
Should I use both SocialAuthenticationFilter and ProviderSignInController together

In Short

Authentication events are not fired when using ProviderSigninController. How can I use the full spring security integration?

Long Version

To the best of my understanding I have a functional Spring-social setup working as follows:

ProviderSignInController is set up to create social connections and automatically provision user accounts when a new user appears. I use a SignInAdapter, as shown by the documented example.

I also have a regular spring-security-based authentication service using a UserDetailsService.

However, one difference that I have seen is that the social authentication sign-in does not raise any *AuthenticationEvents. These events are raised by the filter for regular accounts.

I wonder - am I missing some part of this integration?
It seems a little vulnerable NOT going through the SocialAuthenticationFilter, and just manually setting the auth context.

I want a central place for logging authentication events.

Rob Shepherd asked Jan 06 '15 15:01


1 Answer

I had a similar situation where I wanted to use the SocialAuthenticationFilter for auth and implicit signup with Spring Security, rather than the ProviderSignInController (I agree it feels a little dirty using the controller).

I hooked it up & it mostly worked, but I lost my onAuthenticationSuccess events that the normal log-in gave me.

What I finally did to get my filter working as I needed, was to add an ObjectPostProcessor to it. This allowed me to manually set my AuthenticationSuccessHandler after the filter had been initialised deep within the SpringSocialConfigurer (without a handle on it).

Here's a snippet.

            // Spring Social configurer integrates with Spring Security for us
            .and().apply(new SpringSocialConfigurer()
                    .postLoginUrl("/")
                    // other setup
                    )
                    // Called on the configurer that apply() returns, since addObjectPostProcessor returns void
                    .addObjectPostProcessor(new ObjectPostProcessor<SocialAuthenticationFilter>() {
                        @Override
                        public <O extends SocialAuthenticationFilter> O postProcess(O filter) {
                            filter.setAuthenticationSuccessHandler(loginSuccessHandler);
                            return filter;
                        }
                    });

loginSuccessHandler is just the same bean I set in my normal filter configuration via .formLogin().successHandler(loginSuccessHandler).

You could also set your failureHandler here.

This served my purposes ok. The solution now uses my SocialUserDetailsService for auth and ConnectionSignUp for implicit signup (when registered on the UsersConnectionRepository).

Hope this helps.

waltron answered Nov 09 '22 14:11
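A shared handler of the kind the answer registers on both the form-login and social filters can serve as the central audit point the question asks for. The following is an added example, not code from the question or the answer; the class name, logger name and failure URL are assumptions, and it uses the `javax.servlet` API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

// Hypothetical class (not from the post): one audit point shared by form login and social login.
public class AuditingLoginHandler implements AuthenticationSuccessHandler, AuthenticationFailureHandler {

    private static final Log AUDIT = LogFactory.getLog("security.audit"); // assumed logger name

    // Standard Spring Security handlers perform the actual redirects.
    private final AuthenticationSuccessHandler onSuccess = new SavedRequestAwareAuthenticationSuccessHandler();
    private final AuthenticationFailureHandler onFailure = new SimpleUrlAuthenticationFailureHandler("/login?error"); // assumed URL

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // The token class tells the two sign-in paths apart in the audit trail.
        AUDIT.info("login success user=" + clean(authentication.getName())
                + " via=" + authentication.getClass().getSimpleName()
                + " ip=" + request.getRemoteAddr());
        onSuccess.onAuthenticationSuccess(request, response, authentication);
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        // Log the exception type only; never log submitted credentials or provider tokens.
        AUDIT.warn("login failure reason=" + exception.getClass().getSimpleName()
                + " ip=" + request.getRemoteAddr());
        onFailure.onAuthenticationFailure(request, response, exception);
    }

    // Replace control characters so a user-chosen name cannot forge extra log lines.
    static String clean(String value) {
        return value == null ? "" : value.replaceAll("\\p{Cntrl}", "_");
    }
}
```

Registering one instance as both the success and failure handler on each filter keeps every sign-in outcome in a single log stream.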