3

In my Spring Boot application I'm trying to configure OAuth2 & JWT. It works fine, but I would like to hide additional information from the OAuth2 token because it is in plain text and the same information is duplicated in the JWT token.

This is my Oauth2ServerConfig:

    import java.util.Arrays;

    import org.springframework.beans.factory.annotation.Qualifier;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.provider.approval.ApprovalStore;
    import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
    import org.springframework.security.oauth2.provider.token.TokenEnhancer;
    import org.springframework.security.oauth2.provider.token.TokenEnhancerChain;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
    import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

    @Configuration
    public class OAuth2ServerConfiguration {

        @Configuration
        @EnableAuthorizationServer
        protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

            private final AuthenticationManager authenticationManager;

            private final OAuth2ApprovalRepository oAuth2ApprovalRepository;

            private final OAuth2CodeRepository oAuth2CodeRepository;

            private final OAuth2ClientDetailsRepository oAuth2ClientDetailsRepository;

            // All final fields must be assigned here, otherwise the class does not compile;
            // the repositories are injected by constructor like the AuthenticationManager.
            public AuthorizationServerConfiguration(@Qualifier("authenticationManagerBean") AuthenticationManager authenticationManager,
                                                    OAuth2ApprovalRepository oAuth2ApprovalRepository,
                                                    OAuth2CodeRepository oAuth2CodeRepository,
                                                    OAuth2ClientDetailsRepository oAuth2ClientDetailsRepository) {
                this.authenticationManager = authenticationManager;
                this.oAuth2ApprovalRepository = oAuth2ApprovalRepository;
                this.oAuth2CodeRepository = oAuth2CodeRepository;
                this.oAuth2ClientDetailsRepository = oAuth2ClientDetailsRepository;
            }

            @Bean
            public ApprovalStore approvalStore() {
                return new MyDBApprovalStore(oAuth2ApprovalRepository);
            }

            @Bean
            protected AuthorizationCodeServices authorizationCodeServices() {
                return new MyDBAuthorizationCodeServices(oAuth2CodeRepository);
            }

            @Override
            public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
                // Order matters: the custom enhancer adds the extra claims first, then the
                // JwtAccessTokenConverter (also a TokenEnhancer) signs and encodes the token.
                TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
                tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), accessTokenConverter()));

                endpoints.authorizationCodeServices(authorizationCodeServices())
                    .approvalStore(approvalStore())
                    .tokenStore(tokenStore())
                    .tokenEnhancer(tokenEnhancerChain)
                    .authenticationManager(authenticationManager);
            }

            @Bean
            public TokenEnhancer tokenEnhancer() {
                return new CustomTokenEnhancer();
            }

            @Bean
            public TokenStore tokenStore() {
                // JwtTokenStore does not persist tokens; it decodes the JWT on every read.
                return new JwtTokenStore(accessTokenConverter());
            }

            @Bean
            public JwtAccessTokenConverter accessTokenConverter() {
                JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
                // "123" is a placeholder: the HMAC signing key should be a long random secret
                // loaded from configuration, never a short literal in source.
                converter.setSigningKey("123");
                return converter;
            }

            @Override
            public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
                clients.withClientDetails(new MyClientDetailsService(oAuth2ClientDetailsRepository));
            }
        }

    }

And this is my custom token enhancer that adds the information:

    import java.util.HashMap;
    import java.util.Map;

    import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
    import org.springframework.security.oauth2.common.OAuth2AccessToken;
    import org.springframework.security.oauth2.provider.OAuth2Authentication;
    import org.springframework.security.oauth2.provider.token.TokenEnhancer;

    public class CustomTokenEnhancer implements TokenEnhancer {

        @Override
        public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
            Map<String, Object> additionalInfo = new HashMap<>();
            additionalInfo.put("organizationId", "123");
            // Everything in additionalInformation is copied into the JWT claims by the
            // converter AND serialised as top-level fields of the /oauth/token response.
            ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
            return accessToken;
        }
    }

This is an example of the response from my authentication WS call:

    {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdhbml6YXRpb25JZCI6IjEyMyIsImF1ZCI6WyJyZXNfYmh1YiJdLCJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJleHAiOjE0OTc4NjkyNDMsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiOGNhYTZjN2YtNTU0Yy00OTZmLTkwYTUtZTA4MjAyM2I3ZTFlIiwiY2xpZW50X2lkIjoiYmh1YmFwcCJ9.B58c2_tmfuV_L1py8ZzOPuTK3OZAhVFviL9W1gxRoec",
      "token_type": "bearer",
      "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdhbml6YXRpb25JZCI6IjEyMyIsImF1ZCI6WyJyZXNfYmh1YiJdLCJ1c2VyX25hbWUiOiJhZG1pbiIsInNjb3BlIjpbInJlYWQiLCJ3cml0ZSJdLCJhdGkiOiI4Y2FhNmM3Zi01NTRjLTQ5NmYtOTBhNS1lMDgyMDIzYjdlMWUiLCJleHAiOjE0OTc4Njk0NDMsImF1dGhvcml0aWVzIjpbIlJPTEVfQURNSU4iLCJST0xFX1VTRVIiXSwianRpIjoiMGJjNWJhYzctMWI3Ny00OGFiLWI1N2MtNDM4ZjMyN2JmNGM2IiwiY2xpZW50X2lkIjoiYmh1YmFwcCJ9.DkQoCEX47PmmxOEj0n9kb2L5Yu6DqFgmUh7HBSTO_z4",
      "expires_in": 1799,
      "scope": "read write",
      "organizationId": "123",
      "jti": "8caa6c7f-554c-496f-90a5-e082023b7e1e"
    }

I don't want to expose the organizationId of this token to the external world and would like to encode this information only in the JWT token (access_token).

How can it be implemented with Spring Boot, OAuth2 and JWT?

Rachid_59
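One way to keep `organizationId` inside the signed JWT but out of the JSON response body, as an added example that is not code from the question or from either answer: subclass `JwtAccessTokenConverter`, let the parent encode and sign the token (the claims are taken from `additionalInformation` at that moment), then return a copy whose `additionalInformation` no longer carries the private keys. The class name and the `PRIVATE_CLAIMS` set are assumptions; it replaces `new JwtAccessTokenConverter()` in the `accessTokenConverter()` bean and must stay after `CustomTokenEnhancer` in the enhancer chain.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

/**
 * Hypothetical converter: keeps selected additional-information keys inside the
 * signed JWT but removes them from the token object that Spring serialises into
 * the /oauth/token JSON response, so clients only see the claim in signed form.
 */
public class ClaimHidingJwtAccessTokenConverter extends JwtAccessTokenConverter {

    // Keys that must only travel inside the signed token (assumption: organizationId).
    private static final Set<String> PRIVATE_CLAIMS =
            new HashSet<>(Arrays.asList("organizationId"));

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        // The parent copies additionalInformation into the JWT claims, signs the payload
        // and stores the compact JWS as the token value; it encodes the refresh token
        // the same way, so the claim is present in both signed tokens.
        OAuth2AccessToken encoded = super.enhance(accessToken, authentication);

        // Rebuild the response-side token without the private keys. The signed value,
        // and therefore what JwtTokenStore decodes on the resource server, is untouched.
        Map<String, Object> visible = new LinkedHashMap<>(encoded.getAdditionalInformation());
        visible.keySet().removeAll(PRIVATE_CLAIMS);

        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(encoded);
        result.setAdditionalInformation(visible);
        return result;
    }
}
```

Back-end services should then read `organizationId` from the decoded claims of the presented token rather than from anything the client echoes back, which is the integrity property the duplicated plain-text field was undermining.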
2 Answers

2

If the connection is over HTTPS (as it should be) then the information won't be exposed to the external world (just the client which is requesting it).

In any case, the access token you have is only a JWS (it's not encrypted) so the information isn't hidden if you put it in there (it's just Base64 encoded).

Shaun the Sheep
Comment: The problem is we're adding more information and the response keeps growing because the additional info gets duplicated, i.e. in the token as well as in the response... is there any way to remove it from the response? The issue is that malicious code in the browser may modify that additional info (for example, in the above case, organizationId to 444) while organizationId in the encoded token is still 123, and a developer for convenience is using the exposed data rather than the value in the token in order to fetch some details from the back-end services – xbmono Apr 16 '18 at 07:15
1

I found a solution here:

Spring OAuth 2 + JWT Including additional info JUST in access token

I also changed the configure method...

    // userDetailsService and authenticationManager are injected fields of the
    // surrounding AuthorizationServerConfigurerAdapter subclass (not shown here).
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // Only the custom enhancer is placed in the chain here; the JWT converter is
        // no longer listed as an enhancer.
        TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
        tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer()));
        endpoints
            .tokenStore(tokenStore())
            .tokenEnhancer(tokenEnhancerChain)
            .reuseRefreshTokens(false)   // issue a fresh refresh token on every refresh
            .userDetailsService(userDetailsService)
            .authenticationManager(authenticationManager);
    }
leofds