Callback configuration

LELEU Jérôme edited this page Apr 6, 2020 · 5 revisions

You need to define the callback endpoint (CallbackController) only for web applications, that is, for indirect clients.

For indirect clients (like Facebook), the user is redirected to an external identity provider for login and then back to the application. Thus, a callback endpoint is required in the application. It is managed by the CallbackController which has the following behaviour:

  1. the credentials are extracted from the current request to fetch the user profile (from the identity provider) which is then saved in the web session

  2. finally, the user is redirected back to the originally requested url (or to the defaultUrl).

The following properties are available:

  1. pac4j.callback.defaultUrl (optional): it's the default url after login if no url was originally requested (/ by default)

  2. pac4j.callback.multiProfile (optional): it indicates whether multiple authentications (and thus multiple profiles) must be kept at the same time (false by default)

  3. pac4j.callback.renewSession (optional): it indicates whether the web session must be renewed after login, to avoid session hijacking (true by default).

  4. pac4j.callback.saveInSession (optional): it indicates whether the profile should be saved into the web session (true by default)

  5. pac4j.callback.defaultClient (optional): it defines the default client to use to finish the login process if none is provided on the URL (not defined by default)

  6. pac4j.callback.path (optional): the URL path to the callback controller. This needs to match what you have registered with your identity provider (/callback by default).
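The effect of renewSession, saveInSession and defaultUrl on the two callback steps, as an added example that is not pac4j's own code: a simplified in-memory model in which the session store, the function names and the sample values are all assumptions. It shows that, without renewal, the session identifier issued before login ends up bound to the authenticated profile.

```python
import secrets

class SessionStore:
    """Toy in-memory web session store (constructed for this example)."""
    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def renew(self, old_sid):
        # New identifier, same attributes; the old identifier stops resolving.
        attrs = self._sessions.pop(old_sid)
        new_sid = self.create()
        self._sessions[new_sid].update(attrs)
        return new_sid

def callback(store, sid, profile, renew_session=True, save_in_session=True,
             default_url="/"):
    """Model of the callback: returns (session id after login, redirect URL)."""
    requested = store.get(sid).get("requested_url")
    if renew_session:              # models pac4j.callback.renewSession
        sid = store.renew(sid)
    if save_in_session:            # models pac4j.callback.saveInSession
        store.get(sid)["profile"] = profile
    return sid, requested or default_url   # models pac4j.callback.defaultUrl

def profile_for(store, sid):
    """Profile that a request carrying this session id would be treated as."""
    session = store.get(sid)
    return session.get("profile") if session else None

def demo():
    """Run the same login with renewal off and on; compare the pre-login id."""
    store, results = SessionStore(), {}
    for renew in (False, True):
        pre_login = store.create()             # id issued before authentication
        store.get(pre_login)["requested_url"] = "/account"   # constructed value
        post_login, url = callback(store, pre_login, {"id": "alice"},
                                   renew_session=renew)
        results[renew] = (profile_for(store, pre_login),
                          post_login != pre_login, url)
    return results

if __name__ == "__main__":
    print(demo())
```

With renewal off, the pre-login identifier resolves to the logged-in profile; with renewal on, it resolves to nothing and only the new identifier carries the profile.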

The CallbackController must be defined by class scanning to be available on the /callback url:

Spring context file:

<context:component-scan base-package="org.pac4j.springframework.web" />

Spring configuration class:

@ComponentScan(basePackages = "org.pac4j.springframework.web")