Vaadin app as OAuth2 ResourceServer

Hi, regarding security integration with Vaadin Flow and an external OAuth2/OIDC SSO: by the documentation it supports only an OIDC client directly exposed to user agents, so my question is, is it possible to configure it as an OAuth2 resource server, or how does it work if it is behind a WAF or any kind of reverse proxy that manages SSO with the external IdP instead of the application itself?

@quirky-zebra any thoughts on that?

I’m not sure I understand your question, though. Do you want to call a backend system with the access token provided by your third-party ID provider?

Nope. In your documents, as you can see here (https://github.com/vaadin/vaadin-oauth-example/blob/v23/src/main/resources/application.properties#L9), the Vaadin Flow server-side app is configured as an OIDC client with the authorization_code grant type.

And I’m interested to see how to configure the Vaadin app as a resource server, just verifying the access token, not asking the IdP to issue it.
image.jpg

And this is how Vaadin is now integrated with the IdP in SSO:
image.jpg

There is no built-in function for such a use case. This issue and the linked repo could be interesting for you regarding JWT usage: https://github.com/vaadin/flow/issues/14936

It is looking promising; Spring Security should look like this:
https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html
verifying the JWT against the IdP and then building the security context together with the HTTP and Vaadin session!
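For reference, here is what the Spring Security resource-server wiring sketched in the last reply can look like in a Vaadin Flow app. This is an added example, not code from the thread, from Vaadin or from the linked repos. It assumes Spring Boot 3 / Vaadin 24 with `vaadin-spring-boot-starter` and `spring-boot-starter-oauth2-resource-server` on the classpath, a reverse proxy that has already done the OIDC login and forwards every request (including Vaadin's UIDL and heartbeat XHRs) with `Authorization: Bearer <jwt>`, and two properties: the standard `spring.security.oauth2.resourceserver.jwt.issuer-uri` plus a hypothetical `app.security.expected-audience` holding the client id the IdP issues tokens for. The package name and class name are also made up.

```java
// Added example, not Vaadin's or the thread author's code. Assumes Spring Boot 3 / Vaadin 24,
// spring-boot-starter-oauth2-resource-server on the classpath, and a reverse proxy that forwards
// each request with "Authorization: Bearer <jwt>". Package, class and property names are hypothetical.
package com.example.security;

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

import com.vaadin.flow.spring.security.VaadinWebSecurity;

@EnableWebSecurity
@Configuration
public class ResourceServerSecurityConfig extends VaadinWebSecurity {

    // Standard Spring Boot property, e.g. https://idp.example.com/realms/demo (value is an assumption).
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    // Hypothetical property: the "aud" value the IdP puts into tokens meant for this app.
    @Value("${app.security.expected-audience:vaadin-app}")
    private String expectedAudience;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Accept a Bearer JWT on every request instead of running the authorization_code
        // flow ourselves; the proxy in front of the app is the OIDC relying party.
        http.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        // Let VaadinWebSecurity add its own rules (static resources, Vaadin internal
        // requests, CSRF handling for the Vaadin endpoints) on top of the resource-server setup.
        super.configure(http);
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Reads the issuer's discovery document and JWKS; signature, exp and nbf are
        // checked by the decoder, the "iss" claim by the default validator.
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuerUri);
        OAuth2TokenValidator<Jwt> issuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        // Spring Security does not check "aud" by default. Without this validator any token
        // the same IdP issued for a different client would also be accepted by this app.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(expectedAudience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuer, audience));
        return decoder;
    }
}
```

Two practical notes on this setup. First, the security context is rebuilt from the token on each request rather than stored in the HTTP session, so the proxy must attach the header to every request, including Vaadin's UIDL and heartbeat calls; a proxy that only decorates the initial page load will see the Vaadin session break after the first round trip. Second, the JWT check alone does not tie the app to the proxy: anyone who can reach the app directly with a valid token for this audience is accepted, so network restrictions between proxy and app still matter.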