spring-security
Support absolute URIs in authentication success redirects for WebFlux
Expected Behavior
RedirectServerAuthenticationSuccessHandler/ServerRequestCache.getRedirectUri() should allow to redirect using an absolute URL (e.g. http://localhost/secured-path) so that reverse proxies can automatically rewrite the location header, like with Web MVC (SavedRequestAwareAuthenticationSuccessHandler / RequestCache).
Current Behavior
The WebFlux success handler uses a relative URI, such as /secured-path. Reverse proxies will not rewrite those paths by default as they can’t know to what this path is relative (as I understand it, tested with Nginx’s proxy_pass setup).
I understand from #7273 that this behavior is intentional, however it would be good to make it easier to change the behavior. Currently the only solution seems to be to provide a custom ServerRequestCache or a custom RedirectServerAuthenticationSuccessHandler, as a user did in this SO answer. Moreover neither WebSessionServerRequestCache nor CookieServerRequestCache can be extended to customize this behavior during the saveRequest() call because they both use static methods to build the stored URL, and the attribute/cookie name is private.
Context
We are currently upgrading from Zuul 1 to Spring Cloud Gateway. As we deploy it behind Nginx in our test environment, we noticed that it does not rewrite relative location headers by default, so the raw internal value is forwarded. As a workaround, it is possible to force Nginx to rewrite it using proxy_redirect (which also converts the location to an absolute URI):
    location /api/ {
        proxy_pass http://gateway:1234/;
        proxy_redirect default;
        proxy_redirect / /api/;
    }
but we would rather avoid the trouble of asking our customer to change their reverse proxy configuration (this would involve another team to whom we need to explain the issue, it’s unlikely to work on first try etc. – we are likely to end up implementing a workaround in our gateway anyway).
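The custom ServerRequestCache route mentioned in the issue can be sketched as a delegating wrapper, shown here as an added example that is not code from the issue author or from Spring Security. The class name AbsoluteUriServerRequestCache is hypothetical, and the sketch assumes the reverse proxy in front of the gateway sets or normalises the Host header, since the absolute URI is built from the current request's URI.

```java
import java.net.URI;

import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.web.server.savedrequest.ServerRequestCache;
import org.springframework.web.server.ServerWebExchange;

import reactor.core.publisher.Mono;

// Hypothetical wrapper (not part of Spring Security): stores the request
// through an existing cache and only changes how the redirect URI is read back.
public class AbsoluteUriServerRequestCache implements ServerRequestCache {

    private final ServerRequestCache delegate;

    public AbsoluteUriServerRequestCache(ServerRequestCache delegate) {
        this.delegate = delegate;
    }

    @Override
    public Mono<Void> saveRequest(ServerWebExchange exchange) {
        // Storage is unchanged: the delegate still saves the relative URI.
        return delegate.saveRequest(exchange);
    }

    @Override
    public Mono<URI> getRedirectUri(ServerWebExchange exchange) {
        // Assumption: the scheme/host of the request URI come from headers the
        // proxy controls. If clients can reach the gateway directly, the Host
        // header is attacker-influenced and must not be echoed into Location.
        URI requestUri = exchange.getRequest().getURI();
        return delegate.getRedirectUri(exchange)
                .map(saved -> saved.isAbsolute() ? saved : requestUri.resolve(saved));
    }

    @Override
    public Mono<ServerHttpRequest> removeMatchingRequest(ServerWebExchange exchange) {
        return delegate.removeMatchingRequest(exchange);
    }
}
```

It would be wired in by wrapping an existing cache, for example `new AbsoluteUriServerRequestCache(new WebSessionServerRequestCache())`, and passing the result to `RedirectServerAuthenticationSuccessHandler.setRequestCache(...)`.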