Vaadin with Spring Security and OAuth2

I have searched the forums and Google, and don’t see anything but unanswered questions on how to get a Vaadin app working with OAuth2, especially using the Spring Security implementation.

It seems this is a pretty crucial and common use case - my application will need to support both internally managed logins - which I can implement using Spring Security (and I have this working) - as well as SSO logins from various sources (notably Okta and Azure AD).

Is there any guidance anyone can point me to to get this working?

Hey Ken,

I am sure you stumbled upon https://vaadin.com/learn/tutorials/securing-your-app-with-spring-security already. Yes, true, it does not discuss an OAuth2 implementation explicitly and concentrates on internally managed logins via credentials. But adding SSO via Spring Security does not involve Vaadin that much. Check https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/html/boot-features-security-oauth2-single-sign-on.html

The only problem I am aware of so far is that you will have to create your own login dialog component as the one used in the tutorial is hard to extend. And you will need extra buttons for all SSO providers. Another option is to not use Vaadin for the login dialog but Spring MVC: https://vaadin.com/learn/tutorials/securing-your-app-with-spring-security/speciale#_use_a_spring_thymeleaf_login_view

I hope those are some good starting points. Btw, did you think about setting up some company SSO provider like CAS (or others: https://openappstack.net/2019/01/31/comparison-of-free-and-open-source-single-sign-on-solutions.html)? Normally, those provide SSO delegation to other SSO providers, and all your apps only have to talk to that one.

Cheers,
Paul
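To make the advice above concrete, here is an added example (not code from the thread, the Vaadin tutorial, or the Spring docs linked above) of the two pieces Paul describes: a Spring Security configuration that keeps the internally managed form login and adds SSO, and a Vaadin login view with one extra button per provider. It uses Spring Security 5's built-in `oauth2Login()` support rather than the legacy `@EnableOAuth2Sso` autoconfiguration from spring-security-oauth2-boot (that project is deprecated). The registration ids `okta` and `azure`, the package name and the static-resource paths are assumptions; each provider must be configured under `spring.security.oauth2.client.registration.<id>.*` in `application.properties`, and the two classes would normally live in separate files.

```java
// Added example, not from the original thread. Assumes Vaadin Flow 14 with
// spring-boot-starter-security and spring-boot-starter-oauth2-client on the classpath.
package com.example.security; // assumed package name

import com.vaadin.flow.component.html.Anchor;
import com.vaadin.flow.component.html.H1;
import com.vaadin.flow.component.login.LoginForm;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.BeforeEnterEvent;
import com.vaadin.flow.router.BeforeEnterObserver;
import com.vaadin.flow.router.PageTitle;
import com.vaadin.flow.router.Route;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final String LOGIN_URL = "/login";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Vaadin carries its own CSRF token on every UIDL request, so the
            // Spring one is disabled here as in the Vaadin tutorial. If you also
            // expose plain Spring MVC endpoints, scope this with
            // csrf().ignoringAntMatchers(...) instead of disabling it globally.
            .csrf().disable()
            .authorizeRequests()
                .anyRequest().authenticated()
            .and()
            // Internally managed credentials: the form posts to POST /login,
            // which Spring Security authenticates against your UserDetailsService.
            .formLogin().loginPage(LOGIN_URL).permitAll()
            .and()
            // SSO: each provider registered under
            // spring.security.oauth2.client.registration.<id> gets a redirect
            // endpoint at /oauth2/authorization/<id>; the IdP sends the user
            // back to /login/oauth2/code/<id>, which Spring handles for you.
            .oauth2Login().loginPage(LOGIN_URL)
            .and()
            .logout().logoutSuccessUrl(LOGIN_URL);
    }

    @Override
    public void configure(WebSecurity web) {
        // Static resources Vaadin needs before the user is authenticated
        // (assumed subset of the list in the Vaadin tutorial).
        web.ignoring().antMatchers(
            "/VAADIN/**", "/frontend/**", "/icons/**", "/images/**",
            "/manifest.webmanifest", "/sw.js", "/offline.html", "/favicon.ico");
    }
}

@Route("login")
@PageTitle("Login")
class LoginView extends VerticalLayout implements BeforeEnterObserver {

    private final LoginForm login = new LoginForm();

    LoginView() {
        // Relative action so the form posts to Spring Security's /login handler.
        login.setAction("login");
        add(new H1("Sign in"), login);
        // One extra button per SSO provider, as the reply above suggests.
        add(ssoLink("Sign in with Okta", "okta"));
        add(ssoLink("Sign in with Azure AD", "azure"));
    }

    private Anchor ssoLink(String caption, String registrationId) {
        Anchor link = new Anchor("/oauth2/authorization/" + registrationId, caption);
        // router-ignore makes the browser do a full navigation instead of letting
        // the Vaadin client-side router intercept it, so the redirect to the IdP happens.
        link.getElement().setAttribute("router-ignore", true);
        return link;
    }

    @Override
    public void beforeEnter(BeforeEnterEvent event) {
        // Spring redirects to /login?error on a failed form or OAuth2 login.
        if (event.getLocation().getQueryParameters().getParameters().containsKey("error")) {
            login.setError(true);
        }
    }
}
```

Once this is in place the session, not the token, is what authorises subsequent Vaadin requests: after a successful OAuth2 login Spring Security stores an `OAuth2AuthenticationToken` in the `SecurityContext` of the HTTP session, and Vaadin's UIDL requests carry the session cookie like any other request. Whether a user arrived through the form or through Okta, `SecurityContextHolder.getContext().getAuthentication()` is what your views should check.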

Would love Vaadin to include an OAuth2 component or at least an example. Vaadin.com supports login with Google and what not, and assuming that Vaadin.com runs on Flow, why not make it reusable?

Hey Martin,

Sorry, I was on vacation and now we first have to get used to the Corona/Covid consequences at home…

Anyway, we are right now moving to CAS as our central authentication service at Vaadin. That is also why I asked if Ken considered using this approach. And yes, the plan is to create a dedicated tutorial about it.

The current approach uses the Spring Security-provided SSO stuff, but at enterprise level this approach is quite limited when more than one service (like the website) needs authentication/authorization capabilities.

Cheers,
Paul

Hi Paul, sounds good! Hope you and your family are not too impacted by Covid.

But how does Vaadin work with OAuth2? I understand I can use Spring MVC for the login dialog (which I already do), but once authenticated the Vaadin requests would need to add the Authorization: Bearer header and not rely on cookies to work correctly. I’m looking at OAuth2 JWT tokens to be able to seamlessly log in to multiple servers should one server fail, and use sticky sessions to keep the users on the same server as long as it’s available. This is necessary due to the complexities of serializing the Vaadin session across servers, as it’s never worked right.

Hi Paul,

Your examples worked perfectly with the integration with Spring Security (both ways: using the Vaadin LoginPanel or using Spring MVC Thymeleaf). My problem is that when I have PWAs and I want to implement SSO (Single Sign-On), I tried many ways, but as soon as I inserted @EnableOAuth2Sso in my WebSecurityConfigurerAdapter I ran into many problems. I tried to use the Thymeleaf and Vaadin login views and could not make it work.
Any ideas how I can get PWAs with SSO? Do you have an example?
Thanks in advance.