JwtIssuerAuthenticationManagerResolver should not resolve the bearer token #9186

Closed
jzheaux opened this issue Nov 3, 2020 · 0 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)
jzheaux commented Nov 3, 2020

Current Behavior

Each of JwtIssuerAuthenticationManagerResolver and JwtIssuerReactiveAuthenticationManagerResolver uses either BearerTokenResolver or ServerBearerTokenAuthenticationConverter, respectively, to resolve the bearer token from the HttpServletRequest or ServerWebExchange.

This has the downsides that, first, the bearer token is resolved from the request multiple times - once by BearerTokenAuthenticationFilter and again by the resolver - and second, it creates the need to expose the BearerTokenResolver when it is being customized in other places in the application.

Expected Behavior

Since JwtIssuerAuthenticationManagerResolver's role is to resolve an AuthenticationManager, it should just return an AuthenticationManager that reads the already-resolved token from a BearerTokenAuthenticationToken.

The same is true for JwtIssuerReactiveAuthenticationManagerResolver.

Making this change will make these authentication manager resolvers more widely usable since it will remove their dependency on BearerTokenResolver and ServerBearerTokenAuthenticationConverter.

jzheaux added the type: enhancement and in: oauth2 labels Nov 3, 2020
jzheaux added this to the 5.5.0-M1 milestone Nov 3, 2020
jzheaux self-assigned this Nov 3, 2020
jzheaux modified the milestones: 5.5.0-M1, 5.5.0-M2 Nov 3, 2020
jzheaux added a commit to jzheaux/spring-security that referenced this issue Nov 12, 2020