@Configuration
@RequiredArgsConstructor
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

private final ABACPermissionEvaluator abacPermissionEvaluator;
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
    // set custom permission evaluator for hasPermission expressions
    DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
    handler.setPermissionEvaluator(abacPermissionEvaluator);
    return handler;
}

}

Apologies for the cross post but struggling to find an answer:

Wondering if it is possible to "mix" multiple OAuth flows on the same Gateway for different routes. Specifically I was wondering if we could use the authorization flow for interactive users (human) and resource server flow for service-to-service interactions on API routes?

We don't currently have a guide for how to do this, but there are a number of approaches. I would recommend starting small and simply creating a custom endpoint in a @RestController to do this. You can publish an @Bean of type AuthenticationManager and configure a DaoAuthenticationProvider with a UserDetailsService and PasswordEncoder like this:

@Bean
public AuthenticationManager authenticationManager(
        UserDetailsService userDetailsService,
        PasswordEncoder passwordEncoder) {
    DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
    authenticationProvider.setUserDetailsService(userDetailsService);
    authenticationProvider.setPasswordEncoder(passwordEncoder);

    return new ProviderManager(authenticationProvider);
}

Which can be used like this:

authenticationManager.authenticate(UsernamePasswordAuthenticationToken.unauthenticated("user", "password"));

You may also be interested in the AuthenticationFilter, which is very flexible, and can be added as a filter via:

http.addFilterAfter(new AuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class)

thanks will check,
I am more interested on production readiness features like:
logging, metrics etc.

also I'd like to see some kind of hooks that allow to inject custom code into existing filters

examples:

• add session initiation on /oauth/token but before token creation
  as of right now I have to create session in OAuthTokenGenerator

• add custom validation on pre/post login
  for example I would like to let my user connect via facebook and then validate and forbid further steps by IP or country for example

thanks will check,
I am more interested on production readiness features like:
logging, metrics etc.

also I'd like to see some kind of hooks that allow to inject custom code into existing filters

examples:

• add session initiation on /oauth/token but before token creation
  as of right now I have to create session in OAuthTokenGenerator

• add custom validation on pre/post login
  for example I would like to let my user connect via facebook and then validate and forbid further steps by IP or country for example

thanks will check,
I am more interested on production readiness features like:
logging, metrics etc.

also I'd like to see some kind of hooks that allow to inject custom code into existing filters

examples:

• add session initiation on /oauth/token but before token creation
  as of right now I have to create session in OAuthTokenGenerator

• add custom validation on pre/post login
  for example I would like to let my user connect via facebook and then validate and forbid further steps by IP or country for example

thanks will check,
I am more interested on production readiness features like:
logging, metrics etc.

also I'd like to see some kind of hooks that allow to inject custom code into existing filters

examples:

• add session initiation on /oauth/token but before token creation.
  as of right now I have to create session in OAuthTokenGenerator

• add custom validation on pre/post login.
  for example: I would like to let my user connect via facebook and then validate and forbid further steps by IP or country for example

@Bean
    public SecurityWebFilterChain webFilterChain(ServerHttpSecurity http) {
        return http
                .csrf(csrf -> csrf.disable())
                .authorizeExchange(authorize -> authorize
                                                .pathMatchers("/signup").permitAll()
                                                .anyExchange().authenticated())

                .formLogin(customizer -> customizer

                                            .authenticationSuccessHandler(new ServerAuthenticationSuccessHandler() {

                                                @Override
                                                public Mono<Void> onAuthenticationSuccess(WebFilterExchange webFilterExchange, Authentication authentication) {
                                                    webFilterExchange.getExchange().getResponse().setStatusCode(HttpStatus.OK);
                                                    return Mono.empty();
                                                }
                                            })

                                            .authenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(new HttpStatusServerEntryPoint(HttpStatus.BAD_REQUEST)))

                                            .authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.NOT_FOUND))                                            
                                            .requiresAuthenticationMatcher(new PathPatternParserServerWebExchangeMatcher("/auth/login", HttpMethod.POST))

                        )

Thanks @sjohnr. I have in fact tried this and it doesn't seem to work for me which I'll attribute to what is likely an error on my side. I think what's happening is that my user configuration is more aggressive and "overriding" the api. Changing the order of my Beans doesn't make a difference as I'm guessing the "anyExchange().authenticated()" is what is preventing the api config from kicking in.

`
@Bean
@Order(2)
fun securityWebFilterChain_Api(http: ServerHttpSecurity, sessionProperties: SessionProperties): SecurityWebFilterChain {
http
.authorizeExchange()
.pathMatchers("/api/**").authenticated()
.and()
.oauth2ResourceServer()
.jwt()

    return http.build()
}

@Bean
@Order(1   )
fun securityWebFilterChain_User(http: ServerHttpSecurity, sessionProperties: SessionProperties): SecurityWebFilterChain {

    http
            .authorizeExchange()
               .pathMatchers("/management/health").permitAll()
            .anyExchange().authenticated()
            .and()
            .oauth2Login()
            .and()
            .oauth2Client()
            .and()
            .logout()

    return http.build()
}

`

Thanks @sjohnr. I have in fact tried this and it doesn't seem to work for me which I'll attribute to what is likely an error on my side. I think what's happening is that my user configuration is more aggressive and "overriding" the api. Changing the order of my Beans doesn't make a difference as I'm guessing the "anyExchange().authenticated()" is what is preventing the api config from kicking in.

`
@Bean
@Order(2)
fun securityWebFilterChain_Api(http: ServerHttpSecurity, sessionProperties: SessionProperties): SecurityWebFilterChain {
http
.authorizeExchange()
.pathMatchers("/api/**").authenticated()
.and()
.oauth2ResourceServer()
.jwt()

    return http.build()
}

@Bean
@Order(1   )
fun securityWebFilterChain_User(http: ServerHttpSecurity, sessionProperties: SessionProperties): SecurityWebFilterChain {

    http
            .authorizeExchange()
               .pathMatchers("/management/health").permitAll()
            .anyExchange().authenticated()
            .and()
            .oauth2Login()
            .and()
            .oauth2Client()
            .and()
            .logout()

    return http.build()
}

`

Thanks @sjohnr. I have in fact tried this and it doesn't seem to work for me which I'll attribute to what is likely an error on my side. I think what's happening is that my user configuration is more aggressive and "overriding" the api. Changing the order of my Beans doesn't make a difference as I'm guessing the "anyExchange().authenticated()" is what is preventing the api config from kicking in.

`
@Bean
@Order(2)
fun securityWebFilterChain_Api(http: ServerHttpSecurity, sessionProperties: SessionProperties): SecurityWebFilterChain {
http
.authorizeExchange()
.pathMatchers("/api/**").authenticated()
.and()
.oauth2ResourceServer()
.jwt()

    return http.build()
}

@Bean
@Order(1   )
fun securityWebFilterChain_User(http: ServerHttpSecurity, sessionProperties: SessionProperties): SecurityWebFilterChain {

    http
            .authorizeExchange()
               .pathMatchers("/management/health").permitAll()
            .anyExchange().authenticated()
            .and()
            .oauth2Login()
            .and()
            .oauth2Client()
            .and()
            .logout()

    return http.build()
}

`

@cruzatadelacruzc, you can navigate the browser to the authorization request base uri to initiate the flow again. For example, if your {registrationId} is keycloak, redirect the user to /oauth2/authorization/keycloak.

I adjusted your suggestion and worked very well.