I would like to use FEDIZ WS-federation in a setup where Authentication
is delegated to an external OAuth provider.
Per my understanding, this is more related to configuration with Spring
Security than core FEDIZ, but thought it best to ask this forum for
advice on how to do it right. My use case is as follows:
1. User accesses RP
2. RP redirects to IDP with signin request
3. IDP should redirect to OAuth provider with grant type = code
4. OAuth provider to redirect to Authorization server
5. On successful AuthN, OAuth provider to return with code to IDP
6. IDP can exchange code for access token and establish identity
7. Normal STS flows continue
I have read some spring security documentation that suggests the
approach of extending the AbstractPreAuthenticatedProcessingFilter and
implementing AuthenticationUserDetailsService interface.
AbstractPreAuthenticatedProcessingFilter assumes that the user has been
authenticated via some other means and the identity can be established
via some http header etc.
My problem is that I don't know who is responsible for the initial
redirection to the external OAuth server. Should I just implement a
Filter "customOAuthSessionCheckFilter" that does this redirection and
add it to the SpringSecurityFilterChain?
Something like:
<!-- web.xml: hand every request to the Spring-managed filter chain -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Spring context (needs the sec namespace declared): the bean the proxy delegates to -->
<bean id="springSecurityFilterChain"
      class="org.springframework.security.util.FilterChainProxy">
    <sec:filter-chain-map path-type="ant">
        <!-- static resources bypass authentication entirely -->
        <sec:filter-chain pattern="/css/**" filters="none"/>
        <sec:filter-chain pattern="/js/**" filters="none"/>
        <sec:filter-chain pattern="/img/**" filters="none"/>
        <!-- everything else: OAuth session check first, then the pre-authenticated filter -->
        <sec:filter-chain pattern="/**"
                          filters="customOAuthSessionCheckFilter, preAuthenticatedProcessingFilter"/>
    </sec:filter-chain-map>
</bean>
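As an added illustration (not code from the original post, Fediz or Spring Security), here is one shape the "customOAuthSessionCheckFilter" placed ahead of the pre-authenticated filter could take: it starts the authorization-code flow of step 3 when the session carries no identity, and on the provider's callback (step 5) verifies the state parameter before exchanging the code (step 6). The TokenExchanger interface, the session attribute names and the callback servlet path are assumptions; the class is a Spring OncePerRequestFilter so it can be wired as the bean referenced in the chain above.

```java
import java.io.IOException;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.filter.OncePerRequestFilter;
/** Assumed collaborator for step 6: POSTs the code to the token endpoint and returns the access token. */
interface TokenExchanger { String exchange(String code, String redirectUri) throws IOException; }
/** Runs ahead of the pre-authenticated filter: starts the code flow (step 3) or completes it (steps 5-6). */
public class CustomOAuthSessionCheckFilter extends OncePerRequestFilter {
    static final String TOKEN_ATTR = "oauth.accessToken", STATE_ATTR = "oauth.state", TARGET_ATTR = "oauth.target";
    private final String authorizeUrl, clientId, redirectUri, callbackPath; // callbackPath: servlet path of redirectUri
    private final TokenExchanger exchanger;
    private final SecureRandom random = new SecureRandom();
    public CustomOAuthSessionCheckFilter(String authorizeUrl, String clientId, String redirectUri,
                                         String callbackPath, TokenExchanger exchanger) {
        this.authorizeUrl = authorizeUrl; this.clientId = clientId; this.redirectUri = redirectUri;
        this.callbackPath = callbackPath; this.exchanger = exchanger;
    }
    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse resp, FilterChain chain)
            throws ServletException, IOException {
        HttpSession session = req.getSession(true);
        // Identity already established on this session: let the pre-authenticated filter consume it.
        if (session.getAttribute(TOKEN_ATTR) != null) { chain.doFilter(req, resp); return; }
        if (callbackPath.equals(req.getServletPath())) { // step 5: provider returned code + state
            String expected = (String) session.getAttribute(STATE_ATTR);
            session.removeAttribute(STATE_ATTR); // single use, whether or not the check passes
            String code = req.getParameter("code");
            if (expected == null || !expected.equals(req.getParameter("state")) || code == null) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "OAuth callback rejected"); return;
            }
            session.setAttribute(TOKEN_ATTR, exchanger.exchange(code, redirectUri)); // step 6
            Object target = session.getAttribute(TARGET_ATTR);
            resp.sendRedirect(target == null ? req.getContextPath() + "/" : target.toString()); // resume signin
            return;
        }
        // Step 3: no identity yet, bind a fresh state to the session and send the browser to the provider.
        byte[] nonce = new byte[16]; random.nextBytes(nonce);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
        session.setAttribute(STATE_ATTR, state);
        session.setAttribute(TARGET_ATTR, req.getRequestURL().append(req.getQueryString() == null ? "" : "?" + req.getQueryString()).toString());
        resp.sendRedirect(authorizeUrl + "?response_type=code&client_id=" + URLEncoder.encode(clientId, "UTF-8")
                + "&redirect_uri=" + URLEncoder.encode(redirectUri, "UTF-8") + "&state=" + URLEncoder.encode(state, "UTF-8"));
    }
}
```

The pre-authenticated filter that follows in the chain would then read the "oauth.accessToken" session attribute (rather than an HTTP header) to build the principal, so the filter order in the chain-map above is what makes the pre-authentication assumption hold.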