Browser-Based Apps with a Backend support #9299
Closed
iilkevych opened this issue Dec 18, 2020 · 1 comment
Assignees
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid

Comments


iilkevych commented Dec 18, 2020

Summary
A Browser-Based App is a JavaScript app with a Spring Boot backend.
https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07 - section 6.2
https://www.oauth.com/oauth2-servers/single-page-apps/

The best explanation of the problem is here:
#6638 (comment)

It seems there was an attempt to fix it here:
#6812
and here
#8118 - WebFlux

Two more requests for this enhancement and attempts to resolve it:
#9266
#8950

Three more very closely related issues:
#7586
#6802
#4968 - httpBasic() cannot be combined with oauth2Login(), but it can be combined with formLogin()

Expected Behavior
HTML - 302
REST - 401

Current Behavior
HTML - 302
REST - 302

Context

I will write a test to make sure that formLogin() works with oauth2Login() in WebFlux.

JavaScript should get a 401 if it sends an unauthenticated request.
If there is more than one client registration or formLogin() - the response should contain a Location header with /login
If there is only one registration - the response should contain a Location header with /oauth2/authorization/{registrationId}

Then JavaScript will redirect the browser to the location from the response header. After successful login, oauth2Login() should redirect the browser to /. The JavaScript will be loaded in the browser again, and the browser will have an active HttpOnly session with Spring Boot to access the API.

@jgrandja @rwinch @jzheaux what do you think?

@iilkevych iilkevych added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Dec 18, 2020
jgrandja (Contributor) commented Jan 4, 2021

@iilkevych The current behaviour for oauth2Login() (Servlet and WebFlux) will return 302 with Location /login (or custom login page) for unauthenticated XHR requests. This behaviour is expected and is specified in these tests:

OAuth2LoginConfigurerTests (Servlet):

public void oauth2LoginWithOneClientConfiguredAndRequestXHRNotAuthenticatedThenDoesNotRedirectForAuthorization()

OAuth2LoginTests (WebFlux):

public void defaultLoginPageWithSingleClientRegistrationAndXhrRequestThenDoesNotRedirectForAuthorization()

As per your suggestion:

If there is more than one client registration or formLogin() - the response should contain a Location header with /login

If there is only one registration - the response should contain a Location header with /oauth2/authorization/{registrationId}

I don't feel it makes sense to return a different Location header depending on whether there is one client registered compared to more than one registered.

Then JavaScript will redirect the browser to the location from the response header.

The redirect to /login is the current behaviour, and the JavaScript client cannot perform the redirect to /oauth2/authorization/{registrationId}, since this will trigger another redirect to the provider login page and ultimately fail on the CORS request.

I hope this makes sense? I'm going to close this issue as the current behaviour works as designed.
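The thread above leaves the "REST - 401, HTML - 302" split to the application. One way to get it with the Spring Security Servlet DSL, as an added example that is not code from the issue or from the Spring Security project: register a 401 `AuthenticationEntryPoint` for API paths and XHR requests, and let everything else fall through to the `oauth2Login()` redirect. The `/api/**` path, the `X-Requested-With` header convention and the permitted static paths are assumptions for this example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;

// Added example (not from the issue or the Spring Security project).
// Assumes a Spring Boot app with spring-boot-starter-oauth2-client and at
// least one client registration configured in application.yml.
@Configuration
public class SpaSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Static shell of the SPA is public; everything else needs a session.
            .authorizeRequests(authorize -> authorize
                .antMatchers("/", "/index.html", "/static/**").permitAll()
                .anyRequest().authenticated()
            )
            // Browser navigations: 302 to /login (or the single provider), then back to /.
            .oauth2Login(oauth2 -> oauth2
                .defaultSuccessUrl("/", true)
            )
            // Session cookie stays HttpOnly; the CSRF token is exposed in a readable
            // cookie so the JavaScript client can echo it back on state-changing calls.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            )
            // API paths and XHR calls get a bare 401 instead of the login redirect;
            // the client then navigates the whole browser to /login itself.
            .exceptionHandling(exceptions -> exceptions
                .defaultAuthenticationEntryPointFor(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                    new AntPathRequestMatcher("/api/**"))
                .defaultAuthenticationEntryPointFor(
                    new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED),
                    new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"))
            );
        return http.build();
    }
}
```

Requests that match neither matcher still receive the 302 to the login page that the maintainer describes above, so the two behaviours coexist in one filter chain.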

@jgrandja jgrandja closed this as completed Jan 4, 2021
@jgrandja jgrandja self-assigned this Jan 4, 2021
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jan 4, 2021