I am implementing an Oauth2 auth server using Spring. After authentication I need to generate an JWToken with some extra information in it.
I have an AuthorizationServerConfigurerAdapter configuration:
@Configuration
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
//extra code omitted
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("angular")
.secret(passwordEncoder().encode("the_secret"))
.autoApprove(true)
.scopes("")
.authorizedGrantTypes("implicit", "password", "refresh_token")
.redirectUris("http://localhost:4200");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
endpoints.authenticationManager(manager)
.accessTokenConverter(new CustomJwtTokenEnchancer())
.tokenStore(tokenStore());
}
}
My CustomJwtTokenEnhancer will add some information about the user profiles:
public class CustomJwtTokenEnhancer extends JwtAccessTokenConverter {
//extra code omitted
@Override
public OAuth2AccessToken enhance(
OAuth2AccessToken accessToken,
OAuth2Authentication auth) {
final Map<String, Object> additionalInfo = new HashMap<>();
additionalInfo.put("profiles", authService.getProfiles(auth.getName()));
additionalInfo.put("activeProfile", authService.getActiveProfile(auth.getName()));
((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
return super.enhance(accessToken, authentication);
}
}
The token generation is ok but the redirect URI will have all the extra information as parameters:
localhost:4200/#access_token={token}&token_type=bearer&expires_in=21599&scope=&profiles=%5B200022032,%201786154,%201616954,%201666754%5D&activeProfile=1666754&jti=e0677289-94a5-47da-a00e-b63c3d4c0598
This is a problem because some users have a lot of profiles and due to these cases I needed to increase the max-http-header-size.
As it is duplicated information I would really like to omit it from the URI. Is there any way to achieve that?
