I have a SaaS server with a microservice architecture. Authentication is done by the new Spring Authorization Server. For some domain situations, I want to be able to re-issue a JWT for a logged-in user, without forcing the user to enter their password again, in order to enrich their token with additional claims.

Having: Logged-in user with claim set A.

Required: Create a new token for the user with claim set B. (Without user intervention)

I'm looking for something like this:

    import org.springframework.security.core.Authentication;
    import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
    import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
    import org.springframework.web.bind.annotation.PostMapping;

    @PostMapping("/renew")
    public Authentication token() {
        // Re-authenticate the caller's current bearer token. This only validates the
        // existing JWT; it does not mint a new token with different claims.
        return jwtAuthenticationProvider.authenticate(
                new BearerTokenAuthenticationToken(JwtUtil.getCurrentAuthenticationTokenValue())
        );
    }

Where JwtUtil.getCurrentAuthenticationTokenValue() extracts the logged-in user's token value from SecurityContextHolder. This setup creates no new token and returns the old one, as if no authentication process had been triggered.

But I cannot find a function/service that generates a new token in spring authorization server.

PS. I cannot use a refresh token to get a new access token because my client is public and, according to this, a refresh token is only issued for confidential clients.

Ahmad Jahanbin

1 Answer

You can read about OAuth2TokenCustomizer in the docs. Here's an example of customizing the access token:

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
    import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
    import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer() {
        // Invoked by the authorization server every time it encodes a JWT;
        // the token type check keeps the extra claims out of the id_token.
        return (context) -> {
            if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                context.getClaims().claims((claims) -> {
                    claims.put("claim-1", "value-1");
                    claims.put("claim-2", "value-2");
                });
            }
        };
    }

In your case, you could issue a new request to the authorization endpoint (e.g. GET /oauth2/authorize?...) from the client to begin the authorization_code flow with different scopes or additional request parameters and use the customizer to add whatever claims you need. Based on the information you've provided, this would be the recommended way to use the authorization server to issue new tokens.

Adding custom endpoints to perform OAuth2-related actions (such as a custom /renew endpoint) without incorporating best practices and standards from the specification(s) would not be recommended.

Steve Riesenberg
  • Thank you, Steve, for your answer, but my main concern is that I want to enrich the token without user intervention. I don't want to force the user to log in again (UX issues). I know that with a complete re-login, new claims would be issued. – Ahmad Jahanbin Jul 06 '22 at 05:35
  • If the user has a session, they will not be required to log in. Without a session or login, and without consent, the user (who is a resource owner) has not agreed to give your client access to whatever resources the new token would grant. I think then that your best bet here would be to enrich the token the first time it's issued instead of requiring re-issue. – Steve Riesenberg Jul 06 '22 at 14:25
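The following is an added example, not code from the question, the answer or Spring Authorization Server itself. It carries the answer's advice (enrich the access token when it is issued, and let a second authorization_code request with extra scopes run on the user's existing session rather than a custom /renew endpoint) through to a customizer that derives claims from the authenticated principal and the scopes that were actually authorized. The `TenantDirectory` interface, the `billing` scope and the claim names `roles`, `tenant` and `billing_account` are assumptions for illustration; the Spring types and their package paths are those of Spring Authorization Server 0.3.x/1.x.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class AccessTokenClaimsConfig {

    // Hypothetical application lookup for the domain data the token should carry.
    // Not part of Spring Authorization Server; implement it against your own store.
    public interface TenantDirectory {
        String tenantOf(String username);
        String billingAccountOf(String username);
    }

    private final TenantDirectory tenantDirectory;

    public AccessTokenClaimsConfig(TenantDirectory tenantDirectory) {
        this.tenantDirectory = tenantDirectory;
    }

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> accessTokenClaimsCustomizer() {
        return context -> {
            // Only enrich access tokens; the id_token and refresh token are left alone.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }

            // The resource owner who authenticated during the authorization_code flow.
            // On a repeat /oauth2/authorize request this comes from the existing session,
            // so no password prompt is needed.
            Authentication principal = context.getPrincipal();
            String username = principal.getName();

            // Scopes the client was actually granted (after any consent step), not
            // merely the ones it asked for.
            Set<String> authorizedScopes = context.getAuthorizedScopes();

            List<String> roles = principal.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .collect(Collectors.toList());

            context.getClaims().claims(claims -> {
                claims.put("roles", roles);                                   // assumed claim name
                claims.put("tenant", tenantDirectory.tenantOf(username));     // assumed claim name

                // Sensitive data is gated on an authorized scope: a token obtained
                // without the "billing" scope never carries it, so the client cannot
                // widen its own access without going back through the authorization endpoint.
                if (authorizedScopes.contains("billing")) {                   // assumed scope name
                    claims.put("billing_account", tenantDirectory.billingAccountOf(username));
                }
            });
        };
    }
}
```

With this in place, the public client that needs claim set B sends a second authorization request (with PKCE, and `scope=openid billing` or whatever scope set B corresponds to); the authorization server reuses the user's session for authentication, and whether a consent screen appears is governed by the client's `ClientSettings.requireAuthorizationConsent` setting. The new access token is then minted by the server's normal token endpoint with the customizer applied, which is the spec-aligned path the answer recommends over a hand-rolled /renew endpoint that would re-sign claims without the resource owner's authorization.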