Spring security has long had great OAuth2.0 support from both the server and client elements. Recently spring security added support for the private_key_jwt client authentication method as part of the authorization code grant flow. Spring Security GitHub ref

To be fair there were quite some unexpected surprises in the past with Spring and Kotlin (e.g. the Cachable annotation did not work with suspend functions, not all Spring security annotations were supported with coroutines), but most of them were ironed out already.

They recently updated all the examples in the javadocs if you wanna bump your Spring Security version to 5.7.3 (see here). Otherwise the reference docs all reflect the non-deprecated approach that uses SecurityFilterChain and supporting beans.

Spring Security 5.7

Since Spring Security 5.7.0-M2 the use of WebSecurityConfigurerAdapter was deprecated (link to GitHub - https://github.com/spring-projects/spring-security/issues/10822) to move to component-based security configuration.

When i start the flow, no proxy is used and even the WebClient is not used to get access token. And i get a timeout exception for that. The same issue was discussed in Github: https://github.com/spring-projects/spring-security/issues/8966

You can extract (and validate) the JWT token into the Principal by implementing the getPreAuthenticatedPrincipal method, and map the claims to user details by providing through a custom implementation of AuthenticationUserDetailsService.

Or, maybe simpler, is to create your own filter and add it after the SecurityContextPersistenceFilter. Here, just recreate the authentication token from the database, which is what token based authentication does (token based authentication has to preauthenticated authentication from the token for the actual user authentication with the user details).

import { useEffect, useState } from "react"; import "./App.css"; import Profile from "./components/profile/Profile"; function App() { // Extracting the 'code' parameter from the URL query string (used for authorization) const urlParams = new URLSearchParams(window.location.search); const code = urlParams.get("code"); // State to store the retrieved user data const [data, setData] = useState(null); // State to indicate if data is being fetched const [loading, setLoading] = useState(false); // Runs whenever the 'code' variable changes (likely on authorization flow) useEffect(() => { const token = localStorage.getItem("token"); if (token) { setLoading(true); // Set loading to true while fetching data fetch("https://api.github.com/user", { headers: { Authorization: token }, }) .then((res) => res.json()) // Parse the response as JSON .then((data) => { setData(data); // Update state with fetched user data setLoading(false); // Set loading to false when done fetching }); } else if (code) { // If no token but 'code' is available (GitHub OAuth flow) setLoading(true); // Set loading to true while fetching data fetch( `http://localhost:8589/oauth/redirect?code=${code}&state=YOUR_RANDOMLY_GENERATED_STATE` ) .then((res) => res.json()) // Parse the response as JSON .then((data) => { setData(data.userData); // Update state with user data from response localStorage.setItem( "token", `${data.tokenType} ${data.token}` ); // Store access token in local storage setLoading(false); // Set loading to false when done fetching }); } }, [code]); // Function to redirect the user to the GitHub OAuth authorization page function redirectToGitHub() { const client_id = "blah blah"; const redirect_uri = "http://localhost:5173/"; const scope = "read:user"; const authUrl = `https://github.com/login/oauth/authorize?client_id=${client_id}&redirect_uri=${redirect_uri}&scope=${scope}`; window.location.href = authUrl; } // Conditionally render content based on loading state and data availability if (loading) { return

Loading...h4>; } if (data) { return ; } return ( <>

Login to MyApph1> Login with GitHub button> div> ); } export default App;

import hashlib from datetime import datetime import httpx from fastapi import APIRouter, HTTPException, Query from app.config import settings from app.utilities.db import db from .models import OauthException, OauthToken router = APIRouter() @router.get( "/callback", response_model=OauthToken, responses={ 400: {"description": "Oauth Error", "model": OauthException}, }, ) async def oauth_callback( code: str = Query(description="Authorization Code"), ) -> OauthToken: """ GitHub Oauth Integration Callback """ async with httpx.AsyncClient() as client: token_result = await client.post( "https://github.com/login/oauth/access_token", json={ "client_id": settings.github_oauth_client_id, "client_secret": settings.github_oauth_client_secret, "code": code, "redirect_uri": "http://localhost:8000/v1/auth/callback", }, headers={"Accept": "application/json"}, ) data = token_result.json() error = data.get("error") if error: raise HTTPException( status_code=400, detail=f"{data.get('error')}: {data.get('error_description')}", ) access_token: str = data.get("access_token") user_result = await client.get( "https://api.github.com/user", headers={"Authorization": f"Bearer {access_token}"}, ) user_data = user_result.json() user = user_data.get("login") await db.tokens.insert_one( { "user": user, "access_token_hash": hashlib.sha256(access_token.encode()).hexdigest(), "created_date": datetime.utcnow(), }, ) return OauthToken(access_token=access_token)

The actual URL is https://github.com/login/oauth/authorize?client_id=bbb58b28cdd98636e3e2&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Fcallback&scope=user%3Aemail&response_type=code

