CORS configuration not taken into account by Oauth2 client

[Kevinbarre]

Hello @ch4mpy (I'm opening another thread because this question is not directly related to the previous configuration one),

I noticed that my CORS configuration doesn't seem to be taken into account by the Oauth2 client.

I added the following properties in application.yaml:

com:
  c4-soft:
    springaddons:
      oidc:
        cors:
          - path: /**
            allowed-origin-patterns: "http://localhost:3000"

but when the front-end app is performing a back-end call, I get the following error in the browser console:
Access to XMLHttpRequest at 'http://localhost:8080/myapi' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

I tried replacing allowed-origin-patterns value with "*", but I'm getting the same result.

I also tried to manually instantiate a Bean of type CorsFilter in the configuration (adapted from SpringAddonsOidcClientWithLoginBeans.java) :

@Bean
fun corsFilter(addonsProperties: SpringAddonsOidcProperties): CorsFilter {
    val corsProps = ArrayList(addonsProperties.cors)

    return ServletConfigurationSupport.getCorsFilterBean(corsProps)
}

but I still get the same error.

When manually calling the endpoint directly on the back-end server, I don't see any Access-Control-Allow-Origin in the response header in the browser console.

Is there any additional configuration to add to get the CORS configuration applied ? (I saw a comment about deprecated properties at https://github.com/ch4mpy/spring-addons/blob/master/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/synchronised/client/SpringAddonsOidcClientWithLoginBeans.java#L341, maybe I'm using the wrong ones ?)

Thanks

[ch4mpy]

Request authorization in a security filter chain with auth2Login is based on session cookies. For security reasons, these cookies should be flagged SameSite (it should also be HttpOnly and Secure, but this isn't important here).

This means that the browser will set the session cookie with XHR requests to the Spring backend only when these requests are sent by a page satisfying the SameSite policy. If this session cookie is not attached, requests are anonymous (and most likely Unauthorized).

Are you sure that you know how to send requests that are at the same time SameSite and cross-origin?

The BFF tutorial does not need cross-origin configuration because a reverse proxy makes the UI and REST API share the same origin (which ensures that these requests are SameSite). There are quite a few options to achieve this same origin:

• use a standalone Nginx as done in the tutorial
• use a dedicated route for the UI on the gateway (permitAll, without the TokenRelay= filter, and probably processed by a stateless filter-chain)
• use a built-in proxy of a SPA framework dev-server (all of Angular, React, and Vue have such a feature)
• serve UI assets from the static resources of the BFF

If you really want to allow SameSite cross-origin requests to your Spring backend, I need:

• screenshots of the "network" tab in the browser debugging tools showing the CORS error
• BFF logs with DEBUG or TRACE level for org.springframework.security

[Kevinbarre]

Hello @ch4mpy,

Are you sure that you know how to send requests that are at the same time SameSite and cross-origin?

Probably not. My understanding is that http://localhost:3000 and http://localhost:8080 are same-site, but not same origin, and it was working before, so I guess the front-end configuration for sending the requests should be OK, and the issue should come from the back-end CORS configuration.

To be complete, the existing configuration manually defines a DefaultSecurityFilterChain with the following:

http.cors {
    it.configurationSource {
        CorsConfiguration().apply {
            allowedOriginPatterns = listOf("http://localhost:3000")
            allowedMethods = listOf(
                HttpMethod.GET.name(),
                HttpMethod.POST.name(),
                HttpMethod.PUT.name(),
                HttpMethod.DELETE.name(),
                HttpMethod.OPTIONS.name()
            )
            allowedHeaders = listOf("*")
        }
    }
}

so I assume the new CorsFilter bean configuration should replicate this behavior.

If you really want to allow SameSite cross-origin requests to your Spring backend

Yes, I'm not planning on changing the current architecture, I just want to move the Oauth2 client from front-end app to back-end app.

screenshots of the "network" tab in the browser debugging tools showing the CORS error

(I redacted the real endpoint value, I hope it's fine)

