AWS CloudFront & Google OAuth Configuration Reference

Complete Configuration State (JWT-Based OAuth)

This document shows exactly what should be configured in AWS CloudFront and Google Cloud Console for your JWT-based OAuth setup.


1. AWS CloudFront Distributions

You have THREE CloudFront distributions:

  1. Main Website Distribution - sriinfosoft.com (S3 bucket) - NOT related to task manager app
  2. Task Manager Frontend Distribution - taskmanager.sriinfosoft.com (React app on EC2)
  3. Task Manager Backend API Distribution - api-taskmanager.sriinfosoft.com (Spring Boot on EC2)

This document covers configurations for distributions #2 and #3 only.


1.1 Task Manager Frontend Distribution (React App)

Purpose: Serve your React frontend application

Basic Settings:

  • Alternate domain name (CNAME): taskmanager.sriinfosoft.com
  • SSL Certificate: Your wildcard cert (*.sriinfosoft.com)
  • Supported HTTP versions: HTTP/2, HTTP/1.1

Origin Settings:

Setting         Value
Origin domain   ec2-54-193-90-49.us-west-1.compute.amazonaws.com
Protocol        HTTP only
HTTP port       80
HTTPS port      443 (not used)
Origin path     (leave empty)

Default Cache Behavior:

Setting                   Value
Path pattern              Default (*)
Viewer protocol policy    Redirect HTTP to HTTPS
Allowed HTTP methods      GET, HEAD, OPTIONS
Cache policy              CachingOptimized (or Managed-CachingOptimized)
Origin request policy     (none needed)
Response headers policy   (optional: CORS-with-preflight)

Why these settings:

  • Frontend is static content (HTML, JS, CSS)
  • Can be cached aggressively
  • Only needs GET, HEAD, OPTIONS methods

1.2 Task Manager Backend API Distribution (Spring Boot)

Purpose: Proxy API requests to your backend

Basic Settings:

  • Alternate domain name (CNAME): api-taskmanager.sriinfosoft.com
  • SSL Certificate: Your wildcard cert (*.sriinfosoft.com)
  • Supported HTTP versions: HTTP/2, HTTP/1.1

Origin Settings:

Setting              Value
Origin domain        ec2-54-193-90-49.us-west-1.compute.amazonaws.com
Protocol             HTTP only
HTTP port            8080
HTTPS port           443 (not used)
Origin path          (leave empty)
Keep-alive timeout   60 seconds
Read timeout         60 seconds

Default Cache Behavior: ⚠️ CRITICAL FOR API

Setting                   Value
Path pattern              Default (*)
Viewer protocol policy    Redirect HTTP to HTTPS
Allowed HTTP methods      GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE ⚠️
Cache policy              CachingDisabled ⚠️
Origin request policy     AllViewer ⚠️
Response headers policy   (optional: CORS-with-preflight)

Why these settings:

  • CachingDisabled - APIs should never be cached
  • AllViewer - Forwards ALL headers, cookies, query strings to backend
  • ✅ All HTTP methods - Allows REST operations (GET, POST, PUT, DELETE, etc.)

IMPORTANT: Without CachingDisabled and AllViewer, your API will not work properly!
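The three critical backend settings above can be checked mechanically. The script below is an added example, not part of this reference: it reads a distribution config in the JSON shape that `aws cloudfront get-distribution-config` returns (the DistributionConfig object) and reports which of the rules in section 1.2 a backend distribution violates. The managed policy IDs are assumed from AWS documentation; confirm them with `aws cloudfront list-cache-policies --type managed` in your account. Both input samples are constructed by hand, one deliberately cloned from the frontend settings.

```python
"""Check a CloudFront DistributionConfig against the backend-API rules of section 1.2.

Added example, not part of the original reference. Input shape follows the
DistributionConfig JSON returned by `aws cloudfront get-distribution-config`.
"""

# AWS managed policy IDs (assumed from AWS documentation; verify in your account with
# `aws cloudfront list-cache-policies --type managed` and
# `aws cloudfront list-origin-request-policies --type managed`).
CACHING_DISABLED_ID = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"
CACHING_OPTIMIZED_ID = "658327ea-f89d-4fab-a63d-7e88639e58f6"
ALL_VIEWER_ID = "216adef6-5c7f-47e4-b989-5492eafa07d3"

# Every method the REST API needs CloudFront to pass through (section 1.2)
REST_METHODS = {"GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"}


def check_backend_behavior(distribution_config: dict) -> list:
    """Return findings for the default cache behavior; an empty list means it is correct."""
    behavior = distribution_config["DefaultCacheBehavior"]
    findings = []

    if behavior.get("CachePolicyId") != CACHING_DISABLED_ID:
        findings.append("cache policy is not CachingDisabled: API responses may be cached")

    if behavior.get("OriginRequestPolicyId") != ALL_VIEWER_ID:
        findings.append("origin request policy is not AllViewer: headers, cookies and "
                        "query strings may be stripped before reaching Spring Boot")

    allowed = set(behavior.get("AllowedMethods", {}).get("Items", []))
    missing = REST_METHODS - allowed
    if missing:
        findings.append("allowed methods missing: " + ", ".join(sorted(missing)))

    if behavior.get("ViewerProtocolPolicy") != "redirect-to-https":
        findings.append("viewer protocol policy should be redirect-to-https")

    return findings


# Constructed sample 1: a backend distribution cloned from the frontend one,
# i.e. the misconfiguration section 1.2 warns about.
BACKEND_CLONED_FROM_FRONTEND = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "spring-boot-8080",
        "ViewerProtocolPolicy": "redirect-to-https",
        "AllowedMethods": {"Quantity": 3, "Items": ["GET", "HEAD", "OPTIONS"]},
        "CachePolicyId": CACHING_OPTIMIZED_ID,
        # no OriginRequestPolicyId at all
    }
}

# Constructed sample 2: the configuration the reference prescribes.
BACKEND_CORRECT = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "spring-boot-8080",
        "ViewerProtocolPolicy": "redirect-to-https",
        "AllowedMethods": {
            "Quantity": 7,
            "Items": ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"],
        },
        "CachePolicyId": CACHING_DISABLED_ID,
        "OriginRequestPolicyId": ALL_VIEWER_ID,
    }
}

if __name__ == "__main__":
    for name, cfg in (("cloned", BACKEND_CLONED_FROM_FRONTEND), ("correct", BACKEND_CORRECT)):
        findings = check_backend_behavior(cfg)
        print(f"{name}: {'OK' if not findings else 'PROBLEMS'}")
        for finding in findings:
            print("  -", finding)
```

To run it against a live distribution, pipe `aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>` through `json.load` and pass the `DistributionConfig` member to `check_backend_behavior`.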


2. AWS Route 53 DNS Records

You have THREE DNS records in your sriinfosoft.com hosted zone:

  1. Main website: sriinfosoft.com → S3 CloudFront distribution
  2. Task Manager Frontend: taskmanager.sriinfosoft.com → Task Manager Frontend CloudFront
  3. Task Manager Backend API: api-taskmanager.sriinfosoft.com → Task Manager Backend CloudFront

This document covers configurations for #2 and #3 only.


2.1 Task Manager Frontend DNS Record

Record name: taskmanager
Type: A - Routes traffic to an IPv4 address and some AWS resources
Alias: ON (enabled)
Route traffic to: Alias to CloudFront distribution
Choose Region: US East (N. Virginia) [us-east-1]
Choose endpoint: [Your FRONTEND CloudFront distribution]
Routing policy: Simple routing

Full domain: taskmanager.sriinfosoft.com


2.2 Task Manager Backend API DNS Record

Record name: api-taskmanager
Type: A - Routes traffic to an IPv4 address and some AWS resources
Alias: ON (enabled)
Route traffic to: Alias to CloudFront distribution
Choose Region: US East (N. Virginia) [us-east-1]
Choose endpoint: [Your BACKEND CloudFront distribution]
Routing policy: Simple routing

Full domain: api-taskmanager.sriinfosoft.com


3. Google Cloud Console OAuth Configuration

3.1 Where to Configure

  1. Go to: https://console.cloud.google.com/apis/credentials
  2. Select your project
  3. Click on your OAuth 2.0 Client ID (under "OAuth 2.0 Client IDs")

3.2 Authorized JavaScript Origins

Add BOTH domains:

https://taskmanager.sriinfosoft.com
https://api-taskmanager.sriinfosoft.com

Rules:

  • ✅ Use https:// (not http://)
  • ✅ No trailing slashes
  • ✅ No path components (just domain)
  • ❌ Do NOT include localhost or EC2 direct URLs

Why both domains:

  • taskmanager.sriinfosoft.com - Frontend initiates OAuth requests
  • api-taskmanager.sriinfosoft.com - Backend makes API calls to Google

3.3 Authorized Redirect URIs (JWT-Based OAuth)

Add ONLY ONE URI:

https://taskmanager.sriinfosoft.com/login/oauth2/code/google

Rules:

  • ✅ Points to FRONTEND domain (not backend API)
  • ✅ Exact path: /login/oauth2/code/google
  • ✅ No trailing slash
  • ❌ Do NOT add backend API URL here

Why frontend URL:

  • With JWT-based OAuth, Google redirects to your frontend
  • Frontend receives the OAuth authorization code
  • Frontend sends code to backend to exchange for JWT token
  • This avoids cross-domain cookie issues
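The rules in 3.2 and 3.3 are easy to get wrong by one character (a trailing slash, http instead of https, the backend host in the redirect list). The checker below is an added example, not part of this reference or of the project: it applies those rules to the origin and redirect-URI lists you intend to enter in the Google Console and reports every violation. The host names and the redirect path are the ones this reference uses; the "bad" sample lists are constructed.

```python
"""Validate Google Console OAuth entries against the rules in sections 3.2 and 3.3.

Added example, not part of the original reference.
"""
from urllib.parse import urlsplit

FRONTEND_HOST = "taskmanager.sriinfosoft.com"
BACKEND_HOST = "api-taskmanager.sriinfosoft.com"
REDIRECT_PATH = "/login/oauth2/code/google"  # the exact path from section 3.3


def check_js_origin(origin: str) -> list:
    """Rules for an Authorized JavaScript origin (section 3.2)."""
    problems = []
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("use https:// (not http://)")
    if origin.endswith("/"):
        problems.append("no trailing slash")
    if parts.path.strip("/") or parts.query or parts.fragment:
        problems.append("no path components (just the domain)")
    if host == "localhost" or host.endswith(".compute.amazonaws.com"):
        problems.append("do not include localhost or EC2 direct URLs")
    elif host not in (FRONTEND_HOST, BACKEND_HOST):
        problems.append(f"unexpected host {host!r}")
    return problems


def check_redirect_uri(uri: str) -> list:
    """Rules for an Authorized redirect URI (section 3.3)."""
    problems = []
    parts = urlsplit(uri)
    if parts.scheme != "https":
        problems.append("use https:// (not http://)")
    if parts.hostname == BACKEND_HOST:
        problems.append("redirect URI must point to the frontend, not the backend API")
    elif parts.hostname != FRONTEND_HOST:
        problems.append(f"unexpected host {parts.hostname!r}")
    if uri.endswith("/"):
        problems.append("no trailing slash")
    if parts.path.rstrip("/") != REDIRECT_PATH:
        problems.append(f"path must be exactly {REDIRECT_PATH}")
    return problems


def check_console(origins: list, redirect_uris: list) -> dict:
    """Return {entry: [problems]} for the whole configuration; {} means it matches the reference."""
    report = {}
    for origin in origins:
        problems = check_js_origin(origin)
        if problems:
            report[origin] = problems
    for uri in redirect_uris:
        problems = check_redirect_uri(uri)
        if problems:
            report[uri] = problems
    # Section 3.2: both hosts must be registered; section 3.3: exactly one redirect URI
    if {urlsplit(o).hostname for o in origins} != {FRONTEND_HOST, BACKEND_HOST}:
        report["<origins>"] = ["both the frontend and the backend host must be registered"]
    if len(redirect_uris) != 1:
        report["<redirect URIs>"] = ["register exactly one redirect URI (the frontend one)"]
    return report


# The lists section 3.4 prescribes
GOOD_ORIGINS = ["https://taskmanager.sriinfosoft.com", "https://api-taskmanager.sriinfosoft.com"]
GOOD_REDIRECTS = ["https://taskmanager.sriinfosoft.com/login/oauth2/code/google"]

# Constructed lists containing the mistakes section 6.1 tells you to remove
BAD_ORIGINS = ["https://taskmanager.sriinfosoft.com/", "http://localhost:3000"]
BAD_REDIRECTS = [
    "https://taskmanager.sriinfosoft.com/login/oauth2/code/google",
    "https://api-taskmanager.sriinfosoft.com/login/oauth2/code/google",
]

if __name__ == "__main__":
    print("good:", check_console(GOOD_ORIGINS, GOOD_REDIRECTS))
    for entry, problems in check_console(BAD_ORIGINS, BAD_REDIRECTS).items():
        print(entry)
        for problem in problems:
            print("  -", problem)
```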

3.4 Complete Google Console Configuration Summary

Authorized JavaScript Origins:

https://taskmanager.sriinfosoft.com
https://api-taskmanager.sriinfosoft.com

(2 origins)

Authorized Redirect URIs:

https://taskmanager.sriinfosoft.com/login/oauth2/code/google

(1 redirect URI - frontend only)

Screenshot reference:

┌─────────────────────────────────────────────────────────┐
│ OAuth 2.0 Client ID                                     │
├─────────────────────────────────────────────────────────┤
│ Authorized JavaScript origins                           │
│ ┌─────────────────────────────────────────────────┐   │
│ │ https://taskmanager.sriinfosoft.com             │   │
│ └─────────────────────────────────────────────────┘   │
│ ┌─────────────────────────────────────────────────┐   │
│ │ https://api-taskmanager.sriinfosoft.com         │   │
│ └─────────────────────────────────────────────────┘   │
│                                                         │
│ Authorized redirect URIs                                │
│ ┌─────────────────────────────────────────────────┐   │
│ │ https://taskmanager.sriinfosoft.com/login/      │   │
│ │ oauth2/code/google                              │   │
│ └─────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────┘

4. AWS EC2 Security Group

Required Inbound Rules:

Type         Protocol   Port Range   Source      Description
SSH          TCP        22           Your IP     SSH access
HTTP         TCP        80           0.0.0.0/0   Frontend (CloudFront)
Custom TCP   TCP        8080         0.0.0.0/0   Backend API (CloudFront)

Note:

  • Port 80 for nginx (frontend)
  • Port 8080 for Spring Boot (backend API)
  • Both need to accept from CloudFront (0.0.0.0/0)

5. Application Configuration Files

5.1 Backend application.properties

Key configuration for JWT-based OAuth:

```properties
# CORS - Allow frontend domain
cors.allowed-origins=${FRONTEND_URL:https://taskmanager.sriinfosoft.com}

# OAuth redirect goes to FRONTEND
spring.security.oauth2.client.registration.google.redirect-uri=${FRONTEND_URL:https://taskmanager.sriinfosoft.com}/login/oauth2/code/google
```

NOT:

```properties
# ❌ WRONG - Do not use backend domain for redirect
spring.security.oauth2.client.registration.google.redirect-uri=https://api-taskmanager.sriinfosoft.com/login/oauth2/code/google
```

5.2 Environment Variables (.env)

```bash
FRONTEND_URL=https://taskmanager.sriinfosoft.com
# No BACKEND_URL needed for OAuth redirect
```

NOT:

```bash
# ❌ Don't use BACKEND_URL for OAuth redirect
BACKEND_URL=https://api-taskmanager.sriinfosoft.com
```

6. What to Remove/Revert

6.1 In Google Console - REMOVE These:

Remove from Authorized redirect URIs:

  • https://api-taskmanager.sriinfosoft.com/login/oauth2/code/google

Remove any localhost URLs:

  • http://localhost:3000
  • http://localhost:8080/login/oauth2/code/google

Keep ONLY:

  • https://taskmanager.sriinfosoft.com/login/oauth2/code/google

6.2 In application.properties - REVERT These:

Remove any session cookie configurations:

```properties
# These are NOT needed for JWT-based OAuth
server.servlet.session.cookie.domain=.sriinfosoft.com
server.servlet.session.cookie.secure=true
server.servlet.session.cookie.same-site=none
server.forward-headers-strategy=framework
```

Keep simple JWT configuration:

```properties
jwt.secret=${JWT_SECRET}
jwt.expiration=86400000
spring.security.oauth2.client.registration.google.redirect-uri=${FRONTEND_URL}/login/oauth2/code/google
```
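What the two JWT properties control is easiest to see in a minimal token mint/verify pair. The block below is an added example written from scratch with the Python standard library; it is not the project's Spring Boot code and does not claim to reproduce its exact token format. It reads `jwt.secret` and `jwt.expiration` (milliseconds, 86400000 = 24 hours) from a constructed properties dict, issues an HS256 token after a successful code exchange, and shows a verifier that rejects an expired token, a tampered payload, a token signed with a different secret and an `alg` other than HS256. The secret is generated at import time to stand in for `${JWT_SECRET}`.

```python
"""Mint and verify the HS256 JWT the backend returns after the Google code exchange.

Added example, standard library only, not the project's own code.
"""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Stand-ins for the application.properties values kept in section 6.2
PROPERTIES = {
    "jwt.secret": base64.b64encode(os.urandom(32)).decode(),  # ${JWT_SECRET}, generated here
    "jwt.expiration": "86400000",                               # 24 h, in milliseconds
}


def b64url_encode(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(subject: str, props: dict = PROPERTIES, now: Optional[float] = None) -> str:
    """Issue an HS256 token for `subject` that expires jwt.expiration ms from now."""
    now = time.time() if now is None else now
    ttl_seconds = int(props["jwt.expiration"]) // 1000
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    signature = hmac.new(props["jwt.secret"].encode(), signing_input.encode(),
                         hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, props: dict = PROPERTIES, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token has not expired, else None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        # Signature is checked over the encoded segments before anything is parsed,
        # so a single altered character anywhere in header or payload fails here.
        expected = hmac.new(props["jwt.secret"].encode(), f"{head}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        header = json.loads(b64url_decode(head))
        if header.get("alg") != "HS256":  # only the algorithm we actually use
            return None
        payload = json.loads(b64url_decode(body))
        if payload.get("exp", 0) <= now:
            return None
        return payload
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None


if __name__ == "__main__":
    token = mint_jwt("user@example.com")
    print(token)
    print(verify_jwt(token))
```

The Spring Boot side consumes `jwt.secret` and `jwt.expiration` in the same way; the point to keep is that only the backend holds the secret, and the frontend merely stores and presents the token it gets back from the code exchange.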

6.3 In docker-compose.yml - REMOVE These:

Remove from backend environment:

```yaml
- BACKEND_URL=${BACKEND_URL}  # Not needed for OAuth
```

Keep these:

```yaml
environment:
  - FRONTEND_URL=${FRONTEND_URL}
  - JWT_SECRET=${JWT_SECRET}
  - GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID}
  - GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET}
```

6.4 In .env File - REMOVE These:

Remove:

```bash
BACKEND_URL=http://taskmanager-backend:8080
BACKEND_URL=https://api-taskmanager.sriinfosoft.com
```

Keep:

```bash
FRONTEND_URL=https://taskmanager.sriinfosoft.com
JWT_SECRET=your-secret
GOOGLE_CLIENT_ID=your-id
GOOGLE_CLIENT_SECRET=your-secret
DB_PASSWORD=your-password
```

7. Verification Checklist

After making changes, verify:

AWS CloudFront:

  • Frontend distribution CNAME: taskmanager.sriinfosoft.com
  • Backend distribution CNAME: api-taskmanager.sriinfosoft.com
  • Backend cache policy: CachingDisabled
  • Backend origin request policy: AllViewer
  • Backend allowed methods: All (GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE)

Route 53:

  • taskmanager A record → Frontend CloudFront
  • api-taskmanager A record → Backend CloudFront

Google Console:

  • JavaScript origins: Both domains (taskmanager + api-taskmanager)
  • Redirect URI: ONLY frontend domain (taskmanager.sriinfosoft.com/login/oauth2/code/google)

Application Config:

  • redirect-uri uses ${FRONTEND_URL}/login/oauth2/code/google
  • No BACKEND_URL in backend environment variables
  • JWT_SECRET configured in .env
  • No session cookie configurations

EC2:

  • Security group allows port 80 and 8080
  • Containers rebuilt and running
  • Backend logs show successful startup

8. Testing After Configuration

8.1 Test CloudFront Distributions

```bash
# Test frontend
curl -I https://taskmanager.sriinfosoft.com
# Should return: 200 OK

# Test backend API
curl https://api-taskmanager.sriinfosoft.com/actuator/health
# Should return: {"status":"UP"}
```

8.2 Test OAuth Flow

  1. Clear all browser cookies
  2. Open incognito window
  3. Go to: https://taskmanager.sriinfosoft.com
  4. Click "Sign in with Google"
  5. Should redirect to Google
  6. After Google login, should redirect back to https://taskmanager.sriinfosoft.com/login/oauth2/code/google?code=...
  7. Frontend should exchange code for JWT token

9. Quick Reference: What Goes Where

Frontend Domain (taskmanager.sriinfosoft.com):

  • ✅ Google OAuth redirect URI
  • ✅ Frontend React app
  • ✅ User-facing UI
  • ✅ Receives OAuth authorization code from Google

Backend Domain (api-taskmanager.sriinfosoft.com):

  • ✅ REST API endpoints
  • ✅ OAuth code → JWT token exchange
  • ✅ Database operations
  • ✅ Business logic
  • ❌ NOT the OAuth redirect target

10. Common Mistakes to Avoid

Mistake 1: Using backend URL for OAuth redirect

```properties
# WRONG
redirect-uri=https://api-taskmanager.sriinfosoft.com/login/oauth2/code/google
```

Mistake 2: Adding session cookie config with JWT

```properties
# WRONG - Not needed with JWT
server.servlet.session.cookie.domain=.sriinfosoft.com
```

Mistake 3: Not setting CloudFront cache policy correctly

# WRONG - API responses will be cached
Cache policy: CachingOptimized (for backend API)

# RIGHT
Cache policy: CachingDisabled (for backend API)

Mistake 4: Forgetting to allow all HTTP methods for API

# WRONG - Only GET, HEAD, OPTIONS
Allowed methods: GET, HEAD, OPTIONS

# RIGHT - All methods for REST API
Allowed methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE

Mistake 5: Using trailing slashes in Google Console

# WRONG
https://taskmanager.sriinfosoft.com/

# RIGHT
https://taskmanager.sriinfosoft.com

Summary Table

Component                Configuration          Value
CloudFront Frontend      CNAME                  taskmanager.sriinfosoft.com
                         Origin Port            80
                         Cache Policy           CachingOptimized
CloudFront Backend       CNAME                  api-taskmanager.sriinfosoft.com
                         Origin Port            8080
                         Cache Policy           CachingDisabled
                         Origin Request         AllViewer
                         Methods                All (GET, POST, PUT, DELETE, etc.)
Route 53                 Frontend               A record → Frontend CloudFront
                         Backend                A record → Backend CloudFront
Google OAuth             JavaScript Origins     Both domains
                         Redirect URI           Frontend domain only
application.properties   redirect-uri           ${FRONTEND_URL}/login/oauth2/code/google
                         cors.allowed-origins   ${FRONTEND_URL}
Environment              FRONTEND_URL           https://taskmanager.sriinfosoft.com
                         BACKEND_URL            Not used for OAuth
                         JWT_SECRET             Generated base64 string

This is your complete reference. Follow these exact configurations and your OAuth should work correctly with the JWT-based flow.
