18

I am implementing a REST API with Spring Boot and I am securing it with JWT and OAuth 2.

I have no problems with authentication and producing an access token.

When a user makes a request I want to access its JWT token from the controller.

@RequestMapping(value = "/users", method = RequestMethod.GET)
public List<AppUser> getUsers(OAuth2Authentication auth) {
    logger.info("CREDENTIALS:" + auth.getCredentials().toString());
    logger.info("PRINCIPAL:" + auth.getPrincipal().toString());
    logger.info("OAuth2Request:" + auth.getOAuth2Request());
    logger.info("UserAuthentication:" + auth.getUserAuthentication());
    return userService.findAllUsers();
}

I tried something like the above but could not reach the token; I only get the user name. Is there a way to achieve this in Spring Boot?

Any help would be appreciated.

Tartar

3 Answers

49

Tartar,

Is the UI sending the token as a header in the request? If that is the case, then you can get that value using the @RequestHeader annotation in your method:

@RequestMapping(value = "/users", method = RequestMethod.GET)
public List<AppUser> getUsers(OAuth2Authentication auth, @RequestHeader(name = "Authorization") String token) {
    return userService.findAllUsers(); // token holds the raw Authorization header value
}

Note: For this example, Authorization is the header name that contains the token; this could be a custom header name.

Cheers!

G.S
Karl
18

The answer provided by Karl should solve your issue.

In addition to that answer, you can use the following method and access the token anywhere in the code:

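import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;

public static String getToken() {
    var authentication = SecurityContextHolder.getContext().getAuthentication();
    // Details are only OAuth2AuthenticationDetails for bearer-token requests; check before casting
    if (authentication != null && authentication.getDetails() instanceof OAuth2AuthenticationDetails) {
        return ((OAuth2AuthenticationDetails) authentication.getDetails()).getTokenValue();
    }
    return null; // no authenticated OAuth2 request on this thread
}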
Abhijay
  • OAuth2AuthenticationDetails is deprecated – Osama Sbieh Dec 24 '19 at 06:45
  • @OsamaSbieh can you provide a link that shows that the latest (2.4.0.RELEASE) is deprecated? Looking at the Maven Repository, and diving into the JAR, this doesn't appear to be true. Only the ImplicitGrantService is deprecated because it's been found to be insecure and is being reworked for a future release so Implicit Grant types can be structured and honored correctly. – Blake Neal Feb 11 '20 at 22:35
  • Just to cast light, yes, it was deprecated https://github.com/spring-projects/spring-security-oauth/blob/6234826671d75632d84c524da1dd8818cee1b4c2/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetails.java – Javi Vazquez Jan 10 '21 at 11:35
0

I have used the following approach on Spring Security 6:

@RestController
@RequestMapping(path = "/api/v1/")
public class ApiController {

  public ApiResponse search(final JwtAuthenticationToken auth, @RequestBody final ApiRequest request) throws Exception {
    // ...
  }

}
João Pedro Schmitt
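
An added example, not taken from any of the answers above: a Spring Security 6 counterpart to the static helper, reading the validated Jwt from the security context with a type check instead of a cast and building a log line from claims so the signed token itself never reaches the logs. The class name CurrentToken and its method names are hypothetical; it assumes the spring-security-oauth2-resource-server module with JWT authentication configured.

```java
import java.util.Optional;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

// Hypothetical helper class (not part of Spring Security or of the answers above).
public final class CurrentToken {

    private CurrentToken() {}

    /** The validated JWT of the current request, if it was authenticated with one. */
    public static Optional<Jwt> jwt() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Type check rather than cast: the context may hold an anonymous,
        // form-login or other Authentication that carries no Jwt.
        if (auth instanceof JwtAuthenticationToken jwtAuth && jwtAuth.isAuthenticated()) {
            return Optional.of(jwtAuth.getToken());
        }
        return Optional.empty();
    }

    /** Raw compact token string, e.g. for relaying to a downstream service. */
    public static Optional<String> rawValue() {
        return jwt().map(Jwt::getTokenValue);
    }

    /** Log-safe summary: selected claims only, never the bearer token itself. */
    public static String describeForLog() {
        return jwt()
            .map(j -> "sub=" + j.getSubject() + " jti=" + j.getId() + " exp=" + j.getExpiresAt())
            .orElse("no JWT in security context");
    }
}
```

SecurityContextHolder is thread-bound by default, so these methods return empty on threads that did not inherit the request's security context.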