BFF logs with DEBUG or TRACE level for org.springframework.security

2025-02-26T11:16:37.429+01:00 TRACE 23061 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain defined as 'springAddonsClientFilterChain' in [class path resource [com/c4_soft/springaddons/security/oidc/starter/synchronised/client/SpringAddonsOidcClientWithLoginBeans.class]] matching [Or [Mvc [pattern='/**']]] and having filters [DisableEncodeUrl, WebAsyncManagerIntegration, SecurityContextHolder, HeaderWriter, Csrf, Logout, OAuth2AuthorizationRequestRedirect, OAuth2LoginAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, SessionManagement, ExceptionTranslation, Authorization] (1/1)
2025-02-26T11:16:37.429+01:00 DEBUG 23061 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Securing POST /v1/xxxxxxxxx
2025-02-26T11:16:37.429+01:00 TRACE 23061 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/14)
2025-02-26T11:16:37.430+01:00 TRACE 23061 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/14)
2025-02-26T11:16:37.431+01:00 TRACE 23061 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/14)
2025-02-26T11:16:37.431+01:00 TRACE 23061 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/14)
2025-02-26T11:16:37.432+01:00 TRACE 23061 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (5/14)
2025-02-26T11:16:37.436+01:00 DEBUG 23061 --- [nio-8080-exec-2] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:8080/api/v1/xxxxxxxxx
2025-02-26T11:16:37.438+01:00 TRACE 23061 --- [nio-8080-exec-2] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]

I see it's mentioning an invalid CSRF token. I tried removing the csrf: cookie-accessible-from-js, but I get the same error. I'm not sure what it means, I'll investigate on this. (I already see in the screenshot the response header set-cookie: XSRF-TOKEN=2f22c695-9fc7-4f32-b929-aa1aa302d643; Path=/api , it's probably related)

Edit: After some reading, it seems the XSRF-TOKEN cookie should be set on the front-end, so it can be sent back to the back-end on PUT, POST and DELETE request. But I guess here as the first query is a POST request, it is first checked that it contains the cookie, which is not the case yet, and then returning the error. Maybe it is expected that the front-end first request back-end with a GET, to check if it is already authenticated or not ?

I tried using configuration csrf: disable to see what happens, and I'm still getting the CORS error, with the following logs :

2025-02-26T16:31:51.703+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain defined as 'springAddonsClientFilterChain' in [class path resource [com/c4_soft/springaddons/security/oidc/starter/synchronised/client/SpringAddonsOidcClientWithLoginBeans.class]] matching [Or [Mvc [pattern='/**']]] and having filters [DisableEncodeUrl, WebAsyncManagerIntegration, SecurityContextHolder, HeaderWriter, Logout, OAuth2AuthorizationRequestRedirect, OAuth2LoginAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, SessionManagement, ExceptionTranslation, Authorization] (1/1)
2025-02-26T16:31:51.706+01:00 DEBUG 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Securing POST /v1/xxxxxxxxx
2025-02-26T16:31:51.710+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/13)
2025-02-26T16:31:51.716+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/13)
2025-02-26T16:31:51.720+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/13)
2025-02-26T16:31:51.722+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/13)
2025-02-26T16:31:51.723+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (5/13)
2025-02-26T16:31:51.724+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Or [Ant [pattern='/logout', GET], Ant [pattern='/logout', POST], Ant [pattern='/logout', PUT], Ant [pattern='/logout', DELETE]]
2025-02-26T16:31:51.724+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking OAuth2AuthorizationRequestRedirectFilter (6/13)
2025-02-26T16:31:51.741+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking OAuth2LoginAuthenticationFilter (7/13)
2025-02-26T16:31:51.741+01:00 TRACE 27503 --- [nio-8080-exec-1] .s.o.c.w.OAuth2LoginAuthenticationFilter : Did not match request to Ant [pattern='/login/oauth2/code/*']
2025-02-26T16:31:51.742+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking RequestCacheAwareFilter (8/13)
2025-02-26T16:31:51.742+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.s.w.s.HttpSessionRequestCache        : matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2025-02-26T16:31:51.742+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderAwareRequestFilter (9/13)
2025-02-26T16:31:51.743+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking AnonymousAuthenticationFilter (10/13)
2025-02-26T16:31:51.744+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking SessionManagementFilter (11/13)
2025-02-26T16:31:51.744+01:00 TRACE 27503 --- [nio-8080-exec-1] w.c.HttpSessionSecurityContextRepository : Did not find SecurityContext in HttpSession 5C845F310CD3C2632DEDE0BAC7704CF3 using the SPRING_SECURITY_CONTEXT session attribute
2025-02-26T16:31:51.745+01:00 TRACE 27503 --- [nio-8080-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2025-02-26T16:31:51.745+01:00 TRACE 27503 --- [nio-8080-exec-1] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2025-02-26T16:31:51.746+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=5C845F310CD3C2632DEDE0BAC7704CF3], Granted Authorities=[ROLE_ANONYMOUS]]
2025-02-26T16:31:51.747+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (12/13)
2025-02-26T16:31:51.747+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.security.web.FilterChainProxy        : Invoking AuthorizationFilter (13/13)
2025-02-26T16:31:51.751+01:00 TRACE 27503 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Authorizing POST /v1/users/synchronize-data
2025-02-26T16:31:51.751+01:00 TRACE 27503 --- [nio-8080-exec-1] estMatcherDelegatingAuthorizationManager : Checking authorization on POST /v1/users/synchronize-data using org.springframework.security.authorization.AuthenticatedAuthorizationManager@9afa738
2025-02-26T16:31:51.758+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=5C845F310CD3C2632DEDE0BAC7704CF3], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.authorization.AuthorizationDeniedException: Access Denied
        at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:99)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:131)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:85)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:198)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
        at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:243)
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
        at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
        at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:238)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:114)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
        at java.base/java.lang.Thread.run(Thread.java:840)

2025-02-26T16:31:51.765+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.s.w.s.HttpSessionRequestCache        : Did not save request since it did not match [And [Not [Ant [pattern='/**/favicon.*']], Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@46f5030f, matchingMediaTypes=[application/json], useEquals=false, ignoredMediaTypes=[*/*]]], Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@46f5030f, matchingMediaTypes=[multipart/form-data], useEquals=false, ignoredMediaTypes=[*/*]]], Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@46f5030f, matchingMediaTypes=[text/event-stream], useEquals=false, ignoredMediaTypes=[*/*]]]]]
2025-02-26T16:31:51.768+01:00 TRACE 27503 --- [nio-8080-exec-1] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]

[ch4mpy]

http://localhost:3000 and http://localhost:8080 are same-site

What about the production base-URLs?

Anyway, I tried to send a cross-origin request from a React app running on http://localhost:3000 to a stateful REST API http://localhost:8080/me and Chrome did not attach the SESSION cookie from http://localhost:8080. So, no, according to Chrome, http://localhost:3000 and http://localhost:8080 do not satisfy the SameSite policy, and there is no other choice than serving the front and back ends from the same origin for requests to be authorized.

I'm not planning on changing the current architecture

You are already changing the architecture: moving the OAuth2 client from the front to the back end and consequently switching from Bearer-based to cookie-based request authorization. Because of that:

• you must now satisfy the SameSite policies that browsers enforce on session cookies (but not on Bearer tokens)
• you must now protect your app against CSRF attacks. As the front-end seems to be a React app, your back-end must now provide an XSRF-TOKEN cookie flagged with HttpOnly=false. As React and Angular handle this cookie transparently (set an X-XSRF-TOKEN token header for POST, PUT, PATCH, or DELETE requests), exposing this cookie to Javascript code should be enough. But be aware that some other frameworks don't set this header for us (Vue, for instance, doesn't), in which case we should write an HTTP interceptor ourselves.

When simulating a call from this frontend, you have to provide a session cookie for an authorized session, and if the request is a POST, PUT, PATCH, or DELETE, with an X-XSRF-TOKEN token header. When using a REST client, providing just a Bearer token is way easier, reason why I advised earlier to use a separate BFF in front of stateless resource server(s): when using Postman, you could query the resource server(s) directly with a Bearer token instead of session cookie + CSRF token header.

Maybe it is expected that the front-end first request back-end with a GET, to check if it is already authenticated or not ?

It would be odd to allow a POST request from a user who hasn't a session yet. But anyway, yes, before sending a POST, PUT, PATCH, or DELETE request to a stateful back-end protected against CSRF, a front-end must send a GET, HEAD, or OPTIONS request to be delivered a CSRF token.

I tried using configuration csrf: disable to see what happens, and I'm still getting the CORS error, with the following logs

What I see there is not a CORS error, it is that the POST request to /v1/users/synchronize-data is not authorized. This is probably because of a missing or invalid session cookie. For some reason, this authorization issue is translated into a redirection, and it seems that it is this redirection that causes a CORS error in the browser. But as I have only partial and "redacted" information, it's hard to tell what happens exactly.

Conclusion

Follow the tutorial:

• a proper REST API should not redirect unauthorized requests (even a stateful REST API). Configure the back end to return 401 Unauthorized, not 302 Redirect to login
• in most cases, browsers won't authorize CROSS origin requests to a stateful back end because of SameSite policies. Serve the front and back ends with the same origin using one of the solutions I listed in my 1st comment

[Kevinbarre]

Hello @ch4mpy,

What about the production base-URLs?

They have the same origin starting from our development environment.

So, no, according to Chrome, http://localhost:3000 and http://localhost:8080 do not satisfy the SameSite policy, and there is no other choice than serving the front and back ends from the same origin for requests to be authorized.

OK thanks, I didn't know that. I'll try to setup a local reverse proxy.

It would be odd to allow a POST request from a user who hasn't a session yet. But anyway, yes, before sending a POST, PUT, PATCH, or DELETE request to a stateful back-end protected against CSRF, a front-end must send a GET, HEAD, or OPTIONS request to be delivered a CSRF token.

OK thanks for confirmation. I'll update the flow to first add a GET request I think.

[Kevinbarre]

OK so here is what I've done so far:

• I followed the BFF tutorial to add a reverse-proxy Spring Cloud Gateway (section 8.2), configured on port 7080, with one configuration for the frontend at port 3000, and one configuration for the backend at port 8080
• I added an additional GET endpoint is-authenticated, which just returns an empty HTTP 200 response, and call it before the POST endpoint in the frontend app main page
• I set the backend configuration to return 401/200 instead of 302 with

oauth2-redirections:
    authentication-entry-point: unauthorized
    pre-authorization-code: ok

• I updated the frontend code handling AxiosError with status 401 to retrieve the location header, perform a get on this URL with query parameter post_login_success_uri set to the frontend app URL, and from this response get the new location header and use it to set window.location.href

I think it should work fine, as when I access the frontend app through the reverse proxy:

• it performs the GET on is-authenticated which returns HTTP 401
• then call the Spring endpoint /oauth2/authorization/myregistration which returns 200 with location header matching the Authorization server
• the browsers then get redirected to this URL, where I can log-in
• then I get redirected back to the backend redirect-uri, which then redirects to the frontend URL.

But then it calls the is-authenticated endpoint which returns again HTTP 401, and the whole process starts over again.

I think the issue is because the browser does not provide any JSESSIONID cookie as request headers to the backend (I don't see them in the debug console, but I see the backend returns a new Set-Cookie with a new JSESSIONID value on each call).

After searching on internet, I tried adding withCredentials: true, on the Axios create configuration, and setting com.c4-soft.springaddons.oidc.cors.allow-credentials: true, but it doesn't change anything. I also tried to set server.servlet.session.cookie.http-only: false, which removes the HttpOnly attribute from the Set-Cookie header, but it doesn't solve the issue.

Do you know if this could be related to some other configuration on the backend ? Or if something should be done on the frontend app to handle the JSESSIONID cookie (but from what I've read, this should be done automatically by the browser) ?

Thanks

[ch4mpy]

I followed the BFF tutorial to add a reverse-proxy Spring Cloud Gateway (section 8.2)

Good thing. Using your UI framework proxy for its dev server would have worked too, but if the standalone proxy you added is already configured, no need to change.

I think the issue is because the browser does not provide any JSESSIONID cookie as request headers to the backend

A cookie not set by the browser is most frequently due to a cross origin request. It could also be due to a request without SSL (http, not https) and a cookie flagged with Secure.

You added a proxy, but do you point your browser and all redirection URIs to this proxy? As usual, I can't spot the issue without logs and configuration.

[Kevinbarre]

Hello @ch4mpy,

A cookie not set by the browser is most frequently due to a cross origin request.

OK. I'm confused because I thought the point of the reverse-proxy was to avoid being in a cross origin situation, but I'm probably missing something here.

It could also be due to a request without SSL (http, not https) and a cookie flagged with Secure.

I'm in http, but I guess the cookie is not flagged with Secure, because by default I see this:

and if I set the configuration server.servlet.session.cookie.secure: true, then I see this:

You added a proxy, but do you point your browser and all redirection URIs to this proxy? As usual, I can't spot the issue without logs and configuration.

Here are the logs from backend:

