Subject (formerly "on behalf of") tokens

[jgaribaldi]

I need to secure a couple of rest services and I'm using Spring Boot (along with Spring Security) and Spring Security OAuth. These services belong to a resource server and they assume that the users making the request are already authenticated, so they only verify the token's validity and the authorities to see if the users have the proper authorization to the service that they're calling.

I also have "on behalf of" tokens, as specified here: https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-02#section-2.2

I didn't find a way to verify these "on behalf of" tokens in Spring Security OAuth, so I did the following: I created a custom class that extends JwtAccessTokenConverter. Here I overloaded the decode() method as follows:

@Override
protected Map<String, Object> decode(String token) {
    Map<String, Object> decodedToken = super.decode(token);
    Map<String, Object> result = new HashMap<>(decodedToken);

    if (decodedToken.containsKey("on_behalf_of")) {
        // this token is an "on behalf of" token
        String representedUserToken = (String) decodedToken.get("on_behalf_of");
        result = super.decode(representedUserToken);
    }

    return result;
}

Finally I added this custom class to the ResourceServerSecurityConfigurer as follows:

@Override
public void configure(ResourceServerSecurityConfigurer resourceServerSecurityConfigurer) throws Exception {
    CustomJwtAccessTokenConverter jwtTokenEnhancer = new CustomJwtAccessTokenConverter();

    resourceServerSecurityConfigurer.tokenStore(new JwtTokenStore(jwtTokenEnhancer));
}

I was wondering if there's a better way to archieve this, being able to validate and authorize an "on behalf of" token, so the final security context has the scopes of the represented user.
Thanks in advance!!

[jgaribaldi]

Any thoughts?

[dsyer]

If that works it looks like a pretty small amount of code and quite explicit. So what's the issue?

[jgaribaldi]

Thank you very much for your answer!!
This is a question rather than an issue. Since "on_behalf_of" tokens are part of the standard, I figured that Spring Security supports them out of the box, that's why I asked if there's a better way to do it.
If Spring Security does not support "on_behalf_of" tokens, feel free to use my code in case you want to support them.

[Szellem]

Please note that the draft has changed meanwhile and "on_behalf_of" has been renamed to "subject_token". See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05

[puug]

It's now up to version 6. https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-06

I'm interested in a full implementation of this spec as it suits my use case to a tee. And by full, I mean from a authorization server perspective, able to 'swap' tokens by accepting a token in a request and returning a new one in the response.

Is there any appetite for this? Happy to contribute a PR.

[dsyer]

We are trying to defer new features until later this year (hopefully) when the OAuth features get merged/re-written into the Spring Security core codebase. A PR which can be merged with no changes would stand a chance of breaking that rule and making it into a point release though.

[puug]

Hmm, the scope of changes I had in mind consisted of creating a new TokenGranter and AuthenticationProvider which deals with verifying and converting/looking up the supplied subject_token. I've got a WIP branch over at master...puug:token-exchange if that gives you a better idea of what I mean. I haven't touched the client side or xml configuration yet though.

[jgrandja]

Closing this issue. Explanation provided in this comment