Add post-authentication callback in ResourceOwnerPasswordTokenGranter #791
Comments
Can't you do that in the |
Don't know, I don't have an own implementation of |
No, the |
I am writing a small test program to fully understand what you mean in order to properly implement this. If I create my own I then tried to make my own I tried this code:
with:
But it does not work, I get this when trying to get a token:
If it would help to understand, I created a public GitHub repo with the example: https://github.com/wimdeblauwe/multiple-oauth-clients The file https://github.com/wimdeblauwe/multiple-oauth-clients/blob/master/auth-tests.http can be used in IntelliJ to test. The checked-in version just allows any user on any OAuth client. I would like to now modify the code to only allow a user with role |
@wimdeblauwe I modified an existing sample I have that demonstrates how to perform post-authentication logic for a The delegation-based Let me know if you have any questions. |
…But it does not seem to be working. The Admin still gets an access token, no matter what client he is using.
@jgrandja Thank you for this. I tried to apply this on my example, but I don't get it working. I created a branch in my repo: https://github.com/wimdeblauwe/multiple-oauth-clients/tree/test-jgrandja-example The admin user still gets an access token, no matter what client he uses. Am I doing something wrong? Since I am not using JWT, I also did not configure a TokenEnhancer. I don't know if that would be a problem? |
I'm not sure I understand the problem you are having. FYI, a user can use any client depending on your application setup. If the user authorizes the client then the client gets an access token. I looked at your sample and it's not clear which flow you are going through that produces the issue you are having. It would be helpful if the sample contained detailed steps on how to reproduce. Please see the following references for what a complete and minimal sample should consist of. |
I have added a unit test (https://github.com/wimdeblauwe/multiple-oauth-clients/blob/c186c4a2c5c191fc07212460dcb68afa9c968ef1/src/test/java/com/example/multipleoauthclients/infrastructure/security/SecurityTest.java) on the https://github.com/wimdeblauwe/multiple-oauth-clients/tree/test-jgrandja-example branch to show the problem. You'll see 2 tests. One will succeed ( Let me know if you still have questions and thank you for looking into this! |
@wimdeblauwe To get both tests to pass in In

```java
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients.inMemory()
        .withClient("mobile_client_id")
        .authorities("MOBILE_APP")
        // .... (remaining client settings elided in the original)
        .and()
        .withClient("angular_app_id")
        .authorities("WEB_APP");
        // .... (remaining client settings elided in the original)
}
```

In

```java
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

// Enclosing class name, logger and the two collaborators are assumed context for the method
// below; ApplicationUserDetails is the sample project's own UserDetails implementation.
public class DelegatingTokenServices implements AuthorizationServerTokenServices {
    private static final Logger LOGGER = LoggerFactory.getLogger(DelegatingTokenServices.class);
    private final ClientDetailsService clientDetailsService;
    private final AuthorizationServerTokenServices tokenServices;

    public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
        UsernamePasswordAuthenticationToken userAuthentication =
                (UsernamePasswordAuthenticationToken) authentication.getUserAuthentication();
        ApplicationUserDetails userDetails = (ApplicationUserDetails) userAuthentication.getPrincipal();
        // The password granter stores the token request parameters as the user authentication details
        Map<?, ?> clientDetails = (Map<?, ?>) userAuthentication.getDetails();
        String clientId = (String) clientDetails.get("client_id");
        // Post-authentication callback
        // TODO Validate/authenticate user and/or client
        LOGGER.info("username: {}", userDetails.getUsername());
        LOGGER.info("clientId: {}", clientId);
        // *** Add this bit of code
        ClientDetails authenticatedClient = clientDetailsService.loadClientByClientId(clientId);
        boolean isUserAdmin = authentication.getUserAuthentication().getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).anyMatch(a -> a.equals("ROLE_ADMINISTRATOR"));
        boolean isClientWebApp = authenticatedClient.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).anyMatch(a -> a.equals("WEB_APP"));
        if (isUserAdmin && !isClientWebApp) {
            throw new UnauthorizedClientException("TODO: Add message");
        }
        // *** Up to here
        // Original check from the sample, left in place
        if (userDetails.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_ADMINISTRATOR"))
                && !clientId.equals("angular_app_id")) {
            LOGGER.info("ADMIN trying to log on via wrong client!");
            authentication.setAuthenticated(false);
        }
        return tokenServices.createAccessToken(authentication);
    }
}
```

The thrown I'm going to close this issue as answered. However, if you're still having an issue we can re-open. |
I need to allow only users with a certain role access via OAuth2 when using a certain clientId. Currently to do this, I have created a subclass of `ResourceOwnerPasswordTokenGranter` where I copied the code from `protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest)` and added my own logic:

It would be better if there was an extension point where I can add my code without having to copy over parts of the framework.
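The delegation-based approach from the answer above, generalised into a reusable wrapper with a configurable role-to-client rule, as an added example that is not part of the issue thread or of the spring-security-oauth project. `RoleBoundClientTokenServices` and its rule map are names chosen here; the client authorities `WEB_APP`/`MOBILE_APP` and the role `ROLE_ADMINISTRATOR` come from the sample discussed in the thread.

```java
import java.util.Map;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices;

// Added example: wraps the framework token services so the role/client rule runs after both
// the user and the client are authenticated, without subclassing ResourceOwnerPasswordTokenGranter.
public class RoleBoundClientTokenServices implements AuthorizationServerTokenServices {
    private final AuthorizationServerTokenServices delegate;
    private final ClientDetailsService clientDetailsService;
    // user role -> client authorities that are allowed to obtain tokens for users holding that role
    private final Map<String, Set<String>> allowedClientAuthoritiesByRole;

    public RoleBoundClientTokenServices(AuthorizationServerTokenServices delegate,
            ClientDetailsService clientDetailsService, Map<String, Set<String>> rules) {
        this.delegate = delegate;
        this.clientDetailsService = clientDetailsService;
        this.allowedClientAuthoritiesByRole = rules;
    }

    @Override
    public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) {
        if (authentication.getUserAuthentication() != null) { // null for client_credentials grants
            // Client id comes from the OAuth2Request rather than from the raw parameter map
            ClientDetails client = clientDetailsService.loadClientByClientId(
                    authentication.getOAuth2Request().getClientId());
            for (GrantedAuthority role : authentication.getUserAuthentication().getAuthorities()) {
                Set<String> allowed = allowedClientAuthoritiesByRole.get(role.getAuthority());
                boolean clientPermitted = allowed == null || client.getAuthorities().stream()
                        .map(GrantedAuthority::getAuthority).anyMatch(allowed::contains);
                if (!clientPermitted) {
                    throw new UnauthorizedClientException("client " + client.getClientId()
                            + " may not issue tokens to users with " + role.getAuthority());
                }
            }
        }
        return delegate.createAccessToken(authentication);
    }

    @Override
    public OAuth2AccessToken refreshAccessToken(String refreshToken, TokenRequest tokenRequest) {
        return delegate.refreshAccessToken(refreshToken, tokenRequest); // not re-checked here
    }

    @Override
    public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
        return delegate.getAccessToken(authentication);
    }
}
```

Register it with `endpoints.tokenServices(...)` in the `AuthorizationServerConfigurerAdapter`, passing a `DefaultTokenServices` as the delegate and, for the sample's rule, `Collections.singletonMap("ROLE_ADMINISTRATOR", Collections.singleton("WEB_APP"))`. Refresh-token issuance goes through `refreshAccessToken` unchecked, so either disable refresh tokens on the delegate (`setSupportRefreshToken(false)`) or apply the same rule there.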