2025-03-04T10:26:24.149+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain defined as 'springAddonsClientFilterChain' in [class path resource [com/c4_soft/springaddons/security/oidc/starter/synchronised/client/SpringAddonsOidcClientWithLoginBeans.class]] matching [Or [Mvc [pattern='/**']]] and having filters [DisableEncodeUrl, WebAsyncManagerIntegration, SecurityContextHolder, HeaderWriter, Csrf, Logout, OAuth2AuthorizationRequestRedirect, OAuth2LoginAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, SessionManagement, ExceptionTranslation, Authorization] (1/1)
2025-03-04T10:26:24.150+01:00 DEBUG 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Securing GET /v1/users/is-authenticated
2025-03-04T10:26:24.151+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/14)
2025-03-04T10:26:24.155+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/14)
2025-03-04T10:26:24.159+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/14)
2025-03-04T10:26:24.160+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/14)
2025-03-04T10:26:24.160+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (5/14)
2025-03-04T10:26:24.162+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.csrf.CsrfFilter         : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2025-03-04T10:26:24.163+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (6/14)
2025-03-04T10:26:24.164+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2025-03-04T10:26:24.164+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking OAuth2AuthorizationRequestRedirectFilter (7/14)
2025-03-04T10:26:24.166+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking OAuth2LoginAuthenticationFilter (8/14)
2025-03-04T10:26:24.167+01:00 TRACE 28327 --- [nio-8080-exec-8] .s.o.c.w.OAuth2LoginAuthenticationFilter : Did not match request to Ant [pattern='/login/oauth2/code/*']
2025-03-04T10:26:24.167+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking RequestCacheAwareFilter (9/14)
2025-03-04T10:26:24.168+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.s.w.s.HttpSessionRequestCache        : matchingRequestParameterName is required for getMatchingRequest to lookup a value, but not provided
2025-03-04T10:26:24.168+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderAwareRequestFilter (10/14)
2025-03-04T10:26:24.169+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking AnonymousAuthenticationFilter (11/14)
2025-03-04T10:26:24.170+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking SessionManagementFilter (12/14)
2025-03-04T10:26:24.174+01:00 TRACE 28327 --- [nio-8080-exec-8] w.c.HttpSessionSecurityContextRepository : Did not find SecurityContext in HttpSession A72F61890C65AA7B616F4126FB814217 using the SPRING_SECURITY_CONTEXT session attribute
2025-03-04T10:26:24.175+01:00 TRACE 28327 --- [nio-8080-exec-8] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2025-03-04T10:26:24.175+01:00 TRACE 28327 --- [nio-8080-exec-8] .s.s.w.c.SupplierDeferredSecurityContext : Created SecurityContextImpl [Null authentication]
2025-03-04T10:26:24.176+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=A72F61890C65AA7B616F4126FB814217], Granted Authorities=[ROLE_ANONYMOUS]]
2025-03-04T10:26:24.177+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking ExceptionTranslationFilter (13/14)
2025-03-04T10:26:24.178+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.security.web.FilterChainProxy        : Invoking AuthorizationFilter (14/14)
2025-03-04T10:26:24.180+01:00 TRACE 28327 --- [nio-8080-exec-8] estMatcherDelegatingAuthorizationManager : Authorizing GET /v1/users/is-authenticated
2025-03-04T10:26:24.180+01:00 TRACE 28327 --- [nio-8080-exec-8] estMatcherDelegatingAuthorizationManager : Checking authorization on GET /v1/users/is-authenticated using org.springframework.security.authorization.AuthenticatedAuthorizationManager@284eecc4
2025-03-04T10:26:24.181+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.s.w.a.ExceptionTranslationFilter     : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=A72F61890C65AA7B616F4126FB814217], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.authorization.AuthorizationDeniedException: Access Denied
        at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:99)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
        at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:131)
        at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:85)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:179)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:198)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
        at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:243)
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
        at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
        at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:238)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:114)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
        at java.base/java.lang.Thread.run(Thread.java:840)

