4

Context: Multiple devices can use the same client credentials and as a result they share tokens, which can lead to race conditions when 2 or more devices try to refresh the token. Device identification can be found in headers, so a custom AuthenticationKeyGenerator implementation can use the device id to generate a token per device. The device id can be stored as an additional parameter in OAuth2Request.getExtensions().

Problem: As I mentioned, the device id does not come from GET/POST parameters, so it is not present in OAuth2Request.getRequestParameters(), but it can be found in headers. However, OAuth2Request is created in DefaultOAuth2RequestFactory (the implementation of OAuth2RequestFactory), which does not have access to the original HTTP request, so it cannot copy information from headers and add it to OAuth2Request.getExtensions().

What is the best way to capture the header and store it inside OAuth2Request.getExtensions() for AuthenticationKeyGenerator to later use it as a part of the key?

schatten
  • 1,497
  • 1
  • 12
  • 19

1 Answer

1

I had a similar implementation of AuthenticationKeyGenerator where device/user agent was used to generate a key for auth_to_access using Redis as a token store.

Below is a code snippet of how I captured the user agent in my custom AuthenticationKeyGenerator implementation.

import javax.servlet.http.HttpServletRequest;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
String userAgent = request.getHeader("User-Agent");
qwerty
  • 2,392
  • 3
  • 30
  • 55
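The following is an added example that is not part of the question or the answer above; it combines the two approaches discussed on this page. A DefaultOAuth2RequestFactory subclass copies the device header into OAuth2Request.getExtensions() at the token endpoint (the mechanism the question asks for), and a DefaultAuthenticationKeyGenerator subclass prefers that stored extension and falls back to reading the header from the thread-bound request via RequestContextHolder (the mechanism the answer uses). The header name "X-Device-Id", the extension key "device_id", the length cap and the class names are assumptions; the Spring Security OAuth2 types, the protected generateKey(Map) method and the public nine-argument OAuth2Request constructor are real.

```java
import java.io.Serializable;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.oauth2.provider.ClientDetails;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.TokenRequest;
import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory;
import org.springframework.security.oauth2.provider.token.DefaultAuthenticationKeyGenerator;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

/** Names shared by both classes. Header and extension names are assumptions, not part of any spec. */
final class DeviceKeys {
    static final String HEADER = "X-Device-Id";   // assumed header name
    static final String EXTENSION = "device_id";  // assumed extension key
    static final int MAX_LEN = 128;               // assumed cap on a client-supplied value

    /** Reads the device header from the servlet request bound to the current thread, or null. */
    static String fromCurrentRequest() {
        // getRequestAttributes() returns null off a request thread (e.g. a scheduled token
        // cleanup job); currentRequestAttributes() would throw IllegalStateException instead.
        RequestAttributes attrs = RequestContextHolder.getRequestAttributes();
        if (!(attrs instanceof ServletRequestAttributes)) {
            return null;
        }
        HttpServletRequest request = ((ServletRequestAttributes) attrs).getRequest();
        return normalize(request.getHeader(HEADER));
    }

    /** Trim and length-cap a client-chosen value before it is persisted or used in a key. */
    static String normalize(String value) {
        if (value == null) {
            return null;
        }
        String v = value.trim();
        if (v.isEmpty()) {
            return null;
        }
        return v.length() > MAX_LEN ? v.substring(0, MAX_LEN) : v;
    }
}

/** Copies the device header into OAuth2Request.getExtensions() when a token is issued. */
class DeviceAwareRequestFactory extends DefaultOAuth2RequestFactory {
    DeviceAwareRequestFactory(ClientDetailsService clientDetailsService) {
        super(clientDetailsService);
    }

    @Override
    public OAuth2Request createOAuth2Request(ClientDetails client, TokenRequest tokenRequest) {
        OAuth2Request original = super.createOAuth2Request(client, tokenRequest);
        String device = DeviceKeys.fromCurrentRequest();
        if (device == null) {
            return original; // no header sent: leave the request untouched
        }
        Map<String, Serializable> extensions = new HashMap<>(original.getExtensions());
        extensions.put(DeviceKeys.EXTENSION, device);
        // Rebuild through the public constructor instead of mutating the original's map.
        return new OAuth2Request(original.getRequestParameters(), original.getClientId(),
                original.getAuthorities(), original.isApproved(), original.getScope(),
                original.getResourceIds(), original.getRedirectUri(),
                original.getResponseTypes(), extensions);
    }
}

/** Derives the auth_to_access key from the default fields plus the device id. */
class DeviceAwareKeyGenerator extends DefaultAuthenticationKeyGenerator {
    @Override
    public String extractKey(OAuth2Authentication authentication) {
        String base = super.extractKey(authentication); // hash of username, client_id, scope
        Serializable stored = authentication.getOAuth2Request()
                .getExtensions().get(DeviceKeys.EXTENSION);
        // Prefer the value persisted with the authentication; fall back to the live header.
        String device = stored != null ? DeviceKeys.normalize(stored.toString())
                                       : DeviceKeys.fromCurrentRequest();
        if (device == null) {
            return base; // no device information: identical to the default generator
        }
        Map<String, String> values = new LinkedHashMap<>();
        values.put("base", base);
        values.put(DeviceKeys.EXTENSION, device);
        return generateKey(values); // MD5 hex of the map, same scheme as the parent class
    }
}
```

Register DeviceAwareRequestFactory as the authorization server's OAuth2RequestFactory and DeviceAwareKeyGenerator on the token store (for example via RedisTokenStore.setAuthenticationKeyGenerator). Because the extension is persisted together with the OAuth2Authentication, a refresh_token grant re-keys on the same device value without the header having to be present, which is what keeps two devices from overwriting each other's token. The header is chosen by the client, so it partitions tokens but proves nothing about the device; it is also a new per-client cardinality dimension, since every distinct value creates its own token entry, so cap its length (as above), and watch token counts per client_id in the store so a client cycling through values is noticed.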