I’m working on a Spring Boot app that uses Twitch for OAuth2 login. The login part works fine and users can authorize through Twitch without problems. But after they log in, they still can’t reach the protected pages. It’s like the authentication isn’t being recognized by the security system.
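import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/")
public class HomeController {

    // Mapped to "/"
    @GetMapping
    public String homePage() {
        return "Welcome to homepage";
    }

    // Mapped to "/dashboard"
    @GetMapping("dashboard")
    public String userDashboard() {
        return "User dashboard content";
    }
}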
I’ve checked the configuration multiple times but can’t figure out why authenticated users still get blocked from protected routes. Any ideas what might be wrong?
I hit this exact issue a few months ago with OAuth2. Your redirect URI is wrong - you’ve got it pointing to http://localhost:8080/dashboard but Spring Security OAuth2 needs the callback endpoint, not your protected route. Use http://localhost:8080/login/oauth2/code/gaming-platform instead. Then handle the post-login redirect with .defaultSuccessUrl("/dashboard") in your OAuth2 config. Double-check your Twitch app settings match this redirect URI exactly. The auth flow has to complete before Spring can set up the security context for protected routes.
Your security config looks fine - this is likely a session management problem. I’ve hit this same issue in Spring Boot projects. Usually the authentication context isn’t getting stored properly between requests. Add .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)) to your security chain. Also check you’re not invalidating sessions somewhere else in your code. If you’re running behind a proxy or load balancer, that might mess with session cookies too. Debug this by creating a simple endpoint that returns the current authentication principal - you’ll see if Spring actually recognizes the user as authenticated after login.
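The two suggestions above (callback redirect URI with `.defaultSuccessUrl("/dashboard")`, and a debug endpoint that returns the current principal) put together as an added example, not code from any poster in this thread. It assumes Spring Boot 3 / Spring Security 6 with the OAuth2 client starter and a client registration named `gaming-platform` as in the callback URL above; the `/whoami` path and the class names are hypothetical.

```java
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// The Twitch app settings and the registration's redirect-uri must both be the
// callback: http://localhost:8080/login/oauth2/code/gaming-platform
@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // "/" is public; /whoami is open so it can report "not logged in"
                .requestMatchers("/", "/whoami").permitAll()
                .anyRequest().authenticated())   // covers /dashboard
            // Spring processes the callback itself, then redirects the user
            .oauth2Login(oauth -> oauth.defaultSuccessUrl("/dashboard"))
            .sessionManagement(s -> s
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED));
        return http.build();
    }
}

// Hypothetical diagnostic endpoint; remove it once the login flow works.
@RestController
class WhoAmIController {
    @GetMapping("/whoami")
    Map<String, Object> whoami(Authentication authentication) {
        if (authentication == null) {
            // No principal on this request: cookie missing or context not saved
            return Map.of("authenticated", false);
        }
        return Map.of(
            "authenticated", authentication.isAuthenticated(),
            "type", authentication.getClass().getSimpleName(),
            "name", authentication.getName(),
            "authorities", authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).toList());
    }
}
```

Requesting `/whoami` right after the Twitch login shows whether the session carried the login: `"authenticated": false` means the request arrived without a stored security context, while a `type` of `OAuth2AuthenticationToken` means the login was recognized and the block is coming from the authorization rules instead.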
check if your session cookies are getting set properly after oauth login. had the same issue - twitch auth worked fine but sessions wouldn’t stick. add some debug logging to check the auth object in your controller. i bet it’s null even after a successful login.
Classic issue - your auth token gets stuck after the OAuth2 callback. I’ve debugged this exact problem tons of times.
You’re mixing authentication providers and the session isn’t keeping the OAuth2 context. Spring’s trying to juggle form login and OAuth2 at once, which breaks everything.
Honestly, Spring Security OAuth2 configs are a nightmare. I’ve wasted way too many hours on session management bugs.
Now I just skip Spring OAuth2 entirely. I set up a simple webhook to catch the Twitch callback, then use automation for the whole auth flow. You can build solid authentication that handles OAuth2 tokens, manages sessions, and routes users to protected pages automatically.
I handle token validation, session creation, and route protection through automated workflows. No more config debugging or security chain issues. Just clean auth that works.
Automation gives you full control without Spring’s black box nonsense.