2025-03-04T10:26:24.182+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.s.w.s.HttpSessionRequestCache        : Did not save request since it did not match [And [Ant [pattern='/**', GET], Not [Ant [pattern='/**/favicon.*']], Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@3d2e1d18, matchingMediaTypes=[application/json], useEquals=false, ignoredMediaTypes=[*/*]]], Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@3d2e1d18, matchingMediaTypes=[multipart/form-data], useEquals=false, ignoredMediaTypes=[*/*]]], Not [MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.ContentNegotiationManager@3d2e1d18, matchingMediaTypes=[text/event-stream], useEquals=false, ignoredMediaTypes=[*/*]]]]]
2025-03-04T10:26:24.183+01:00 TRACE 28327 --- [nio-8080-exec-8] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
2025-03-04T10:26:24.209+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain defined as 'springAddonsClientFilterChain' in [class path resource [com/c4_soft/springaddons/security/oidc/starter/synchronised/client/SpringAddonsOidcClientWithLoginBeans.class]] matching [Or [Mvc [pattern='/**']]] and having filters [DisableEncodeUrl, WebAsyncManagerIntegration, SecurityContextHolder, HeaderWriter, Csrf, Logout, OAuth2AuthorizationRequestRedirect, OAuth2LoginAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, SessionManagement, ExceptionTranslation, Authorization] (1/1)
2025-03-04T10:26:24.210+01:00 DEBUG 28327 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Securing GET /oauth2/authorization/myregistration?post_login_success_uri=http%3A%2F%2Flocalhost%3A7080%2Ffrontend
2025-03-04T10:26:24.210+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/14)
2025-03-04T10:26:24.210+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/14)
2025-03-04T10:26:24.211+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/14)
2025-03-04T10:26:24.211+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/14)
2025-03-04T10:26:24.211+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (5/14)
2025-03-04T10:26:24.212+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.security.web.csrf.CsrfFilter         : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2025-03-04T10:26:24.212+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (6/14)
2025-03-04T10:26:24.213+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2025-03-04T10:26:24.213+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.security.web.FilterChainProxy        : Invoking OAuth2AuthorizationRequestRedirectFilter (7/14)
2025-03-04T10:26:24.216+01:00 TRACE 28327 --- [nio-8080-exec-9] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]
2025-03-04T10:26:26.121+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain defined as 'springAddonsClientFilterChain' in [class path resource [com/c4_soft/springaddons/security/oidc/starter/synchronised/client/SpringAddonsOidcClientWithLoginBeans.class]] matching [Or [Mvc [pattern='/**']]] and having filters [DisableEncodeUrl, WebAsyncManagerIntegration, SecurityContextHolder, HeaderWriter, Csrf, Logout, OAuth2AuthorizationRequestRedirect, OAuth2LoginAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, SessionManagement, ExceptionTranslation, Authorization] (1/1)
2025-03-04T10:26:26.122+01:00 DEBUG 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Securing GET /login/oauth2/code/myregistration?code=w5PBtYjKGDOyoYNKK6QYiWqgncw&iss=xxx&state=p3gFNLcfG_Xe3Zhw2i_-Pxx-_7L1MIx0-2l_yfuQM_U%3D&client_id=XXX
2025-03-04T10:26:26.122+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/14)
2025-03-04T10:26:26.122+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/14)
2025-03-04T10:26:26.122+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/14)
2025-03-04T10:26:26.122+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/14)
2025-03-04T10:26:26.122+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (5/14)
2025-03-04T10:26:26.122+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.csrf.CsrfFilter         : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2025-03-04T10:26:26.122+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (6/14)
2025-03-04T10:26:26.123+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2025-03-04T10:26:26.123+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking OAuth2AuthorizationRequestRedirectFilter (7/14)
2025-03-04T10:26:26.123+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.security.web.FilterChainProxy        : Invoking OAuth2LoginAuthenticationFilter (8/14)
2025-03-04T10:26:26.124+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.s.authentication.ProviderManager     : Authenticating request with OAuth2LoginAuthenticationProvider (1/3)
2025-03-04T10:26:26.124+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.s.authentication.ProviderManager     : Authenticating request with OidcAuthorizationCodeAuthenticationProvider (2/3)
2025-03-04T10:26:26.457+01:00 TRACE 28327 --- [io-8080-exec-10] s.CompositeSessionAuthenticationStrategy : Preparing session with ChangeSessionIdAuthenticationStrategy (1/2)
2025-03-04T10:26:26.457+01:00 DEBUG 28327 --- [io-8080-exec-10] .s.ChangeSessionIdAuthenticationStrategy : Changed session id from D3AAFC84FC72A834171FB32C71565C64
2025-03-04T10:26:26.458+01:00 TRACE 28327 --- [io-8080-exec-10] s.CompositeSessionAuthenticationStrategy : Preparing session with CsrfAuthenticationStrategy (2/2)
2025-03-04T10:26:26.459+01:00 DEBUG 28327 --- [io-8080-exec-10] o.s.s.w.csrf.CsrfAuthenticationStrategy  : Replaced CSRF Token
2025-03-04T10:26:26.459+01:00 DEBUG 28327 --- [io-8080-exec-10] w.c.HttpSessionSecurityContextRepository : Stored SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=XXX]
2025-03-04T10:26:26.460+01:00 DEBUG 28327 --- [io-8080-exec-10] .s.o.c.w.OAuth2LoginAuthenticationFilter : Set SecurityContextHolder to OAuth2AuthenticationToken [Principal=XXX]
2025-03-04T10:26:26.460+01:00 TRACE 28327 --- [io-8080-exec-10] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]

and from the browser console:

Here are the related parts of the backend configuration:

spring:
  security:
    oauth2:
      client:
        provider:
          myprovider:
            issuer-uri: https://xxx
        registration:
          myregistration:
            authorization-grant-type: authorization_code
            client-name: XXX
            client-id: XXX
            client-secret: XXX
            provider: myprovider
            scope: profile,other,occupation,manager,address,email,facility,roles,openid

com:
  c4-soft:
    springaddons:
      oidc:
        client:
          csrf: cookie-accessible-from-js
          security-matchers:
            - /**
          permit-all:
            - /restricted/**
            - /oauth2/**
            - /
          login-uri: /oauth2/authorization/myregistration
          client-uri: http://localhost:8080
          oauth2-redirections:
            authentication-entry-point: unauthorized
            pre-authorization-code: ok
        cors:
          - path: /**
            allowed-origin-patterns: "http://localhost:7080"
            allow-credentials: true

server:
  servlet:
    context-path: /api
    session:
      cookie:
        http-only: false

For me everything is configured to go through the proxy, except the client-uri which is still is http://localhost:8080 otherwise it will be rejected by the authorization server until I ask them to add the new URI. But I don't think this is the reason that the cookie is not stored on the frontend.