GOOGLE_CLIENT_ID = os.environ["GOOGLE_CLIENT_ID"] GOOGLE_CLIENT_SECRET = os.environ["GOOGLE_CLIENT_SECRET"] GOOGLE_TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token" GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth" GITHUB_CLIENT_ID = os.environ["GITHUB_CLIENT_ID"] GITHUB_CLIENT_SECRET = os.environ["GITHUB_CLIENT_SECRET"] GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token" GITHUB_AUTH_URL = "https://github.com/login/oauth/authorize"

export const GET = async ({ cookies }) => { const state = generateRandomString(40); // I recommend using nanoid cookies.set("github_oauth_state", state, { httpOnly: true, secure: !dev, // disable when using localhost maxAge: 60 * 60 // 1 hour expiry, path: "/" }); const authorizationUrlSearchParams = new URLSearchParams({ client_id: GITHUB_CLIENT_ID, state }); const authorizationUrl = https://github.com/login/oauth/authorize?${authorizationUrlSearchParams}; // redirect to authorization url return new Response(null, { status: 302, headers: { Location: authorizationUrl } }); } ```

services.AddCookie("Google-Cookie") .AddOAuth("Google", options => { options.SignInScheme = "Google-Cookie"; options.ClientId = configuration["ClientId"]>; options.ClientSecret = configuration["ClientSecret"]; options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize"; options.TokenEndpoint = "https://github.com/login/oauth/access_token"; options.UserInformationEndpoint = "https://api.github.com/user"; options.CallbackPath = "/api/Google-Redirect"; options.Scope.Clear(); options.Scope.Add("read:user"); options.SaveTokens = true; // Not sure what does this do options.Events.OnCreatingTicket = async context => { using var request = new HttpRequestMessage(HttpMethod.Get, options.UserInformationEndpoint); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken); using var result = await context.Backchannel.SendAsync(request); var user = await result?.Content?.ReadFromJsonAsync(); context.RunClaimActions(user); // I don't think this is needed // Create claims for the token var claims = new Claim[] { new Claim(ClaimTypes.Name, user.Name), new Claim(ClaimTypes.Email, user.Email) }; // Create the token var token = new JwtSecurityToken( issuer: configuration["JWT_Issuer"], audience: configuration["JWT_Audience"], claims: claims, expires: DateTime.UtcNow.AddHours(1);, signingCredentials: new SigningCredentials(new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JWT_Secret"]));, SecurityAlgorithms.HmacSha256) ); // Generate the token string var tokenString = new JwtSecurityTokenHandler().WriteToken(token); context.Response.Cookies.Append("X-Access-Token", tokenString, new CookieOptions() { HttpOnly = true, SameSite = SameSiteMode.Strict }); }; } );

# Verify the content of the artifact at the given digest, as well as the fact # that the signature has been created by a GitHub actor with the given email. $ cosign verify ghcr.io/radu-matei/hello-spin@sha256:6f886e428152a32ada6303e825975e1a9798de86977e532991a352d02c98f62c \ --certificate-oidc-issuer https://github.com/login/oauth \ --certificate-identity [email protected] Verification for ghcr.io/radu-matei/hello-spin@sha256:6f886e428152a32ada6303e825975e1a9798de86977e532991a352d02c98f62c -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates

@Bean ClientRegistrationRepository clientRegistrationRepository(JdbcTemplate jdbcTemplate) { JdbcClientRegistrationRepository jdbcClientRegistrationRepository = new JdbcClientRegistrationRepository(jdbcTemplate); ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("github") .clientId("123456") .clientSecret("123456") .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}") .scope(new String[]{"read:user"}) .authorizationUri("https://github.com/login/oauth/authorize") .tokenUri("https://github.com/login/oauth/access_token") .userInfoUri("https://api.github.com/user") .userNameAttributeName("login") .clientName("GitHub").build(); jdbcClientRegistrationRepository.save(clientRegistration); return jdbcClientRegistrationRepository; }

const oauthUri = `https://github.com/login/oauth/authorize?client_id=${process.env.NEXT_PUBLIC_GH_CLIENT_ID}&scope=user:email,read:user&redirect_uri=http://localhost:3000/api/auth`

var builder = WebApplication.CreateBuilder(args); builder.Services.AddAuthentication() .AddOAuth("github", o => { o.ClientId = "###"; o.ClientSecret = "###"; o.AuthorizationEndpoint = "https://github.com/login/oauth/authorize"; o.TokenEndpoint = "https://github.com/login/oauth/access_token"; o.CallbackPath = "/oauth/github-cb"; o.UserInformationEndpoint = "https://api.github.com/user"; }); var app = builder.Build(); app.MapGet("/", (HttpContext context) => { return context.User.Claims.Select(x => new { x.Type, x.Value }).ToList(); }); app.MapGet("/login", () => { return Results.Challenge(authenticationSchemes: new List() { "github" }); }); app.Run(); --------------------------------------------- dotnet : Stack overflow. At line:1 char:1 + dotnet watch --no-hot-reload 2> output.txt + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (Stack overflow.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError at System.Collections.Generic.Dictionary`2[[Microsoft.Extensions.DependencyInjection.Servi ceLookup.ServiceCacheKey, Microsoft.Extensions.DependencyInjection, ...Goes on for an other 60.000 lines