
Our app is currently set up with OAuth/OpenID Connect authentication against an external (third-party) server. The requirement is to use a user details service that loads the user from LDAP (along with the authorities/roles) to complete the authentication. So authentication.getPrincipal() should return the custom UserDetails object we use, which gets generated by querying LDAP with the username obtained from the OpenID authentication.

I have tried the following:

  • Followed Similar Issue, but it seems like in the answer it's setting up the server side, and it doesn't work either
  • Tried adding a custom UserDetailsService in WebSecurityConfig:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    public class OAuth2Config extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // the UserDetailsService registered here is picked up by DaoAuthenticationProvider,
            // not by the OAuth2 login provider; myCustomUserDetailsService() is defined elsewhere
            http.oauth2Login().and().userDetailsService(myCustomUserDetailsService());
        }
    }
    
    where myCustomUserDetailsService() handles the call to LDAP and fetches the user details, including the authorities.

I'm not too familiar with the Spring OAuth2 framework, so correct me if I'm wrong: I'm guessing I need to implement my own user info endpoint to make the call to LDAP, rather than use the user info endpoint provided to me by the OpenID service?

acroynon
akk202

2 Answers


You could add a new filter to the security filter chain right after that one. The second filter could retrieve the principal/name from the authentication and query for the user.

Like a two-step authentication.
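One way to build the second step this answer describes, as an added example that is not from the original post or from Spring Security itself. It assumes Spring Security 5.x with `WebSecurityConfigurerAdapter` (as in the question), an LDAP-backed `UserDetailsService` bean already available for injection, and that the IdP puts the login name in the standard `preferred_username` claim; the class names `LdapPrincipalFilter` and `OAuth2LdapConfig` are made up for the example. The filter is registered directly after `OAuth2LoginAuthenticationFilter`; on the first request after the OIDC callback it sees the `OAuth2AuthenticationToken` restored from the session, replaces it with a token whose principal is the LDAP `UserDetails`, and fails closed when LDAP does not know the user.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.web.filter.OncePerRequestFilter;

// Second step of the two-step authentication: swap the OIDC principal for the LDAP-backed UserDetails.
public class LdapPrincipalFilter extends OncePerRequestFilter {

    private final UserDetailsService ldapUserDetailsService; // assumed: an LDAP-backed bean

    public LdapPrincipalFilter(UserDetailsService ldapUserDetailsService) {
        this.ldapUserDetailsService = ldapUserDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        // Only a completed OIDC login is enriched. Once replaced, the context holds a
        // UsernamePasswordAuthenticationToken, so LDAP is queried once per session, not per request.
        if (current instanceof OAuth2AuthenticationToken && current.isAuthenticated()) {
            String username = usernameFrom(((OAuth2AuthenticationToken) current).getPrincipal());
            try {
                UserDetails ldapUser = ldapUserDetailsService.loadUserByUsername(username);
                // Authorities now come from LDAP, not from anything the identity provider asserted.
                UsernamePasswordAuthenticationToken enriched =
                        new UsernamePasswordAuthenticationToken(ldapUser, null, ldapUser.getAuthorities());
                enriched.setDetails(current.getDetails());
                SecurityContextHolder.getContext().setAuthentication(enriched);
            } catch (UsernameNotFoundException notInDirectory) {
                // Fail closed: a user the IdP knows but LDAP does not must not keep the IdP-only principal.
                SecurityContextHolder.clearContext();
                HttpSession session = request.getSession(false);
                if (session != null) {
                    session.invalidate();
                }
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "user not found in directory");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    // preferred_username is the usual OIDC login-name claim (assumed here); otherwise fall back to
    // the configured name attribute, which is "sub" by default.
    private static String usernameFrom(OAuth2User principal) {
        if (principal instanceof OidcUser) {
            String preferred = ((OidcUser) principal).getPreferredUsername();
            if (preferred != null) {
                return preferred;
            }
        }
        return principal.getName();
    }
}

@Configuration
class OAuth2LdapConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService ldapUserDetailsService;

    OAuth2LdapConfig(UserDetailsService ldapUserDetailsService) {
        this.ldapUserDetailsService = ldapUserDetailsService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and().oauth2Login()
            .and().addFilterAfter(new LdapPrincipalFilter(ldapUserDetailsService),
                                  OAuth2LoginAuthenticationFilter.class);
    }
}
```

Two points worth checking in your own setup: the filter runs after `SecurityContextPersistenceFilter`, so the enriched token is written back to the session at the end of the request and `authentication.getPrincipal()` is the LDAP `UserDetails` from then on; and because the token type changes, anything that tests for `OAuth2AuthenticationToken` later in the chain (for example the OIDC logout success handler) no longer matches, so keep that in mind if you rely on it.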


Not as clean as I hoped, but I registered an application listener on InteractiveAuthenticationSuccessEvent and manually updated the authentication after login (similar to this post's answer: https://stackoverflow.com/a/10747856/11204609).

Does anyone have better suggestions?

UPDATE: The identity provider agreed to include LDAP info in their claims, so I can obtain it directly from the token without having to do a callback (still an ongoing discussion at the moment). That being said, having an auth success callback app listener is the only way I could solve the problem.

akk202
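The listener approach from this answer, written out as an added example (not the poster's code and not part of Spring Security). It assumes the same things as before: Spring Security 5.x, an LDAP-backed `UserDetailsService` bean to inject, and the login name in the `preferred_username` claim; `LdapLoginSuccessListener` is a made-up name. `InteractiveAuthenticationSuccessEvent` is published by the login filter on the request thread right after it has put the `OAuth2AuthenticationToken` into the `SecurityContextHolder` and before the response is committed, so replacing the context's authentication here is what ends up saved to the session.

```java
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.stereotype.Component;

// Runs synchronously on the request thread when an interactive login succeeds.
@Component
public class LdapLoginSuccessListener implements ApplicationListener<InteractiveAuthenticationSuccessEvent> {

    private final UserDetailsService ldapUserDetailsService; // assumed: an LDAP-backed bean

    public LdapLoginSuccessListener(UserDetailsService ldapUserDetailsService) {
        this.ldapUserDetailsService = ldapUserDetailsService;
    }

    @Override
    public void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        if (!(auth instanceof OAuth2AuthenticationToken)) {
            return; // form login, remember-me and similar are left alone
        }
        OAuth2User principal = ((OAuth2AuthenticationToken) auth).getPrincipal();
        // preferred_username is assumed to carry the LDAP login name; "sub" is the fallback.
        String username = principal instanceof OidcUser && ((OidcUser) principal).getPreferredUsername() != null
                ? ((OidcUser) principal).getPreferredUsername()
                : principal.getName();

        UserDetails ldapUser;
        try {
            ldapUser = ldapUserDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException notInDirectory) {
            // Fail closed. A listener has no access to the response, so the best it can do is
            // drop the IdP-only authentication; the user then lands on the success URL unauthenticated.
            SecurityContextHolder.clearContext();
            return;
        }

        // From here on authentication.getPrincipal() is the LDAP UserDetails with LDAP authorities.
        UsernamePasswordAuthenticationToken enriched =
                new UsernamePasswordAuthenticationToken(ldapUser, null, ldapUser.getAuthorities());
        enriched.setDetails(auth.getDetails());
        SecurityContextHolder.getContext().setAuthentication(enriched);
    }
}
```

This only works while the event is delivered synchronously (the default multicaster); if events are dispatched on another thread, `SecurityContextHolder` is no longer the request's context and the replacement is silently lost. The lack of a response to write to is also why the "not found in LDAP" case is cruder here than it can be in a filter.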