Let me know if there are other logs/configurations that I missed that might be needed for debugging ?

Thanks

[ch4mpy]

I'm confused because I thought the point of the reverse-proxy was to avoid being in a cross origin situation, but I'm probably missing something here.

A reverse-proxy can give the same origin only to requests that go through it...

everything is configured to go through the proxy, except the client-uri which is still is http://localhost:8080

About the client-uri in the 1st issue you opened: "This enables using something else than the internal host name and port and is pretty convenient when using a reverse proxy"

The generated documentation for the client-uri property (should pop-up when overring it in your IDE):

Section 4.5. of the Baeldung article: "Here, with the client-uri property, we force the usage of the reverse-proxy URI as a base for all redirections (instead of the BFF internal URI)". And in the source code, the property is set as follows: client-uri: ${reverse-proxy-uri}${bff-prefix}

I don't know how to be clearer than in my preceding comment and the references above: point your browser and all redirection URIs to the reverse proxy.

I don't think this is the reason that the cookie is not stored on the frontend.

A session cookie should be flagged with HttpOnly, meaning it is stored in the browser but not accessible to the Javascript code (your React frontend) to protect them against XSS. I already wrote that the browser does not attach the SameSite cookies set by http://localhost:8080 to XHR requests sent with http://localhost:3000 as origin and that you should use something to have both served with the same origin.

If you can't easily update the authorization server "Valid redirect URIs" configuration, switch the BFF and proxy ports (use 7080 for the BFF and 8080 for the Nginx instance).

[Kevinbarre]

I don't know how to be clearer than in my preceding comment and the references above: point your browser and all redirection URIs to the reverse proxy.

OK I'll request the new redirect_uri on the authorization server so that client-uri can be updated as well

I already wrote that the browser does not attach the SameSite cookies set by http://localhost:8080 to XHR requests sent with http://localhost:3000 as origin and that you should use something to have both served with the same origin.

Currently I have the XHR requests sent by http://localhost:7080/frontend to http://localhost:7080/backend, but the Cookie is still not set between the first request and the second one. This is what I don't understand how to fix.

If you can't easily update the authorization server "Valid redirect URIs" configuration, switch the BFF and proxy ports (use 7080 for the BFF and 8080 for the Nginx instance).

I don't think it will work, as I will also have the prefix /backend in the url, which will not match. As stated above, I'll request the new redirect_uri, but I still don't understand how it would fix the cookie not set issue.

Edit: Just tested it, and I confirm I get a redirect_uri_mismatch error.

Edit 2: The redirect_uri has been added on the authorization server. I tested again with client-uri: http://localhost:7080/backend, and I'm now having an error during the call to http://localhost:7080/backend/api/login/oauth2/code/myregistration endpoint, which returns HTTP 302 with a redirect to /?error=[authorization_request_not_found]%20 instead of the URL provided as post_login_success_uri.

I have the following logs on the backend for this call:

2025-03-05T15:00:58.769+01:00 DEBUG 26695 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Securing GET /login/oauth2/code/myregistration?code=fIUDDnkXeUDAGPspBZRBiba29R8&iss=xxx&state=DyjyjSqhlT5zBUcfKZXfFOhEN_dahLdgmx3DQKJYFsI%3D&client_id=XXX
2025-03-05T15:00:58.769+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Invoking DisableEncodeUrlFilter (1/14)
2025-03-05T15:00:58.770+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Invoking WebAsyncManagerIntegrationFilter (2/14)
2025-03-05T15:00:58.770+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Invoking SecurityContextHolderFilter (3/14)
2025-03-05T15:00:58.770+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Invoking HeaderWriterFilter (4/14)
2025-03-05T15:00:58.770+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Invoking CsrfFilter (5/14)
2025-03-05T15:00:58.770+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.security.web.csrf.CsrfFilter         : Did not protect against CSRF since request did not match CsrfNotRequired [TRACE, HEAD, GET, OPTIONS]
2025-03-05T15:00:58.770+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Invoking LogoutFilter (6/14)
2025-03-05T15:00:58.770+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.s.w.a.logout.LogoutFilter            : Did not match request to Ant [pattern='/logout', POST]
2025-03-05T15:00:58.771+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Invoking OAuth2AuthorizationRequestRedirectFilter (7/14)
2025-03-05T15:00:58.773+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Invoking OAuth2LoginAuthenticationFilter (8/14)
2025-03-05T15:00:58.778+01:00 TRACE 26695 --- [nio-8080-exec-3] .s.o.c.w.OAuth2LoginAuthenticationFilter : Failed to process authentication request

org.springframework.security.oauth2.core.OAuth2AuthenticationException: [authorization_request_not_found]
        at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:173)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:231)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:198)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:227)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)
        at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:323)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:224)
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:137)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191)
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
        at org.springframework.web.servlet.handler.HandlerMappingIntrospector.lambda$createCacheFilter$3(HandlerMappingIntrospector.java:243)
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:113)
        at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:74)
        at org.springframework.security.config.annotation.web.configuration.WebMvcSecurityConfiguration$CompositeFilterChainProxy.doFilter(WebMvcSecurityConfiguration.java:238)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:362)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:278)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:114)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:115)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:397)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:905)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1741)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
        at java.base/java.lang.Thread.run(Thread.java:840)

