
Configurable authentication converter for resource-servers with token introspection #11661

Closed
ch4mpy opened this issue Aug 4, 2022 · 0 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose), type: enhancement (A general enhancement)

Comments

@ch4mpy (Contributor) commented Aug 4, 2022

Expected Behavior

Something like the JwtAuthenticationConverter but for token introspection.

My first thought is, inside OpaqueTokenAuthenticationProvider, to delegate `AbstractAuthenticationToken convert(OAuth2AuthenticatedPrincipal principal, String token)` to a configurable bean.

As we already have the possibility to configure the introspector, another option would be bypassing the call to convert when the introspector's return value implements both AuthenticatedPrincipal and Authentication. This option has minimal impact on the code base, but is probably less flexible (and clean) than the preceding one.

Current Behavior

We have no hand on the type of Authentication returned by OpaqueTokenAuthenticationProvider (at least, none I could find)

Context

I'm writing a spring-boot resource-server with token introspection and would like to:

  • easily switch the token attribute(s) authorities are mapped from and how they are processed (prefix, case transformation, etc.). For instance, Keycloak puts user authorities into realm_access.roles and resource_access.{client-id}.roles, not in scope (which is used for ... scopes). Other vendors could put them in groups.
  • populate the security context with something other than BearerTokenAuthentication

Ideally, the introspection process would not be touched. Just add a sort of post-processing to successful introspections.

Overriding the introspector just for altering authorities mapping is overkill and I'd like to keep the default introspector: if it is found out that the Nimbus introspector should be updated or replaced with another implementation for whatever security or performance reason, I'd like to benefit from it (which won't happen if it is overridden for authorities mapping).

@ch4mpy ch4mpy added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Aug 4, 2022
@ch4mpy ch4mpy changed the title Configurable authentication converter in OpaqueTokenAuthenticationProvider Configurable authentication converter for resource-servers with token introspection Aug 4, 2022
@marcusdacoregio marcusdacoregio added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 5, 2022
ch4mpy added a commit to ch4mpy/spring-security that referenced this issue Sep 10, 2022
Adds configurable authentication converter for resource-servers with token introspection (something very similar to what JwtAuthenticationConverter does for resource-servers with JWT decoder).

The new (Reactive)OpaqueTokenAuthenticationConverter is given responsibility for converting a successful token introspection result into an Authentication instance (which is currently done by private methods of OpaqueTokenAuthenticationProvider and OpaqueTokenReactiveAuthenticationManager).

The default (Reactive)OpaqueTokenAuthenticationConverter behaves the same as the current private convert(OAuth2AuthenticatedPrincipal principal, String token) methods: map authorities from the scope attribute and build a BearerTokenAuthentication.
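As an added example (not code from the issue, the referenced commit or Spring Security itself), here is a converter doing the Keycloak mapping the issue asks for, without touching the introspector. It assumes the interface shape that shipped with this feature, `Authentication convert(String introspectedToken, OAuth2AuthenticatedPrincipal principal)`, and the client id passed to the constructor is an illustrative assumption.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames;
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationConverter;

// Added example: maps Keycloak realm_access.roles and resource_access.{client-id}.roles to ROLE_* authorities
public class KeycloakOpaqueTokenAuthenticationConverter implements OpaqueTokenAuthenticationConverter {
    private final String clientId; // this resource server's Keycloak client id (assumed, e.g. "my-api")
    public KeycloakOpaqueTokenAuthenticationConverter(String clientId) {
        this.clientId = clientId;
    }

    @Override
    public Authentication convert(String introspectedToken, OAuth2AuthenticatedPrincipal principal) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : rolesOf(principal.getAttribute("realm_access"))) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
        }
        Map<String, Object> resourceAccess = principal.getAttribute("resource_access");
        if (resourceAccess != null) {
            for (String role : rolesOf(resourceAccess.get(clientId))) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
            }
        }
        // Carry iat/exp from the introspection response so the token's validity window is preserved
        OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, introspectedToken,
                principal.getAttribute(OAuth2TokenIntrospectionClaimNames.IAT),
                principal.getAttribute(OAuth2TokenIntrospectionClaimNames.EXP));
        return new BearerTokenAuthentication(principal, accessToken, authorities);
    }

    // Defensive extraction: a missing or malformed claim yields no roles rather than an exception
    @SuppressWarnings("unchecked")
    private static Collection<String> rolesOf(Object access) {
        if (!(access instanceof Map)) return Collections.emptyList();
        Object roles = ((Map<String, Object>) access).get("roles");
        return (roles instanceof Collection) ? (Collection<String>) roles : Collections.emptyList();
    }
}
```

The converter is registered through the opaque-token DSL (`opaqueToken(ot -> ot.authenticationConverter(converter))`, assumed to be available alongside the interface), so the default Nimbus introspector stays in place.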
@sjohnr sjohnr closed this as completed in 1efb633 Sep 14, 2022
@sjohnr sjohnr added this to the 5.8.0-M3 milestone Sep 14, 2022
@sjohnr sjohnr assigned ch4mpy and unassigned sjohnr Sep 20, 2022