authmanage | 这是一个统一管理系统权限，设计的目标是给开发者一个完整地权限管理系统，以便你能更专注自己系统业务的开发

In OpenID Connect, the Identity Token is never sent to the Provider. I think this is just a typo/naming issue and you mean the Access Token.

The end result of the user authenticating is two tokens:

1. the Access Token, an opaque token which is not meant to be introspected by the Client. It may or may not be a JWT.
2. an ID Token, a JWT which contains the user claims.

To obtain the user's email address, decode the ID/Identity Token's JWT payload. To do this in Swift, see these SO answers. The JWT should contain an email value. It looks like the email address may also be an instance property of ASAuthorizationAppleIdProvider, so you should be able to get them from credentials.email.

There does not appear to be a way to directly validate the Access Token. Most OpenID Connect Providers offer a Userinfo Endpoint, or a Token Instrospection Endpoint (I think this is the Google endpoint that was linked in question), but Apple does not. A number of steps were already performed to obtain the Access Token, however, which should make it impossible to forge. If you really only want the email address, though, JWTs are cryptographically signed, so verifying the JWT should guarantee it was issued by Apple. You can also verify the Refresh Token as shown in Apple Developer docs. In your code above, I don't see a way to access Refresh Token, but if you followed an alternative flow as shown in one of the tutorials here or here, you would be able to.

Looks like the wrong base class, per https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.html :

The purpose is then only to extract the necessary information on the principal from the incoming request, rather than to authenticate them.

Try extending https://docs.spring.io/spring-security/site/docs/4.0.x/apidocs/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.html instead.

but I would assume, that returning an access token would result in the client/browser storing it and automatically adding it to its request headers in "Authorization"

This assumption is where you're wrong. It's your apps responsibility to store the token and transmit it for each request against an endpoint. If you're planning on using regular HTML and navigating through it as a user clicking links instead of as an API endpoint, you might want to look at using cookies instead of an HTTP header (which are sent automagically by your browser).

The swagger-ui can determine from the API signature that an Authorization header is required (which is what OAuth2PasswordBearer does, among other things), it knows that it can ask for and is expected to present that header. Since swagger-ui is not a common web standard as a part of HTTP, that's not something browsers should, or are able to, do.

Cookies do serve that purpose, however - so you could use cookies if you want to do that. But API requests does not include cookies, and its far more common to use the Authorization header for those requests.

Where are you calling these actions? Also, why don't you take your reducer outside your component instead of using useCallback hook?

e.g:

I think your configuration is okay.

http.addFilter(authFilter) will put filter at appropriate position by examining the filter type.

In your case, I suspect issue is not triggering login request properly. As per the content in given repo, I ran the project and used embedded H2 instead of full blown database.

This is how you need to trigger your request if you are reading from request.getParameter(parameterName). Please note that I have received 404 error because Spring is trying to redirect me to '/' post successful login which doesn't exist. :)

There is no way to validate any credentials while the user is offline, so for most providers signing in while offline is not an option. The only built-in provider that can satisfy a signIn... call while offline, is the anonymous auth provider.

This is different when the user has already signed in in the past, and is restarting the app. In that scenario Firebase assumes the user is still signed in, will set the current user and fire the AuthStateListener event even while offline. Once the connection is reestablished it will re-validate the user credentials, to check for example if the account was suspended.

This call invokes internally embedded control of Internet Explorer. In server systems where Internet Explorer enhanced security is enabled by default, redirection to Microsoft login page is cancelled as insecure. Disable enhanced security of Internet Explorer to resolve this issue. It is done in Server Manager. You must reboot Windows to have it disabled.

I was able to find a workaround solution; I still can't get the custom controller method to execute, but I can log users in, which was my goal.

This project is using Java 17, by the way.

I enabled user login to work by deleting the whole postLogin() method in the controller, and deleting all of the configurations under formLogin() in the configure(HttpSecurity http) method. Once I did this, I no longer had my custom login page, but I did have a default login page, and it did work.

I tried to add the .loginPage("/login") directive back into the configure method to specify the custom login page, but that caused the login form to go back to 302 redirecting to itself, even after my incorrect controller was deleted.

My corrected configure method:

From what I understood I probably need a certificate. However I can't understand how the SharePoint site will know about this certificate and grant the access.

Here is an sample code of Authentication of SharePoint Online CSOM using Azure Function class script called csomHelper.csx.