2025-03-05T15:00:58.781+01:00 TRACE 26695 --- [nio-8080-exec-3] .s.o.c.w.OAuth2LoginAuthenticationFilter : Cleared SecurityContextHolder
2025-03-05T15:00:58.782+01:00 TRACE 26695 --- [nio-8080-exec-3] .s.o.c.w.OAuth2LoginAuthenticationFilter : Handling authentication failure
2025-03-05T15:00:58.787+01:00 TRACE 26695 --- [nio-8080-exec-3] o.s.s.w.header.writers.HstsHeaderWriter  : Not injecting HSTS header since it did not match request to [Is Secure]

I don't understand why going through the proxy for this call is not correctly handled.

[Kevinbarre]

Hello @ch4mpy,

With the help of other developers, we've finally figured out what was the issue.

The path in the Set-Cookie was defaulting to /api which was the context-path of the backend, but because of the reverse-proxy, it has to be overriden to /backend/api so the frontend reuse it.

So adding the following configuration makes the cookie properly provided to the backend:

server:
  servlet:
    context-path: /api
    session:
      cookie:
        path: /backend/api

which is also fixing the authorization_request_not_found error above.

Now I think we have a similar issue with the default XSRF-TOKEN cookie, which is also configured with path /api.

I'll check how to update it with spring-addons

Edit: I ended up removing the above configuration, and instead handling the prefix in the reverse-proxy directly, with a RewriteResponseHeader filter:

      # BFF
      - id: backend
        uri: ${bff-uri}
        predicates:
        - Path=${bff-prefix}/**
        filters:
        - StripPrefix=1
        - RewriteResponseHeader=Set-Cookie, , Path=(.+), Path=${bff-prefix}$1

This handles both JSESSIONID and XSRF-TOKEN cookies, I guess this is cleaner.

Now I get successfully authenticated, but then I get a HTTP 403 on the first POST request. I can see a log from CsrfFilter indicating that the CSRF token is invalid.

After debugging, I see in CsrfTokenRequestHandler that the request correctly have a Cookie XSRF-TOKEN, but it doesn't have an header X-XSRF-TOKEN nor a _csrf parameter, so the actualToken value is null. I tried adding withXSRFToken: true in axios.create but it doesn't add the header, I don't know why.

The configuration csrf: cookie-accessible-from-js is correctly set, and I confirm the cookie is not set as HttpOnly

so from what I've read, it should be added automatically as header.

Edit 2: It seems the issue was also with the path. If set to /backend/api, then the frontend app cannot access it's value to set it as header. I updated the reverse proxy configuration so that only the JSESSIONID has Path=/backend/api, and XSRF-TOKEN has Path=/ so it can be accessed on both backend and frontend apps.
Here is the configuration:

      # BFF
      - id: backend
        uri: ${bff-uri}
        predicates:
        - Path=${bff-prefix}/**
        filters:
        - StripPrefix=1
        - RewriteResponseHeader=Set-Cookie, JSESSIONID=(.+); Path=(.+), JSESSIONID=$1; Path=${bff-prefix}$2
        - RewriteResponseHeader=Set-Cookie, XSRF-TOKEN=(.+); Path=(.+), XSRF-TOKEN=$1; Path=/

[ch4mpy]

Maybe you don't need a context-path at all in the Spring application: one is already used at the gateway level (and removed by the StripPrefix=1 filter). Without this context path, the default cookie path is /, and you're at the same point as with your 2nd edit.

Note that if the production server hosts several applications, you may want to set a context-path or session.cookie.path specific to the application you're working on. Just remember that the path set for the cookie must be a parent for the base path used for the UI and the API. In your current conf, / is a parent of /backend/api and /frontend. But you could have to configure something like /machin with /machin/backend and /machin/frontend to avoid collisions with /truc and /bidule applications hosted on the same server (both having a /frontend and a /backend)

[Kevinbarre]

Hello @ch4mpy,

Thanks for feedback. I think context-path is used in deployed environments to handle redirection to the backend APIs. As I only have 3 days left and will probably not have the ability to test it on our development environment, I'd prefer not to change it for now, and finalize the work already done locally.