
I am wondering what's the best way to do this. My scenario is the following:

I have separate OAuth2 server and resource server sharing the auth information via database. The user authentication is being made by a provider that extends from AbstractUserDetailsAuthenticationProvider. Whenever I build a UserDetails object, I attach the authorities to that user details. The thing is, a specific call to my resource server might change the user authorities. As far as I understand the UserDetails is stored serialized in the database, which seems to make the process even more difficult.

My question: is there a way of doing this right? Or better, is the API prepared to handle such a requirement? If not, what are my options here?

Also note that the server that may somehow change the authorities is the resource server and not the one running the OAuth2 stuff.

rpvilao

1 Answer

I suppose the way you handle this depends on your business requirements. An access token is a bit like a session - it expires and it can be revoked in one way or another. Most easily the approvals can be revoked and the refresh token thereby disabled, so the most straightforward way to handle the authority change is to use a short expiry for the access token and re-load the authorities when you refresh. (The 2.0.7 snapshots have some configuration options to make that easy or automatic, but it's work in progress.)

Dave Syer
  • What exactly do you mean with `the approvals can be revoked and the refresh token thereby disabled`? What approvals? – James Mar 10 '15 at 09:51
  • These ones: https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStore.java – Dave Syer Mar 10 '15 at 10:38
  • Thanks for the response. OK, the option of revoking seems to be the best one, since a short session time will make the client send their credentials more often and goes against one of the key purposes of OAuth, right? Also the short session does not cope well when there's user interaction. Example: a user has limited access to a newspaper, then buys a subscription and will want to use the unlimited contents right away and not have to wait for the session to expire before being able to use the unlimited contents. Please comment if my idea of the thing is wrong. – rpvilao Mar 10 '15 at 13:04
  • @DaveSyer could you tell what configuration that is exactly, using which I can reload authorities when I refresh, as mentioned at the end of your answer? I am using 2.0.10 – Nikhil Aug 29 '18 at 16:54
  • @DaveSyer question ref https://stackoverflow.com/questions/52073349/discrepancy-in-the-user-rolesauthorities-in-the-access-token-obtained-from-gra – Nikhil Aug 29 '18 at 17:06
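A configuration sketch of the approach in the answer, as an added example that is not from the question, the answer, or the Spring Security OAuth project itself: a short access-token validity plus a UserDetailsService wired into the token endpoint, so that each refresh re-authenticates the user and the new access token carries the authorities currently stored in the shared database. Assumptions: a Spring Security OAuth 2.0.x version that has `endpoints.userDetailsService(...)`, JDBC-backed token and approval stores on the database both servers share, a client id `newspaper-app`, and an injected UserDetailsService that reads the user's current authorities.

```java
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.approval.JdbcApprovalStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired private DataSource dataSource;                 // assumed: the DB shared with the resource server
    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private UserDetailsService userDetailsService; // assumed: loads the user's current authorities from the DB

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("newspaper-app")                      // assumed client id
            .secret("CHANGE-ME-PLACEHOLDER")                  // placeholder, not a real secret
            .authorizedGrantTypes("password", "refresh_token")
            .scopes("read")
            // Short-lived access token: an authority change on the resource server side
            // is picked up at the next refresh, i.e. within five minutes at most.
            .accessTokenValiditySeconds(300)
            // Long-lived refresh token, so the client does not have to re-send user credentials.
            .refreshTokenValiditySeconds(30 * 24 * 3600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            .tokenStore(new JdbcTokenStore(dataSource))
            // The ApprovalStore linked in the comments; its approvals can be revoked to cut a user off.
            .approvalStore(new JdbcApprovalStore(dataSource))
            .authenticationManager(authenticationManager)
            // With a UserDetailsService set, the token services re-authenticate the user on every
            // refresh instead of copying the old (serialized) authentication, so the refreshed
            // access token reflects the authorities stored now, not those at first login.
            .userDetailsService(userDetailsService);
    }
}
```

The resource server itself never touches tokens in this setup: it only updates the user's authorities in the shared database, and the next refresh carries them over. To force the change sooner, the resource server can additionally remove the user's access tokens from the shared JdbcTokenStore, which makes the client refresh immediately.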