Spring security with OAuth2

Hello!
I am new to Spring & Vaadin. I did some research but I would like to have opinions here. We can connect to my vaadin/spring web application only through OAuth2 (Discord). I have set this up properly and it is working perfectly, BUT I would like Spring to save the token in cookies to keep the user authenticated as long as possible, so the user doesn’t have to re-login too often. I also want to be sure Spring fetches the Discord data often, to be sure my authenticated user object is up to date, because some views of my application are constrained by these data. Can someone guide me with this please? Thanks! :pray:

(Vaadin 24)

Here is my SecurityConfiguration:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

// RestOAuth2AccessTokenResponseClient, CustomOAuth2UserService and Application
// are the application's own classes (same package).
@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

    private static final String DEFAULT_SUCCESS_URL = "/home";
    private static final String FAILURE_URL = Application.LANDING_URL;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .oauth2Login()
                .tokenEndpoint().accessTokenResponseClient(this.getRestOAuth2AccessTokenResponseClient())
                .and()
                .authorizationEndpoint()
                .and()
                .userInfoEndpoint().userService(this.getCustomOAuth2UserService())
                .and()
                .defaultSuccessUrl(DEFAULT_SUCCESS_URL, true)
                .failureUrl(FAILURE_URL);

        super.configure(http);
    }

    @Override
    protected void configure(WebSecurity web) {
        // Requests under /api/** bypass Spring Security entirely.
        web.ignoring().requestMatchers("/api/**");
    }

    @Bean
    public RestOperations restOperations() {
        return new RestTemplate();
    }

    @Bean
    public RestOAuth2AccessTokenResponseClient getRestOAuth2AccessTokenResponseClient() {
        return new RestOAuth2AccessTokenResponseClient(this.restOperations());
    }

    @Bean
    public CustomOAuth2UserService getCustomOAuth2UserService() {
        return new CustomOAuth2UserService(this.restOperations());
    }

}
```

Bump

My help here is limited, I can just advise you to ask ChatGPT for “how to use jwt cookies in spring boot” . If the answer from chatgpt is cut off, just type in continue for it to continue :wink:

Autologin these days is usually implemented using JWT cookies that store the authentication information in a signed token cookie

I’m doing something similar myself, but I’ve implemented the JWT handling myself (without spring) which would be of limited usage for anyone else.

And there’s also this: https://github.com/mstahv/flow-with-jwt-authentication

In any case you’d have to store your OAuth token inside the jwt cookie
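The JWT-cookie approach described above, as an added example that is not code from anyone in this thread: Vaadin 24's VaadinWebSecurity provides a setStatelessAuthentication helper that keeps the authenticated principal in a signed JWT cookie instead of the HTTP session. It assumes spring-boot-starter-oauth2-resource-server is on the classpath and an application property app.auth.secret holding a base64-encoded 32-byte key; the issuer name and cookie lifetime are made-up values.

```java
import java.util.Base64;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

// Added example, not the poster's configuration: OAuth2 login plus Vaadin's
// stateless JWT-cookie authentication. Property name and issuer are assumptions.
@EnableWebSecurity
@Configuration
public class StatelessSecurityConfiguration extends VaadinWebSecurity {

    // Base64 of 32 random bytes, generated once (e.g. `openssl rand -base64 32`)
    // and kept out of source control.
    @Value("${app.auth.secret}")
    private String authSecret;

    // Cookie lifetime in seconds (here one day). No server-side session is
    // consulted, so a copied cookie remains valid for this whole period:
    // keep it as short as the "do not re-login too often" requirement allows.
    private static final long JWT_LIFETIME_SECONDS = 24 * 60 * 60;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);

        // The poster's tokenEndpoint / userInfoEndpoint customisations
        // would be chained here unchanged.
        http.oauth2Login()
                .defaultSuccessUrl("/home", true);

        // Replaces the session-based SecurityContext with a signed JWT in a
        // cookie; Vaadin re-creates the Authentication from it on each request,
        // so a restarted browser or server no longer forces a new OAuth2 login.
        setStatelessAuthentication(http,
                new SecretKeySpec(Base64.getDecoder().decode(authSecret), JwsAlgorithms.HS256),
                "my-vaadin-app",        // issuer claim, any stable identifier
                JWT_LIFETIME_SECONDS);
    }
}
```

The cookie carries only the subject (the authentication name) and the granted authorities, so after it re-authenticates a user the principal is a Jwt rather than the OAuth2User with the Discord attributes; views that depend on Discord data should look it up again by that id. That lookup is also the natural place to keep the data fresh instead of trusting attributes cached at login time.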

Thanks for this, I am also thinking about doing the whole system myself instead of using the Spring security system

Don’t even think for one second that you can implement a secure version yourself. Use spring security if you are already in this ecosystem. Baeldung’s tutorials should get you pretty far.

Yes, but I guess it is fine if I use Spring security but I just handle all the cookies & OAuth by myself?

If you use Spring security and follow the tutorials you’ll probably have a secure system. If you do it yourself, you’re on your own. Also depending on the use-case, liability is an issue. If your implementation allows unauthorized access which leads to you leaking customer data, you could be in trouble.

Yeah, thanks for the advice, I will do more research before taking a decision and work on this seriously/carefully