though. Everything, including /user, remains secure unless indicated because of the .anyRequest().authenticated() configuration at the end.
Finally, since we are interfacing with the backend over Ajax, we'll want to configure endpoints to respond with a 401 instead of the default behavior of redirecting to a login page. Configuring the authenticationEntryPoint achieves this for us.
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .authorizeRequests(a -> a
            .antMatchers("/", "/error", "/webjars/**").permitAll()
            // Everything else, including /user, requires an authenticated session.
            .anyRequest().authenticated()
        )
        .exceptionHandling(e -> e
            // Return 401 to Ajax callers instead of redirecting to the login page.
            .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
        )
        .oauth2Login();
    // @formatter:on
}
```
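To show the two outcomes the answer describes from the browser's side, here is an added example (not code from the tutorial or the Spring guides repo). It uses the Fetch API rather than jQuery so it runs in Node without a DOM, and a constructed stand-in for the backend whose `loggedIn` flag plays the role of the session established by the OAuth2 login; the `loadUser` function and its returned state object are assumptions for illustration.

```javascript
// Constructed stand-in for the Spring Boot backend behind the config above.
// Unauthenticated: the filter chain answers 401 before the controller runs,
// so there is no JSON body. Authenticated: the controller's map is serialised.
function fakeBackend(loggedIn) {
  return async function fetchImpl(url) {
    if (url !== "/user") {
      return { status: 404, json: async () => ({}) };
    }
    if (!loggedIn) {
      return { status: 401, json: async () => { throw new Error("no body"); } };
    }
    return { status: 200, json: async () => ({ name: "foo" }) };
  };
}

// Mirrors the page script's decision: a 401 means "keep the login link visible",
// a 200 means "show the user name". jQuery's $.get success callback is only
// invoked on 2xx, which is why the breakpoint inside it is never reached on 401;
// a .fail() handler on the jqXHR would see the 401 instead. Returning a state
// object instead of touching the DOM keeps the logic testable.
async function loadUser(fetchImpl) {
  const res = await fetchImpl("/user");
  if (res.status === 401) {
    return { authenticated: false, name: null };
  }
  if (res.status !== 200) {
    throw new Error("unexpected status " + res.status);
  }
  const data = await res.json();
  return { authenticated: true, name: data.name };
}

// Usage: anonymous visitor, then a visitor with a session.
loadUser(fakeBackend(false)).then((s) => console.log("anonymous:", s));
loadUser(fakeBackend(true)).then((s) => console.log("logged in:", s));
```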