4

I have an OAuth2 flow (implemented using spring-boot-starter-security and spring-security-oauth2-client).

  1. The client goes to /authorize/{provider}?redirect_uri={redirectURL}
  2. The client is shown the login page of the provider and is asked to authorize
  3. Once the client (JavaScript) authorizes the application, the resource server (Spring Boot 2.2.3) exchanges the authorization code with the provider's authorization server for an access token
  4. The resource server then sends the client to the redirectURL with a JWT token set in the cookie as follows:

    // javax.servlet.http.Cookie; `response` is the HttpServletResponse of the redirect
    Cookie cookie = new Cookie("token", token);
    long expiryMsec = appProperties.getAuth().getTokenExpirationMsec();
    int expiry = (int) Math.floor(expiryMsec / 1000.0);   // Max-Age is in whole seconds
    cookie.setMaxAge(expiry);
    cookie.setHttpOnly(true);                             // not readable from JavaScript
    // No Path, Secure or SameSite attribute is set here, so the browser applies
    // the default Path (the directory of the request URI that produced this response).

    response.addCookie(cookie);
    

However, this cookie isn't set, and when the next request comes in the cookies are still empty. I think the cookie is being lost during redirection, or Chrome is not allowing the cookie to be set because of origin issues. Whatever the reason may be, is there any workaround for this? I don't want to set the cookie from the client.

I am using Chrome 79.0.3945.130

References:

https://github.com/request/request/issues/1502

Chrome doesn't send cookies after redirect

Raj Shah
  • 766
  • 7
  • 15
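Added example (not the original poster's code, and not the project's own success handler): the same step 4, setting the JWT cookie on the redirect response with every attribute spelled out and refusing to redirect to an origin that is not on an allow-list, since `redirect_uri` in step 1 is supplied by the client. It uses `org.springframework.http.ResponseCookie`, which ships with the Spring Framework that Spring Boot 2.2.x depends on and, unlike `javax.servlet.http.Cookie`, can emit a `SameSite` attribute. The class name, the allow-list and the `tokenTtl` value are assumptions; wiring it into an `AuthenticationSuccessHandler` is left out.

```java
package example.auth; // hypothetical package name

import java.io.IOException;
import java.net.URI;
import java.time.Duration;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.http.HttpHeaders;
import org.springframework.http.ResponseCookie;

/**
 * Sets the JWT cookie on the OAuth2 callback response and redirects the
 * browser to the client-supplied redirect_uri, but only if that URI's origin
 * is on the allow-list. Added example, not the original poster's code.
 */
public final class TokenCookieRedirect {

    private static final String COOKIE_NAME = "token";

    // Hypothetical allow-list of "scheme://host[:port]" origins (lower-case);
    // in a real deployment this comes from configuration.
    private final Set<String> allowedRedirectOrigins;
    private final Duration tokenTtl;

    public TokenCookieRedirect(Set<String> allowedRedirectOrigins, Duration tokenTtl) {
        this.allowedRedirectOrigins = allowedRedirectOrigins;
        this.tokenTtl = tokenTtl;
    }

    /** Builds the Set-Cookie value for the JWT with explicit scope and flags. */
    public ResponseCookie buildTokenCookie(String jwt, boolean httpsOnly) {
        return ResponseCookie.from(COOKIE_NAME, jwt)
                .path("/")              // otherwise the browser scopes it to the callback path
                .httpOnly(true)         // not readable from JavaScript
                .secure(httpsOnly)      // only over HTTPS (false only for local HTTP testing)
                .sameSite("Lax")        // still sent on the top-level redirect, withheld on cross-site POSTs
                .maxAge(tokenTtl)       // Max-Age in seconds, derived from the Duration
                .build();
    }

    /** True if redirectUri is absolute and its scheme://host[:port] is allow-listed. */
    public boolean isAllowedRedirect(String redirectUri) {
        try {
            URI uri = URI.create(redirectUri);
            if (uri.getScheme() == null || uri.getHost() == null) {
                return false;          // relative or malformed: reject rather than guess
            }
            String origin = uri.getScheme() + "://" + uri.getHost()
                    + (uri.getPort() == -1 ? "" : ":" + uri.getPort());
            return allowedRedirectOrigins.contains(origin.toLowerCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    /** Step 4 of the flow: set the cookie, then 302 to the validated redirect_uri. */
    public void sendTokenAndRedirect(HttpServletRequest request, HttpServletResponse response,
                                     String jwt, String redirectUri) throws IOException {
        if (!isAllowedRedirect(redirectUri)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "redirect_uri not allowed");
            return;
        }
        ResponseCookie cookie = buildTokenCookie(jwt, request.isSecure());
        // The cookie belongs to the origin that sends this response (the resource
        // server), not to the redirect target, so add it before committing the redirect.
        response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
        response.sendRedirect(redirectUri);
    }
}
```

Two things to check in the browser's developer tools after the callback: the `Set-Cookie` header on the 302 response should carry `Path=/` (a cookie set without `Path` while answering `/oauth2/callback/{provider}` is only sent back on requests under `/oauth2/callback/`), and the origin of `redirect_uri` should match the origin the API is later called from, because the cookie is stored for the resource server's host and is only attached to requests to that host. Chrome 80 and later also treat cookies without a `SameSite` attribute as `Lax`, so setting it explicitly keeps the behaviour the same across versions.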

0 Answers