My application consists of an Angular UI and a Spring backend. Both are bundled together and deployed on the same server. I am new to Spring Security/OAuth2 and I find it very confusing. I will be exposing a few APIs which could be consumed either from the UI or from Postman/Swagger. I have successfully configured OAuth2ResourceServer of Spring Security 5 for this and it works perfectly fine. When I call the API with a bearer token, it works as expected.
http.requestMatchers().antMatchers("/api/**")
.and().authorizeRequests().anyRequest().authenticated()
.and().oauth2ResourceServer().jwt();
Now, I also have to configure the same for when the API calls are made from the UI. This is very confusing. I have tried to create a separate http config as follows:
http.antMatcher("/**").authorizeRequests()
.antMatchers("/").permitAll()
.anyRequest().authenticated()
.and()
.oauth2Login();
...
...
I don't really know how to proceed. I have configured clientid, clientSecret, authorization-grant-type, redirect-uri, scope, authorization-uri and token-uri in the application.properties file. The expectation is to prompt the user with a centralised login page and somehow exchange the grant code for an access token (JWT). All requests from the UI must contain this token in their headers to access the API, which I have described above (Resource Server config). Again, I am confused as to whether to store the token in a header or a cookie.
Apologies if I am not clear. My understanding of OAuth2 is very basic; I am trying to read through pages of documentation, but it is making little sense to me.
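The two-chain setup described in the question, written out as an added example (this is editor-supplied illustration code, not code from the question or from Spring itself). It assumes Spring Boot 2.x with Spring Security 5.2+ (the lambda DSL) and a client registration named `myprovider` under `spring.security.oauth2.client.registration.myprovider.*`, plus `spring.security.oauth2.resourceserver.jwt.issuer-uri` (or `jwk-set-uri`) pointing at the same authorization server; the package name, the `/token` path and the static-asset patterns are assumptions.

```java
package example.security; // hypothetical package name

import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Two independent filter chains, ordered so the API chain is consulted first.
 * A request is handled by exactly one chain: the first whose matcher accepts it.
 */
public class SecurityConfig {

    /** Chain 1: /api/** is a resource server. Only a "Authorization: Bearer <jwt>" header authenticates here. */
    @Configuration
    @Order(1)
    public static class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/api/**")                          // this chain claims only /api/** requests
                .authorizeRequests(a -> a.anyRequest().authenticated())
                .oauth2ResourceServer(rs -> rs.jwt());          // JWT signature/issuer/expiry checked via resourceserver.jwt.* properties
            // No session is needed for bearer requests; stateless is the usual choice for an API chain.
            http.sessionManagement().sessionCreationPolicy(
                org.springframework.security.config.http.SessionCreationPolicy.STATELESS);
        }
    }

    /** Chain 2: everything else (the Angular UI). Unauthenticated users are redirected to the provider's login page. */
    @Configuration
    @Order(2)
    public static class UiSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests(a -> a
                    .antMatchers("/", "/index.html", "/*.js", "/*.css", "/assets/**").permitAll() // static bundle
                    .anyRequest().authenticated())
                .oauth2Login(Customizer.withDefaults());        // authorization-code flow; Spring exchanges the code for tokens
            // Result of a successful login: a server-side session identified by the JSESSIONID cookie.
            // The access token lives in the session (OAuth2AuthorizedClientService), not in the browser.
        }
    }

    /**
     * Optional bridge for the "token in the Authorization header" expectation from the question:
     * the SPA calls GET /token with its session cookie (handled by chain 2, so it must be logged in),
     * receives the access token, and then sends it as "Authorization: Bearer ..." to /api/** (chain 1).
     */
    @RestController
    public static class TokenController {
        @GetMapping("/token")
        public Map<String, String> token(
                @RegisteredOAuth2AuthorizedClient("myprovider") OAuth2AuthorizedClient client) { // "myprovider" is an assumed registration id
            return Collections.singletonMap("access_token", client.getAccessToken().getTokenValue());
        }
    }
}
```

Two points worth checking before relying on this. First, chain 1 only validates the token as a JWT if the authorization server issues JWT access tokens; an opaque token from oauth2Login will be rejected by `.jwt()` even though the login itself succeeded. Second, handing the token to Angular via `/token` puts it in JavaScript-reachable memory, so any XSS in the UI can steal it; since the UI and backend are served from the same origin, the simpler and safer alternative is to drop the bridge, let the browser call the API with the session cookie (keeping Spring's CSRF protection on), and reserve the bearer-token chain for Postman/Swagger and other non-browser clients.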