Skip to content

api: move JwtAuthFilter ahead of Spring SAS validating filter#184

Merged
ExtraToast merged 1 commit into
mainfrom
platform/oidc-jwtfilter-order
May 10, 2026
Merged

api: move JwtAuthFilter ahead of Spring SAS validating filter#184
ExtraToast merged 1 commit into
mainfrom
platform/oidc-jwtfilter-order

Conversation

@ExtraToast

Copy link
Copy Markdown
Contributor

Vault OIDC sign-in 302s to ?error=invalid_request&error_description=OAuth 2.0 Parameter: principal because JwtAuthFilter was positioned too late in the auth-server chain.

Spring SAS 7's OAuth2AuthorizationCodeRequestValidatingFilter (registered before AbstractPreAuthenticatedProcessingFilter) snapshots SecurityContextHolder into a request attribute. OAuth2AuthorizationEndpointFilter later reuses that snapshot. JwtAuthFilter was added before UsernamePasswordAuthenticationFilter, which runs after the validating filter — so the snapshot was always anonymous even when the BSH_AUTH cookie was valid.

Move it to after SecurityContextHolderFilter so it runs first, like personal-stack-2 gets via HttpSessionSecurityContextRepository. Also reverts the anonymousAuthorizeLoginRedirect workaround from #183 — no longer needed once the snapshot is correct.

@ExtraToast ExtraToast added the bug Something isn't working label May 10, 2026
@ExtraToast ExtraToast self-assigned this May 10, 2026
@ExtraToast ExtraToast added the bug Something isn't working label May 10, 2026
@ExtraToast ExtraToast merged commit d1a7121 into main May 10, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant