I know how to implement basic oauth. My problem is that if I make a simple security filter like:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .anyRequest().authenticated()
                )
                .oauth2Login(withDefaults());
        return http.build();
    }
}
```

Then I can address @GetMappings in my browser and get prompted with an OAuth login screen and log in there, but I can’t address a PostMapping or GetMapping in Postman, because it doesn’t redirect to a login screen (you get the HTML for the login screen as the ResponseBody in Postman).

I can get a valid access token from Auth0 via ‘https://{yourDomain}/oauth/token’, but if I simply pass that JWT along as a “Bearer token” in Postman, it doesn’t work. It still shows me the login-screen HTML in the response body.

It seems to me there are two things I can do:

  • Make sure postman bypasses the login screen. I maybe don’t really want to do that, since I want my backend and frontend to communicate their security through jwt. Or else I have to convince other people (from a different department) to change the way they implement frontend security, which is a pain for everyone. (If it needs to happen, it needs to happen though)
  • Make sure the backend parses the jwt somehow. Maybe an extra Filter that checks the jwt’s validity with the provider? I’m not sure how to tackle this.
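The second option from the list above, as an added example that is not code from the original post: the same `SecurityFilterChain` keeps `oauth2Login` for browser users and adds Spring Security's resource-server support so that a request carrying `Authorization: Bearer <jwt>` is validated against the provider's published keys instead of being sent to the login page. The issuer and audience values are assumed placeholders (the `{yourDomain}` form is kept from the question; the API identifier is invented here), and the `AudienceValidator` class is written for this example, not taken from Spring or Auth0.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

import static org.springframework.security.config.Customizer.withDefaults;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumed placeholders: the tenant's issuer URL (trailing slash matters for the
    // "iss" claim) and the API identifier passed as "audience" when calling /oauth/token.
    private static final String ISSUER = "https://{yourDomain}/";
    private static final String AUDIENCE = "https://example-api-identifier";

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        .anyRequest().authenticated()
                )
                // Browser requests without a token are still redirected to the provider's login page.
                .oauth2Login(withDefaults())
                // Requests that carry "Authorization: Bearer <jwt>" are handled as a resource
                // server: an invalid, expired or wrong-audience token gets a 401, not login HTML.
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(jwt -> jwt.decoder(jwtDecoder()))
                );
        return http.build();
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // Reads the issuer's OpenID configuration and JWKS, so signatures are checked
        // against the provider's current public keys (no shared secret in the backend).
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(ISSUER);

        // Default checks (exp/nbf and issuer) plus an audience check, so a token minted
        // for a different API on the same tenant cannot be replayed against this one.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> withAudience = new AudienceValidator(AUDIENCE);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }

    /** Rejects tokens whose "aud" claim does not contain the expected API identifier. */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String expectedAudience;

        AudienceValidator(String expectedAudience) {
            this.expectedAudience = expectedAudience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt token) {
            List<String> audiences = token.getAudience();
            if (audiences != null && audiences.contains(expectedAudience)) {
                return OAuth2TokenValidatorResult.success();
            }
            OAuth2Error error = new OAuth2Error("invalid_token",
                    "The required audience is missing", null);
            return OAuth2TokenValidatorResult.failure(error);
        }
    }
}
```

With both `oauth2Login` and `oauth2ResourceServer` on one chain, Spring Security picks the entry point by request: a request with a `Bearer` header that fails validation gets a `401` with a `WWW-Authenticate` header, while a plain browser request is redirected to the login page as before. The audience check is the part most often skipped; without it any token the same tenant issued for another API would be accepted here.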