Embedded Vaadin application authentication using access token?

I’ve created a Vaadin PWA with Amazon Cognito as security provider. It works fine. It redirects me to the Cognito sign-in page when unauthorized, and Spring Security is handling security as it’s supposed to.

The problem is that I want to embed my PWA inside a Flutter app.

In the Flutter app, I have a Flutter sign-in form that gives me an access/refresh token. I do some API calls, and after some time I would like to show my Vaadin PWA in a webview inside the Flutter app. But of course, when I navigate to my PWA URL, it shows me the Cognito sign-in form, which I don’t want, as I already have a valid access token; I want to be just signed in. How would I achieve that? I tried putting the header “Authorization: Bearer ”, but that didn’t work.

My SecurityConfig looks like this:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests().antMatchers("/").permitAll()
            .and()   // return to HttpSecurity before adding the resource-server DSL; permitAll() alone has no oauth2ResourceServer()
            .oauth2ResourceServer(oauth2 -> oauth2.jwt())   // accept bearer JWTs validated against the configured issuer
            .authorizeRequests().antMatchers("/user/**").authenticated();
        super.configure(http);   // Vaadin's own rules (static resources, internal requests)
        setOAuth2LoginPage(http, "/oauth2/authorization/cognito");
        http.oauth2Login(l -> l.userInfoEndpoint().userAuthoritiesMapper(userAuthoritiesMapper()));
    }

That’s pretty much it in my SecurityConfig. I also have a method that maps Cognito groups into roles, but that’s irrelevant for this.

If you want your app to work that way, you need to configure it as an OAuth resource server and configure it with the correct issuer info. With that in place, it should work.

You can probably also remove the login page configuration from the app if you always have a bearer token and don’t expect people to log in through the PWA.

Actually, I just remembered that I also have it set up as a resource server. That can be seen in the “.oauth2ResourceServer” line.

I need the application to work both for access token (mobile) users and for web (desktop) users that log in through the Cognito sign-in page.

I tried changing the antMatcher for the OAuth resource server to /** but that didn’t work. It just gives me a white page with a bunch of 401s for the /VAADIN directory.

If you turn on debug logging for Spring Security, do you see anything helpful in the logs when you call the app with a bearer token?

I FINALLY got it working after 4 days of trying so many things.
The solution is as follows:

First I logged in, and made my code stop somewhere using the debugger, so I could look up SecurityContextHolder.getContext().getAuthentication(). My Authentication object is of type OAuth2AuthenticationToken. I took a close look at it and decided to replicate it.
I did so inside a custom AuthenticationManager, and returned my OAuth2AuthenticationToken in the overridden authenticate method.

Then I created two endpoints: one that is my “login page”, and one that my filter goes to. So in my login page I take in an access token, store it in the session, then redirect to my other endpoint that passes through the filter.

The filter extends AbstractAuthenticationProcessingFilter and looks up the access token from the session, creates the OAuth2AuthenticationToken, and authenticates with it.

Unfortunately I don’t have enough characters to post code as well, but I’ve created an SO question that I’ve answered with code here: https://stackoverflow.com/questions/75140719/sso-between-app-and-webview-inside-the-app

I have NO IDEA if this is hacky or what it is, but I couldn’t get it to work in any other way. And I’ll be really happy to learn a better way/improve my code.
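An added example (not the original poster's code and not from the Vaadin or Spring projects) that puts the two threads of this discussion together: the earlier reply's point that the app must validate tokens against the correct issuer, and the poster's session hand-off (login endpoint stores the token, a filter extending AbstractAuthenticationProcessingFilter turns it into an OAuth2AuthenticationToken via a custom AuthenticationManager). The reason the hand-off is needed at all is that an Authorization header set on the WebView's initial navigation is not repeated on the XHR and websocket requests the Vaadin client makes afterwards (hence the 401s for /VAADIN), so the HTTP session itself has to be authenticated once. The piece a reviewer would insist on is that the token is decoded and validated (signature, expiry, issuer, app client id) before any Authentication is built; a token that is merely copied from the request into the session would let anyone sign in with an arbitrary string. Assumed names: the paths /webview-login and /webview-auth, the session key, the class names, the `issuerUri`/`clientId` values, and that the project runs Spring Boot 2 / Spring Security 5 (javax.servlet) with the oauth2-client and oauth2-resource-server starters. The registration id "cognito" and the `cognito:groups`-to-role mapping come from the thread.

```java
// Added example; not the original poster's code and not from Vaadin or Spring.
// Assumed: Spring Boot 2 / Spring Security 5 (javax.servlet) with the oauth2-client and
// oauth2-resource-server starters, the paths /webview-login and /webview-auth, the session
// key below, and the registration id "cognito" from the poster's SecurityConfig.
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

public final class WebViewAuth {
    static final String TOKEN_SESSION_KEY = "WEBVIEW_ACCESS_TOKEN"; // assumed name

    /** Decoder checking signature, expiry, issuer and app client id; reuse it for oauth2ResourceServer().jwt(). */
    public static JwtDecoder cognitoDecoder(String issuerUri, String clientId) {
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(issuerUri);
        // Cognito access tokens carry the app client id in "client_id"; id tokens use "aud" (assumption).
        OAuth2TokenValidator<Jwt> clientCheck = jwt -> {
            boolean ok = clientId.equals(jwt.getClaimAsString("client_id"))
                    || (jwt.getAudience() != null && jwt.getAudience().contains(clientId));
            return ok ? OAuth2TokenValidatorResult.success()
                    : OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token", "token not issued for this client", null));
        };
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuerUri), clientCheck));
        return decoder;
    }

    /** Custom AuthenticationManager: raw access token in, OAuth2AuthenticationToken out (as after oauth2Login). */
    public static final class TokenAuthenticationManager implements AuthenticationManager {
        private final JwtDecoder decoder;
        public TokenAuthenticationManager(JwtDecoder decoder) { this.decoder = decoder; }

        @Override
        public Authentication authenticate(Authentication request) {
            Jwt jwt;
            try {
                jwt = decoder.decode((String) request.getCredentials()); // rejects forged, expired or foreign tokens
            } catch (JwtException e) {
                throw new BadCredentialsException("access token rejected", e);
            }
            List<GrantedAuthority> authorities = new ArrayList<>();
            authorities.add(new SimpleGrantedAuthority("ROLE_USER")); // baseline that oauth2Login also grants
            List<String> groups = jwt.getClaimAsStringList("cognito:groups");
            if (groups != null) {
                groups.forEach(g -> authorities.add(new SimpleGrantedAuthority("ROLE_" + g)));
            }
            DefaultOAuth2User user = new DefaultOAuth2User(authorities, jwt.getClaims(), "sub");
            return new OAuth2AuthenticationToken(user, authorities, "cognito");
        }
    }

    /** Runs on /webview-auth: consumes the token the login endpoint stored and authenticates the session. */
    public static final class SessionTokenFilter extends AbstractAuthenticationProcessingFilter {
        public SessionTokenFilter(AuthenticationManager manager) {
            super("/webview-auth"); // default handlers: success redirects to "/", failure answers 401
            setAuthenticationManager(manager);
        }

        @Override
        public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) {
            String token = (String) req.getSession().getAttribute(TOKEN_SESSION_KEY);
            req.getSession().removeAttribute(TOKEN_SESSION_KEY); // single use
            if (token == null) {
                throw new BadCredentialsException("no access token in session");
            }
            return getAuthenticationManager().authenticate(new UsernamePasswordAuthenticationToken("webview", token));
        }
    }

    /** The "login page": the WebView POSTs the token here so it never appears in a URL or access log. */
    @Controller
    public static class WebViewLoginController {
        @PostMapping("/webview-login")
        public String login(@RequestParam("access_token") String token, HttpServletRequest req) {
            req.getSession().setAttribute(TOKEN_SESSION_KEY, token); // validated by the filter on the next request
            return "redirect:/webview-auth";
        }
    }
    // Wiring inside the poster's configure(HttpSecurity):
    //   http.authorizeRequests().antMatchers("/webview-login", "/webview-auth").permitAll();
    //   http.addFilterBefore(new SessionTokenFilter(new TokenAuthenticationManager(cognitoDecoder(issuerUri, clientId))),
    //           UsernamePasswordAuthenticationFilter.class);
}
```

Desktop users are untouched: they still hit the Cognito login page, and both paths end with an OAuth2AuthenticationToken for registration "cognito", so the existing group-to-role mapping and `/user/**` rules apply equally. Exposing the same `cognitoDecoder` as the `JwtDecoder` bean means the Flutter app's direct bearer-token API calls and the WebView hand-off are validated by one set of rules. The poster's config disables CSRF; if it is re-enabled, the POST to /webview-login needs either a CSRF token or `csrf().ignoringAntMatchers("/webview-login")`. Failures (bad signature, expired token, wrong issuer or client id) surface as a 401 from the filter and as `BadCredentialsException` in the Spring Security debug log mentioned above.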