
I want to implement Spring Boot Project with Angular 9 based on OAuth2 for security. The problem which is not clear for me is what is the best way to get the user role after user authentication. I found 2 ways:

  1. Add a property to the response payload after the user is authenticated using OAuth2:

    {
      "access_token": "wdwdw",
      "token_type": "bearer",
      "refresh_token": "wdwdwdwd",
      "expires_in": 4,
      "scope": "read",
      "role": [
        "ROLE_ADMIN"
      ],
      "jti": "wfwfe"
    }
    
  2. The second way is to use a second API call to oauth/check_token in order to get the role:

$ curl localhost:8080/oauth/check_token/?token=fc9e4ad4-d6e8-4f57-b67e-c0285dcdeb58

{
  "scope": [
    "read",
    "write"
  ],
  "active": true,
  "exp": 1544940147,
  "authorities": [
    "ROLE_USER"
  ],
  "client_id": "ger-client-id"
}

I'm interested in which of the two ways is better in terms of security and best practices.

Peter Penzov

2 Answers


I'll go for the first way in case you need to control the routing and module loading based on user authorities, so you don't need to fire a new request just to find the authorities.

Samir Ghoneim
  • Thank you for the reply. There is one more case which needs to be covered. I want, when I change the user profile role in the DB, to apply this change also on the Angular side. It looks like for every request I need to get the user role in order to be able to change it dynamically. How did you implement such a case? – Peter Penzov Jul 23 '20 at 08:33
  • In this case you may invalidate the access token by adding it to a blacklist to force the user to log in again – Samir Ghoneim Jul 24 '20 at 15:14
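The first approach, plus the re-login handling discussed in the comments, as an added client-side example (not code from the question or the answers). It assumes the token endpoint returns the JSON shape shown in the question, that the role is used in Angular only to decide routing, and that the Spring backend still checks authorities on every request; the sample responses are constructed placeholders.

```typescript
// Added example (not from the question/answers). Assumes the token endpoint returns
// the shape in the question; roles drive client routing only, the backend enforces.
interface TokenResponse {
  access_token: string; token_type: string; refresh_token?: string;
  expires_in: number; scope: string; jti?: string;
  role?: string[];                 // custom property the server adds (approach 1)
}
interface IntrospectionResponse {  // /oauth/check_token response (approach 2)
  active: boolean; exp?: number; scope?: string[]; client_id?: string;
  authorities?: string[];
}
interface Session { accessToken: string; roles: string[]; expiresAt: number; }

// Constructed samples mirroring the question (placeholder tokens, not real ones).
const SAMPLE_TOKEN: TokenResponse = {
  access_token: "wdwdw", token_type: "bearer", refresh_token: "wdwdwdwd",
  expires_in: 4, scope: "read", role: ["ROLE_ADMIN"], jti: "wfwfe",
};
const SAMPLE_INTROSPECTION: IntrospectionResponse = {
  scope: ["read", "write"], active: true, exp: 1544940147,
  authorities: ["ROLE_USER"], client_id: "ger-client-id",
};

// Build the client session from the token response; a missing "role" property
// means no roles (never a default role). expiresAt is epoch milliseconds.
function sessionFromTokenResponse(res: TokenResponse, nowMs: number): Session {
  return { accessToken: res.access_token, roles: res.role ?? [],
           expiresAt: nowMs + res.expires_in * 1000 };
}

// Roles from an introspection response; an inactive (revoked/expired) token grants none.
function rolesFromIntrospection(res: IntrospectionResponse): string[] {
  return res.active ? res.authorities ?? [] : [];
}

// Route-guard decision: unexpired session holding one of the required roles.
// This gates navigation only; the backend still checks authorities per request.
function canActivate(session: Session | null, required: string[], nowMs: number): boolean {
  if (session === null || session.expiresAt <= nowMs) return false;
  const roles = session.roles;
  return required.length === 0 || required.some(r => roles.includes(r));
}

// On a 401 (e.g. the token was blacklisted after the role changed in the DB, as the
// comments suggest) discard the session so the user must log in again.
function handleApiStatus(session: Session | null, status: number): Session | null {
  return status === 401 ? null : session;
}
```

The role list in the token response is convenient for a route guard, but the client must treat it as a hint: a revoked or blacklisted token will be rejected by the server regardless of what the client cached.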

I'll prefer the first way; whatever the security credentials are, they will be passed as object properties and you can use them.

Harishbn