
How to extract claims from Spring Security OAuth2 Boot in the Resource Server?

I have an Authorization Server built in .Net Core using Identity Server 4! It is working as expected to authorize clients and resources from Node.js and .Net. Now I’m trying to add a Java Spring Boot 2 API (JDK 1.8) as a Protected Resource. I have achieved that goal by using the OAuth2 Boot documentation! Everything works fine so far. Now I need to extract the claims from the access token generated by the Authorization Server. This is a Bearer Token of type JWT. The implementation I have for this is the following:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends ResourceServerConfigurerAdapter {
  private final String resourceId;

  @Autowired
  public SecurityConfiguration(@Value("${security.oauth2.resource.id}") String resourceId) {
    this.resourceId = resourceId;
  }

  @Override
  public void configure(ResourceServerSecurityConfigurer resources) {
    // Tokens whose "aud" claim does not contain this resource id are rejected
    resources.resourceId(this.resourceId);
  }

  @Override
  public void configure(HttpSecurity httpSecurity) throws Exception {
    httpSecurity
        .csrf()
        .disable()
        .authorizeRequests()
        // Anonymous access to the API docs and actuator endpoints; note that permitAll on
        // /actuator/** exposes every actuator endpoint without a token
        .antMatchers("/swagger-ui.html", "/webjars/**", "/swagger-resources/**", "/**/api-docs/**", "/actuator/**")
        .permitAll()
        .and()
        // Everything else requires a valid bearer token (no remember-me)
        .authorizeRequests().anyRequest().fullyAuthenticated();
  }
}

The problem is that when I try to access the claims inside a controller, they are not available. I have checked the default extractAuthentication method from DefaultAccessTokenConverter inside Spring Security, and indeed it is ignoring all non-default claims. What crosses my mind is creating a new converter extending DefaultAccessTokenConverter, as follows:

import java.util.Map;

import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.stereotype.Component;

@Component
public class CustomAccessTokenConverter extends DefaultAccessTokenConverter {

  @Override
  public OAuth2Authentication extractAuthentication(Map<String, ?> claims) {
    // Let the default converter build the authentication from the standard claims
    // (client_id, user_name, scope, aud, authorities) ...
    OAuth2Authentication authentication = super.extractAuthentication(claims);
    // ... then keep the complete claim map so non-standard claims stay reachable
    // through OAuth2Authentication#getDetails() in controllers and method security
    authentication.setDetails(claims);
    return authentication;
  }
}

But I have not figured out where to inject or reference this new converter.


Answer

Unfortunately, the Spring Boot auto-configuration doesn’t seem to provide a way to replace the DefaultAccessTokenConverter, which is the default token converter in RemoteTokenServices. To replace the converter, you would have to replace the RemoteTokenServices that’s created by default.

If your converter is a bean, you could set it on your own RemoteTokenServices object, which you can then set on ResourceServerSecurityConfigurer (so that it could be applied to the OAuth2AuthenticationManager behind the scenes):

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableResourceServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends ResourceServerConfigurerAdapter {
    // ...

    @Autowired
    private ResourceServerProperties resource;

    @Autowired
    private CustomAccessTokenConverter customConverter;

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Replaces the auto-configured RemoteTokenServices, so the custom converter is
        // used by the OAuth2AuthenticationManager behind the scenes
        resources.tokenServices(customTokenServices());
        // ..
    }

    private RemoteTokenServices customTokenServices() {
        // RemoteTokenServices validates each bearer token by calling the authorization
        // server's check-token (introspection) endpoint, authenticating with the client
        // id/secret below; the response map is what the converter receives as "claims"
        RemoteTokenServices services = new RemoteTokenServices();
        services.setAccessTokenConverter(this.customConverter);

        // configure based on .properties file
        // (security.oauth2.resource.token-info-uri, security.oauth2.client.client-id,
        //  security.oauth2.client.client-secret)
        services.setCheckTokenEndpointUrl(this.resource.getTokenInfoUri());
        services.setClientId(this.resource.getClientId());
        services.setClientSecret(this.resource.getClientSecret());

        return services;
    }

    // ..
}

User contributions licensed under: CC BY-SA