[Question] How to add custom authorities after authenticated using Oauth2 flow #640
Comments
I don't see any hard coded "ROLE_USER" in the authentication filters, the authorities depend on how you verify tokens: do you use the remote endpoint (like /oauth/check_token), a self-supporting JWT or a shared database? The user authorities come straight from the authorization server. Using a spring-security-oauth2 authorization server you could implement
Thank you for your response. I got lost somewhere during debugging so it was incorrect to say the We already have the answer for question <1> above by injecting the OAuth2ClientContext object and getting the access token from there. However, we're still stuck with adding custom additional authorities to the Authentication object using our own logic (make another call to the Cloud Foundry API and decide) so that we can use standard Spring Security method level access control. We would imagine adding a custom filter into the security filter chain but are not sure what the correct way is. Thanks again.
I don't think the client is usually in a position to modify the user authentication - that data comes from a server (usually the authorization server). If you want to create a facade over remote authority values, to adapt your code to an external server I guess I can understand why you might want to do it, but really without more detail I couldn't advise you to do anything except just consume the data as it comes from the server, and modify the server if you can. Ideally you would use the OAuth2 scopes (and other data that are generally decoded directly with the access token) to make all your access decisions.
Thank you Dave for your response. You're right, the client shouldn't modify the user authentication. However, our requirements are a bit beyond the authority values that the authorization server gives us. Let me take Github as an example.
Step 3 is where it caused confusion, since we would like to use the OAuth authentication object to have Spring Security method level restrictions applied on our app's controller endpoints at this point - something like @PreAuthorize("hasAnyRole('ROLE_REPO_OWNER')") - but after step 1, it looks like we don't have enough authorities to do so. I hope the example makes sense to you and I would love to hear your thoughts and suggestions on this. Please note that we are not in a position to be able to modify an authorization server such as GitHub in this example. Thank you and sorry for the long post.
@LeeU1911 Have you been able to come up with a solution to your use case?
Spring Boot has a strategy called
@jgrandja We create a filter to intercept every request coming from the front-end, and make another call to the resource server to find out more about the user (the role of the user in a particular organization). Then we extract the authorities and put them into the SecurityContext manually (build @dsyer Thank you Dave! As mentioned above, we look forward to using this to extract the authorities of the user.
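The per-request filter sketched in the comment above, written out as an added illustration (it is not code from this thread or from spring-security-oauth). It assumes the OAuth2 client filter has already placed an OAuth2Authentication in the SecurityContext, that an OAuth2RestOperations bean sends the user's access token as Bearer, and a hypothetical role endpoint that returns JSON like {"role": "OrgManager"}; only roles present in an allow-list map become local authorities, the lookup runs once per session, and a failed lookup grants nothing extra.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.filter.OncePerRequestFilter;

// Adds ROLE_* authorities from a remote role lookup to the OAuth2Authentication already in the context.
public class RemoteRoleAuthoritiesFilter extends OncePerRequestFilter {
    private static final String DONE = RemoteRoleAuthoritiesFilter.class.getName() + ".done";
    private final OAuth2RestOperations rest;   // sends the logged-in user's access token as Bearer
    private final String roleEndpoint;         // hypothetical API returning JSON such as {"role": "OrgManager"}
    private final Map<String, String> roleMap; // allow-list: remote role name -> local authority, e.g. ROLE_ORG_MANAGER

    public RemoteRoleAuthoritiesFilter(OAuth2RestOperations rest, String roleEndpoint, Map<String, String> roleMap) {
        this.rest = rest; this.roleEndpoint = roleEndpoint; this.roleMap = roleMap;
    }

    @Override
    @SuppressWarnings("unchecked")
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        // Enrich only an authentication produced by the OAuth2 login, and only once per HTTP session.
        if (current instanceof OAuth2Authentication && req.getSession().getAttribute(DONE) == null) {
            OAuth2Authentication oauth = (OAuth2Authentication) current;
            List<GrantedAuthority> merged = new ArrayList<GrantedAuthority>(oauth.getAuthorities());
            try {
                Map<String, Object> body = rest.getForObject(roleEndpoint, Map.class);
                String local = body == null ? null : roleMap.get(String.valueOf(body.get("role")));
                if (local != null) merged.add(new SimpleGrantedAuthority(local)); // unmapped roles grant nothing
                // Keep the original OAuth2Request, principal and details; only the user authorities change.
                Authentication user = new UsernamePasswordAuthenticationToken(oauth.getPrincipal(), "N/A", merged);
                OAuth2Authentication enriched = new OAuth2Authentication(oauth.getOAuth2Request(), user);
                enriched.setDetails(oauth.getDetails());
                SecurityContextHolder.getContext().setAuthentication(enriched); // saved to the session by Spring Security
                req.getSession().setAttribute(DONE, Boolean.TRUE);
            } catch (RuntimeException e) { // fail closed: no extra authorities, retried on the next request
                logger.warn("Role lookup failed; keeping server-provided authorities only", e);
            }
        }
        chain.doFilter(req, res);
    }
}
```

Register the filter after the OAuth2 client filter in the chain (for example with addFilterAfter) so that the SecurityContext already holds the OAuth2Authentication when it runs.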
Closing this as questions are better suited on Stack Overflow. We prefer to use GitHub issues for bugs and enhancements. |
Hey,
Our goal is to secure our backend API endpoints using roles of Cloud Foundry users.
The app is implemented using spring-security-oauth2 in order to redirect anonymous user to Cloud Foundry UAA server, authenticate it then get an access token back (briefly, some intermediate steps omitted).
After we obtain the access token, it looks like Spring Security only extracts the token type (Bearer) and token value and then stores them in the Authentication object. We need to have the OAuth2AccessToken object available in order to make another call to the Cloud Foundry API to get the logged in user's role. So there are 2 questions:
Thanks a lot!