Add custom claim converter in a microservice with oauth2

[Falydoor]

Add a custom claim converter to fetch the oauth2 userinfo endpoint and add custom claims. This only apply to a microservice using oauth2.

Fix #10975 @mraible (can this PR be merged after September for hacktoberfest 👀)

---

Please make sure the below checklist is followed for Pull Requests.

• All continuous integration tests are green
• Tests are added where necessary
• jhipster-online was updated if necessary
• Documentation is added/updated where necessary
• Coding Rules & Commit Guidelines as per our CONTRIBUTING.md document are followed

[mraible]

Thanks, @Falydoor! I believe you need to add a converter for WebFlux too.

Be sure to add [webflux] in your commit message when you add the implementation and test so the CI tests run.

[Falydoor]

Unfortunately I can't have ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest() to work with WebFlux 😢 so might be something to see for later.

[mraible]

@Falydoor I might be able to help, but might not be for a few days. @cbornet is our resident Spring WebFlux expert.

[cbornet]

RequestContextHolder is thread local so it can't be used in the reactive stack. I think the solution here is to use a ServerWebExchangeContextFilter and then get the ServerWebExchange from the subscriberContext.
See this example

[Falydoor]

@cbornet I played with the ServerWebExchangeContextFilter but for some reason the subscriberContext is always empty in the convert method of the CustomClaimConverter.

Also even if the context contained ServerWebExchange, I don't think it would be possible to have it working because the convert method must return Map<String, Object> instead of Mono<Map<String, Object>> (which mean that .block() must be called when getting ServerWebExchange).

[mraible]

@jgrandja Do you have any tips for how to implement a CustomClaimConverter for Spring WebFlux?

[jgrandja]

@mraible A custom claim converter may be configured via OidcUserService.setClaimTypeConverterFactory() (Servlet) or OidcReactiveOAuth2UserService.setClaimTypeConverterFactory() (WebFlux). Both provide a default converter so take a look at that and customize to your needs.

[mraible]

@Falydoor Does @jgrandja's advice help?

A custom claim converter may be configured via OidcUserService.setClaimTypeConverterFactory() (Servlet) or OidcReactiveOAuth2UserService.setClaimTypeConverterFactory() (WebFlux). Both provide a default converter so take a look at that and customize to your needs.

[Falydoor]

@mraible I tried using OidcReactiveOAuth2UserService.setClaimTypeConverterFactory() but I wasn't able to make it work unfortunately. The method CustomClaimConverter.convert() is never called for some reason 😬 .

[mraible]

@Falydoor Is the code for reactive in this PR? If so, I can try and see if I can figure it out.

[Falydoor]

@mraible I created a repo with the code, check the commit (I put some comments to help you) Falydoor/jhipster-reactive-oauth@c44ff7b

[mraible]

@Falydoor I forked your project and there's no src/main/docker/keycloak.yml file. Any idea why this wasn't created?

[Falydoor]

@mraible I'm using Okta and the keycloak file only comes with the gateway.

[mraible]

@Falydoor As far as I can tell, the oidcUserService() is not used when the server is acting as a resource server. This comment from @jgrandja makes me think it'll only be used when you've logged in with oauth2Login().

[Falydoor]

@mraible that would make sense!

Did you try to uncomment this line https://github.com/Falydoor/jhipster-reactive-oauth/blob/main/src/main/java/com/mycompany/myapp/config/SecurityConfiguration.java#L164 ?

[mraible]

Yes, I did try it with that line uncommented and it does call the converter.

[Falydoor]

But then in the converter the subscriberContext is empty which means that it can't retrieve the token. Maybe there is another way to get the token?

I also tried using ReactiveSecurityContextHolder.getContext().map(SecurityContext::getAuthentication) but it's empty.

[mraible]

This conditional (and others) should include applicationType === 'monolith' and gateway too. We configure these as resource servers by default for Ionic and React Native apps.

[mraible]

@Falydoor I believe this comment still needs to be addressed.

[mraible]

Using this guide, I tried to register a WebClient:

@Bean
WebClient webClient(ReactiveClientRegistrationRepository clientRegistrations,
                    ServerOAuth2AuthorizedClientRepository authorizedClients) {
    ServerOAuth2AuthorizedClientExchangeFilterFunction oauth =
        new ServerOAuth2AuthorizedClientExchangeFilterFunction(
            clientRegistrations,
            authorizedClients);
    oauth.setDefaultOAuth2AuthorizedClient(true);
    oauth.setDefaultClientRegistrationId("oidc");
    return WebClient.builder()
        .filter(oauth)
        .build();
}

Then, I used the following line to create the CustomClaimConverter:

@Bean
ReactiveJwtDecoder jwtDecoder(ReactiveClientRegistrationRepository clientRegistrationRepository, WebClient webClient) {
    ...
    jwtDecoder.setClaimSetConverter(new CustomClaimConverter(clientRegistrationRepository.findByRegistrationId("oidc").block(), webClient));

    return jwtDecoder;
}

Then, I modified the CustomClaimConverter to be the following:

package com.mycompany.myapp.security;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;

import java.util.Collections;
import java.util.Map;

public class CustomClaimConverter implements Converter<Map<String, Object>, Map<String, Object>> {
    private final Logger log = LoggerFactory.getLogger(CustomClaimConverter.class);

    private final MappedJwtClaimSetConverter delegate = MappedJwtClaimSetConverter.withDefaults(Collections.emptyMap());

    private final WebClient webClient;
    private final ClientRegistration registration;

    public CustomClaimConverter(ClientRegistration registration, WebClient webClient) {
        this.webClient = webClient;
        this.registration = registration;
    }

    public Map<String, Object> convert(Map<String, Object> claims) {
        Map<String, Object> convertedClaims = this.delegate.convert(claims);
        log.debug("convertedClaims : {} ", convertedClaims);

        Mono.subscriberContext()
            .subscribe(context -> {
                log.debug("CONTEXT SIZE : {}", context.size());
            });

        ClientRegistration.ProviderDetails.UserInfoEndpoint userInfoEndpoint = registration.getProviderDetails().getUserInfoEndpoint();
        log.debug("USER INFO : {}", userInfoEndpoint);

        Mono<String> retrievedResource = webClient.get()
            .uri(userInfoEndpoint.getUri())
            .retrieve()
            .bodyToMono(String.class);

        retrievedResource.subscribe(System.out::print);

        return convertedClaims;
    }
}

I get the following error:

reactor.core.Exceptions$ErrorCallbackNotImplemented: java.lang.IllegalArgumentException: serverWebExchange cannot be null
Caused by: java.lang.IllegalArgumentException: serverWebExchange cannot be null
        at org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager.lambda$loadAuthorizedClient$9(DefaultReactiveOAuth2AuthorizedClientManager.java:102)

If I modify the WebClient bean to remove setDefaultClientRegistrationId("oidc"), it results in:

401 Unauthorized from GET https://dev-162929.okta.com/oauth2/default/v1/userinfo

It does make the call, but maybe it doesn't have an access token associated with it? I'm not sure.

I thought it might be possible to get the access token like we get the ID token in LogoutResource, but I'm not sure how that might work.

@AuthenticationPrincipal(expression = "idToken") OidcIdToken idToken

Maybe it's possible to get the Authentication from ReactiveSecurityContextHolder (like this), and then cast it to a Jwt, which has a getTokenValue() method.

[mraible]

I spent several hours working on this yesterday but didn't succeed. Maybe documenting what I tried will help.

First of all, I found this concise blog post that makes it look easy to make a WebClient request with an access token. However, it uses client_credentials, whereas JHipster uses auth code flow. https://medium.com/@asce4s/oauth2-with-spring-webclient-761d16f89cdd

I found a Spring Security example that seems close to what we want. However, I need something that works without oauth2Login() since that’s not part of JHipster when it’s a resource server. https://github.com/spring-projects/spring-security/tree/master/samples/boot/oauth2webclient-webflux

Error I'm getting:

2020-11-11 16:08:46.649  INFO 36332 --- [ctor-http-nio-3] c.m.myapp.security.CustomClaimConverter  : userinfo endpoint https://dev-162929.okta.com/oauth2/default/v1/userinfo
2020-11-11 16:08:46.656 ERROR 36332 --- [ctor-http-nio-3] reactor.core.publisher.Operators         : Operator called default onErrorDropped
reactor.core.Exceptions$ErrorCallbackNotImplemented: java.lang.IllegalArgumentException: serverWebExchange cannot be null
Caused by: java.lang.IllegalArgumentException: serverWebExchange cannot be null
        at org.springframework.security.oauth2.client.web.DefaultReactiveOAuth2AuthorizedClientManager.lambda$loadAuthorizedClient$9(DefaultReactiveOAuth2AuthorizedClientManager.java:102)
        Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException: 
Assembly trace from producer [reactor.core.publisher.MonoErrorSupplied] :

Adding this at the top of the security config doesn’t help:

.addFilterAt(new ServerWebExchangeContextFilter(), SecurityWebFiltersOrder.FIRST)

To test everything, I'm using Ionic for JHipster since it surfaced the problem for me. I re-generated @Falydoor's project as a monolith running on 8080 so it would work with Ionic4J. You can see the difference between the projects at Falydoor/jhipster-reactive-oauth@main...mraible:userinfo.

Search for "SecurityConfiguration.java" and "CustomerClaimConverter.java" to see the changes I tried.

[mraible]

@Falydoor Maybe we should just merge this and open a new issue for reactive?

[Falydoor]

@mraible yes I agree. You did more research than me for the reactive support and it is trickier than what we thought...

[Tcharl]

Using new RestTemplate causes so much pains in real world (for example, when your app is behind an outbound proxy).
please prefer RestTemplate rt = restTemplateBuilder.build();

[pascalgrimaud]

Use new @IntegrationTest plz, otherwise, it's broken for some config like Redis etc.

[Falydoor]

Sounds good! I opened #13462

[mraible]

After thinking about this a bit more, I'm not sure we need a /userinfo lookup in a microservice. I think it's only needed in a monolith or gateway - because that's where the access token will come in from the client. Thoughts?