-
Notifications
You must be signed in to change notification settings - Fork 244
Adapt token forwarding for JWT tokens #85
Comments
I'm not sure where this feature would live actually (here or Spring Boot). I'll give it some thought. N.B. You can do this already String token = ((OAuth2AuthenticationDetails)SecurityContextHolder.getContext().getAuthentication().getDetails()).getTokenValue()
restTemplate.getOAuth2ClientContext().setAccessToken(new DefaultOAuth2AccessToken(token)) |
OK I'll try that out....thanks. |
This works fine BTW....thanks again. May I ask a related question? I have added some additional details to the User (an email address) via the usual means (extending UserDetails, etc). I then extended JwtTokenAccessConverter so I could override enhance() to add the email address to the 'additional info' property. After fowarding the token downstream, I can see during authentication that the additional info is indeed present, but when OAuth2AccessToken is converted to an OAuth2Authentication object the additional info is lost (during DefaultTokenServices.loadAuthentication() ). Is there another way to access this additional information from the token, or do I need to decode it again? thanks... |
Not sure I follow completely. If the data is in the JWT then you need to extract it in the token services (i.e. inject the same |
I only overrode enhance() on the TokenAccessConverter, which I think is only called when the token is created. This happens in the auth server. The 'additional info' is held in a map inside OAuth2AccessToken.getAdditionalInformation(), so I wouldn't think I needed anything special to then extract this, as it's just a map in a non-custom object. For example, say I'm in a RestController or some other 'business' object and i want to get that email address from the token. I can get the OAuth2Authentication object like this; ((OAuth2Authentication)SecurityContextHolder.getContext().getAuthentication(); But that object doesn't have the additional information - it was lost when the token was decoded. Also, I don't want to have to introduce or share dependencies in my downstream services (e.g. my customer UserDetails implementation or the Token services)....I just want to be able to get at that 'additional information' map to get the stuff I put there when the token was created. EDIT: I say the information was 'lost', but it's still in the encoded token itself - I just don't know how I can get at it without decoding it again.... |
I think all the claims in the JWT are in the additional info map by default. Is that not what you see? |
I can see them in the OAuth2AccessToken (in the debugger) during authentication, but it's OAuth2Authentication that gets stored in the SecurityContext, and I can't see them in that. The code that 'translates' the token into the authentication object only takes the principal and the authorities (and maybe a couple of other things), but not the additional info. |
I got this to work. Some other people on SO had similar problems so I answered the question (mines the second answer): |
Are there any updates on this? |
No, if there were I think you'd see them. Feel free to send code. |
Do you have some hint on which classes are some interesting ones to look at? |
There are actually 2 issues being discussed here. If you care about token forwarding look at my first comment which shows you exactly how to do it (and apparently you don't even need to do that if using |
I was into the first issue about relay access tokens. Load Balanced RestTemplates are created here |
I don't see how a |
OK, I agree, just misunderstood your previous comment. Yes I'd handle it the same way you described it in your first comment. |
Token relay is now working for JWT tokens via an MVC interceptor (see docs for details). |
@dsyer I think there is a bug that affects the JWT token relay functionality. I created a pull request and opened a new issue #123 Until the issue is fixed a workaround is here
|
As described in this Stack Overflow issue, token forwarding will not occur if JWT tokens are being used. Propose the token-forwarding functionality be adapted for use with JWT.
The text was updated successfully, but these errors were encountered: