
I have a claim named user_name within my JWT and also the corresponding user-name-attribute set to user_name in the Spring Security OAuth2 client provider property:

spring.security.oauth2.client.provider.my-oauth-provider.user-name-attribute=user_name

I can also see this property is properly being read by the ReactiveClientRegistrationRepository class (ClientRegistration.ProviderDetails.UserInfoEndpoint). But when I read SecurityContextHolder.getContext().getAuthentication().getName() on the Resource Server I can see the value taken from the (default) sub claim - IdTokenClaimNames.SUB.

Why is that? Am I still missing some additional configuration on the resource server side to have the specified user-name-attribute taken and returned by SecurityContextHolder.getContext().getAuthentication().getName() on the Resource Server? I understand that only the Bearer token (and maybe some cookies) is being sent from the client to the resource server, so maybe some other filter is also needed on the Gateway/client side - just guessing?

m52509791

1 Answer

The reason is that you are using a property prefixed with security.oauth2.client, which is intended for OAuth 2.0 Clients.

In Spring Security 5.2.x, there is no Spring Boot property to indicate a user name attribute to Resource Server, e.g. security.oauth2.resourceserver.xyz

You could publish your own Converter to the DSL, though:

JwtAuthenticationConverter converter = new JwtAuthenticationConverter();

http
    .oauth2ResourceServer()
        .jwt()
            .jwtAuthenticationConverter(jwt -> {
                // convert() is declared to return AbstractAuthenticationToken in 5.2,
                // so a cast is needed to reach getToken()
                JwtAuthenticationToken authentication = (JwtAuthenticationToken) converter.convert(jwt);
                // the third constructor argument becomes Authentication.getName();
                // replace "claim" with the claim you want, e.g. "user_name"
                return new JwtAuthenticationToken(authentication.getToken(),
                        authentication.getAuthorities(), jwt.getClaim("claim"));
            });
jzheaux
    Thanks for your answer - just added casting to `JwtAuthenticationToken` and it works fine. I added further thoughts on that issue on https://github.com/spring-projects/spring-security/issues/7757 mostly around the idea of having `spring.security.oauth2.resourceserver.jwt.user-name-attribute` also on the resourceserver side so it is being handled automatically with a kind of consistency on both (client and resource server) ends. Thanks again! – m52509791 Dec 20 '19 at 06:57
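The full resource-server configuration that the answer sketches, written out as an added example (not code from the answer or from Spring Security): a Converter bean that keeps Spring Security 5.2's default scope-to-authority mapping and only swaps the principal name. The property name app.jwt.user-name-attribute is an assumption standing in for the resource-server property that Spring Boot 2.2 does not define; the converter falls back to sub when the configured claim is absent, so a token without user_name still produces a principal with a non-null name rather than one that is accepted but unidentifiable in audit logs.

```java
import java.util.Collection;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Assumed property name (not a Spring Boot property): which JWT claim becomes
    // Authentication.getName(). Defaults to "sub", the value Spring Security uses anyway.
    @Value("${app.jwt.user-name-attribute:sub}")
    private String userNameAttribute;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(userNameJwtAuthenticationConverter())));
    }

    @Bean
    public Converter<Jwt, AbstractAuthenticationToken> userNameJwtAuthenticationConverter() {
        // Reuse the stock "scope"/"scp" -> SCOPE_xxx mapping so authorities stay unchanged.
        JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();
        return jwt -> {
            Collection<GrantedAuthority> authorities = authoritiesConverter.convert(jwt);
            // Prefer the configured claim; fall back to "sub" if the token lacks it.
            String name = jwt.getClaimAsString(userNameAttribute);
            if (name == null || name.isEmpty()) {
                name = jwt.getSubject();
            }
            // The third argument is what SecurityContextHolder...getAuthentication().getName() returns.
            return new JwtAuthenticationToken(jwt, authorities, name);
        };
    }
}
```

With app.jwt.user-name-attribute=user_name in application.properties, getAuthentication().getName() on the resource server returns the user_name claim, while the JWT itself is still validated by the normal JwtDecoder before this converter ever runs; the converter only decides how an already-verified token is represented as an Authentication.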