Oauth2, angular and spring webflux

I’m trying to get around these topics and I found really great tutorials on your forums.

The one tutorial that is exactly how I want to implement my authentication scheme is :
Use React and Spring Boot to Build a Simple CRUD App

The only distinction is that I use spring webflux and angular. I get stuck because my RequestCache bean is overwritten by springsecuritywebflux. Thus I’m redirected to the default (/) on :8080 instead of :4200

Can you offer some guidance?

Thanks and best regards,

You can try modifying your Angular app so it redirects to http://localhost:8080/login/oauth2/code/okta instead of just /login or /private. That way, Spring Security will redirect back to the referrer automatically (which will be http://localhost:4200 in your case).

It seems that I have gotten a bit further :slight_smile: now I receive an error : OAuth2AuthorizationException: [authorization_request_not_found]

Although, previously I was getting to the authorization server and now, I’m not.

Thanks for your help!

Make sure you’re using the issuer for your default authorization server (it should end in /oauth2/default and not have -admin in the URL).

When I set it ot the url : http://localhost:8080/login/oauth2/code/okta , I receive an error because the “?code=” part is missing.

When I use another link that is protected and that I log in, I am referred back to say : http://localhost:8080/private instead of http://localhost:4200/home. I do the redirection in an Authenticated Guard in Angular with location.href.

I’m a bit at lost here. I could use some host trick to make it work, but your solution seemed perfect for development :slight_smile:


Hmmmm, I’m not sure what the problem could be. Are you able to push your app to GitHub so I can take a look at your code?

The problem really lies into the RequestCache. I did what you did… well in a similar way.

    ServerRequestCache serverRequestCache() {
        return new WebSessionServerRequestCache() {
            private final ServerWebExchangeMatcher serverWebExchangeMatcher = createDefaultRequestMatcher();

            public Mono<Void> saveRequest(ServerWebExchange exchange) {
                Optional<String> referrer = Optional.ofNullable(

                return this.serverWebExchangeMatcher.matches(exchange)
                    .filter(m -> m.isMatch())
                    .flatMap(m -> exchange.getSession())
                    .doOnNext(attrs -> attrs.put(DEFAULT_SAVED_REQUEST_ATTR, referrer.orElse("")))

            private ServerWebExchangeMatcher createDefaultRequestMatcher() {
                ServerWebExchangeMatcher get = ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/**");
                ServerWebExchangeMatcher notFavicon = new NegatedServerWebExchangeMatcher(ServerWebExchangeMatchers.pathMatchers("/favicon.*"));
                MediaTypeServerWebExchangeMatcher html = new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_HTML);
                return new AndServerWebExchangeMatcher(get, notFavicon, html);

But my ServerRequestCache is never called…

Here’s how it’s registered :

    SecurityWebFilterChain configure(ServerHttpSecurity http) {
        return http.build();

Ok forget it! I just rewrote everything to what I’ve shared with you and it does work :slight_smile:

1 Like

@christiangoudreau, although I think this should work, I don’t think this would work since adding this RequestCache currently only affects the OAuth2AuthorizationRequestRedirectWebFilter and not the RedirectServerAuthenticationEntryPoint. See https://github.com/spring-projects/spring-security/blob/5.2.1.RELEASE/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java#L1184
I’ve created an issue for this on spring-security: https://github.com/spring-projects/spring-security/issues/7721