flow: Cannot navigate to secured View when not logged in for OAuth2
Description of the bug
When using a RouterLink or Anchor to a secured @Route with @PermitAll, an error page is displayed when not logged in.
Could not navigate to ‘<page>’ Available routes:
Expected behavior
A login page should be shown. Azure calls it a user flow: https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview.
Adding router-ignore makes it work. I have added router-ignore to the /logout link which is not a Vaadin route.
Minimal reproducible example
It is the same behavior for com.azure.spring:spring-cloud-azure-starter-active-directory-b2c:4.3.0 and org.springframework.boot:spring-boot-starter-oauth2-client:2.6.7. For Azure B2C the config is:
// SecurityConfig.java
import com.azure.spring.cloud.autoconfigure.aadb2c.AadB2cOidcLoginConfigurer;
import com.vaadin.flow.spring.security.VaadinWebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

@EnableWebSecurity
public class SecurityConfig extends VaadinWebSecurityConfigurerAdapter {
    private final AadB2cOidcLoginConfigurer configurer;

    public SecurityConfig(AadB2cOidcLoginConfigurer configurer) {
        this.configurer = configurer;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);  // Vaadin defaults: static resources, ViewAccessChecker
        http.apply(configurer); // Azure AD B2C OIDC login (user flow)
    }
}

// VaadinHelloView.java
import com.vaadin.flow.component.html.H1;
import com.vaadin.flow.component.orderedlayout.VerticalLayout;
import com.vaadin.flow.router.Route;
import javax.annotation.security.PermitAll;

@Route("vaadin-hello")
@PermitAll
public class VaadinHelloView extends VerticalLayout {
    public VaadinHelloView() {
        add(new H1("Hello from VAADIN"));
    }
}
Versions
- Vaadin: 23.2.0.alpha3
- Flow: 23.2.0.alpha2
- Java: JetBrains s.r.o. 17.0.2
- OS: amd64 Windows 10 10.0
- Browser: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
- Live reload: Java active (HotswapAgent): Front end active
- IntelliJ Tomcat
About this issue
- State: closed
- Created 2 years ago
- Comments: 41 (10 by maintainers)
Commits related to this issue
- fix: Fix navigation to secured view with oauth2 without router-ignore (#14523) This is to fix the problem of navigating to a secured view from a public view before login in while using the OAuth2 ex... — committed to vaadin/flow by taefi 2 years ago
- fix: Fix navigation to secured view with oauth2 without router-ignore (#14523) (#14653) This is to fix the problem of navigating to a secured view from a public view before login in while using the ... — committed to vaadin/flow by vaadin-bot 2 years ago
- fix: Fix navigation to secured view with oauth2 without router-ignore (#14523) This is to fix the problem of navigating to a secured view from a public view before login in while using the OAuth2 ext... — committed to vaadin/flow by taefi 2 years ago
- fix: Fix navigation to secured view with oauth2 without router-ignore (#14523) (CP: 23.1) (#14655) This is to fix the problem of navigating to a secured view from a public view before login in while... — committed to vaadin/flow by mcollovati 2 years ago
Seems a good topic for a cookbook
This is to be expected - see https://stackoverflow.com/a/58199008/1662997
So if you take this app and tell Vaadin about where the login view is, using
setLoginView(http, "/oauth2/authorization/google");
then it will redirect to the login view also when navigating.

I investigated this issue in more detail. If I create a Vaadin application from start.vaadin.com with two views, one that is public and the other one secured, and if I add a link from the public page to the secured page, when the user clicks on the link, they are redirected to the login page, and after entering the credentials they are redirected to the secured page. This works just fine and you can test it with this project: secured-app.zip
If I modify that project just a little bit to add support for OAuth2 authentication (I'm attaching also this project: secured-app-oauth2.zip; for testing it, you have to follow step 1 of this tutorial and then modify the application.properties as explained in step 3) then the behavior is as follows: when the user clicks on the link they are shown a page that says:

This is a wrong behavior: the server is not allowing navigation to that page, but it is not redirecting to the login page like in the plain login example. This, of course, can be avoided by using router-ignore as explained by @knoobie earlier, but it is not a perfect solution (you have to remember to do that for every single link in public pages that targets internal pages, and if you forget to do that it is hard for a new developer to realize what the problem is). The server side should figure out the issue and send a redirect to the configured login page. If you just refresh the "Could not navigate to 'hello'" page, it will redirect you to the Google login page.
@knoobie Thanks! I updated my post.
@svein-loken Keep in mind that this usage of executeJs leaves you open to attacks. You should convert this to the usage shown here: https://vaadin.com/docs/latest/security/advanced-topics/vulnerabilities/#running-custom-javascript