
I am using Spring-Boot and Spring Security with an OAuth2 login from a third party.

The SSO provider has an access token endpoint which returns the following JSON:

{
    "access_token": "CGjok",
    "refresh_token": "TSHO6E",
    "scope": "openid profile ",
    "id_token": "eyJ0eXAiOiJKV1QiLCg",
    "token_type": "Bearer",
    "expires_in": 7199,
    "nonce": "ImplicitFlowTest"
}

The login is working with the @EnableOAuth2Sso annotation as follows:

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableOAuth2Sso
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        // REST API requires the "Mitarbeiter" authority; public paths are open to everyone
        http.authorizeRequests().antMatchers("/restapi/**").hasAuthority("Mitarbeiter")
            .antMatchers("/login", "/static/**", "/", "/actuator/prometheus", "/error**", "/logout").permitAll()
            // Local logout: invalidate the session and clear the SSO, session and CSRF cookies
            .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).invalidateHttpSession(true)
            .deleteCookies("SMSESSION", "JSESSIONID", "XSRF-TOKEN").logoutSuccessUrl("/");

        // CSRF token stored in a cookie readable by the browser-side client
        http
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}

We are able to log out of the application, but we also want to send a request to the Authorization Server. To do so I need to access the token info endpoint.

Within my controllers I am able to see the Principal is getting the correct information from the user endpoint, but where in Spring Boot is the information from the accessToken endpoint stored? I have found the class OAuth2AccessToken but cannot figure out how to read it in a Spring controller. I can access the OAuth2Authentication by casting the Principal as expected.

The SSO authorization server has the following endpoint that I need to call:

/oauth2/connect/endSession?id_token_hint=<oidc-token>&post_logout_redirect_uri=<post-logout-redirect-uri>

The <oidc-token> placeholder refers to the value in the JSON from the access token endpoint. How can I access these values given my setup?

KennyBartMan

1 Answer

Read the token value from the Security Context:

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;

    /** Returns the bearer token value of the current authentication, or null if none is available. */
    public static String currentTokenValue() {
        String tokenValue = null;

        final Authentication authenticationObject = SecurityContextHolder.getContext().getAuthentication();
        if (authenticationObject != null) {
            final Object detailObject = authenticationObject.getDetails();
            if (detailObject instanceof OAuth2AuthenticationDetails) {
                // Details populated by the OAuth2 authentication filter carry the raw token string
                final OAuth2AuthenticationDetails details = (OAuth2AuthenticationDetails) detailObject;
                tokenValue = details.getTokenValue();
            } else if (detailObject instanceof OAuth2AccessToken) {
                // Some setups store the full access token object as the details
                final OAuth2AccessToken token = (OAuth2AccessToken) detailObject;
                tokenValue = token.getValue();
            } else {
                tokenValue = null;
            }
        }
        return tokenValue;
    }
Matthias
  • In our case the details object is an OAuth2AuthenticationDetails object and we can get the Bearer token from this but not the refresh token. Ideally we would have an OAuth2AccessToken but it seems our authentication object details is uncastable to this? Is there a way around this? – KennyBartMan Feb 10 '20 at 09:07
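The answer's `getDetails()` route only exposes the bearer token string. The full token response (refresh token and the extra `id_token` / `nonce` fields) is kept by the session-scoped `OAuth2ClientContext` bean that `@EnableOAuth2Sso` registers. The following is an added example, not code from the question or answer; the class name, the `END_SESSION_ENDPOINT` and `POST_LOGOUT_REDIRECT_URI` values are hypothetical placeholders, and it assumes the provider returns the JSON shown in the question.

```java
import java.util.Map;
import java.util.Optional;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.stereotype.Component;
import org.springframework.web.util.UriComponentsBuilder;

@Component
public class SsoLogoutSupport {

    // Placeholders (hypothetical): the provider's endSession URL and the redirect URI registered with it
    private static final String END_SESSION_ENDPOINT = "https://sso.example.invalid/oauth2/connect/endSession";
    private static final String POST_LOGOUT_REDIRECT_URI = "https://app.example.invalid/";

    // Session-scoped bean registered by @EnableOAuth2Sso; it keeps the whole token response
    @Autowired
    private OAuth2ClientContext oauth2ClientContext;

    /** The raw id_token from the token response, if the provider sent one. */
    public Optional<String> currentIdToken() {
        OAuth2AccessToken token = oauth2ClientContext.getAccessToken();
        if (token == null) return Optional.empty();
        // Fields outside the core OAuth2 response (id_token, nonce, ...) land in additionalInformation
        Map<String, Object> extra = token.getAdditionalInformation();
        Object idToken = extra == null ? null : extra.get("id_token");
        return Optional.ofNullable(idToken).map(Object::toString);
    }

    /** The refresh token value, if one was issued. */
    public Optional<String> currentRefreshToken() {
        OAuth2AccessToken token = oauth2ClientContext.getAccessToken();
        OAuth2RefreshToken refresh = token == null ? null : token.getRefreshToken();
        return Optional.ofNullable(refresh).map(OAuth2RefreshToken::getValue);
    }

    /** Builds the endSession URL; the redirect URI is a fixed constant, never taken from the request. */
    public String endSessionUrl(String idToken) {
        return UriComponentsBuilder.fromHttpUrl(END_SESSION_ENDPOINT)
                .queryParam("id_token_hint", idToken)
                .queryParam("post_logout_redirect_uri", POST_LOGOUT_REDIRECT_URI)
                .build().encode().toUriString();
    }
}
```

Call `currentIdToken()` before the local `/logout` handler runs, because invalidating the HTTP session (as the question's configuration does) discards the `OAuth2ClientContext` and the token with it.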