
I'm new to Spring Boot and Spring Security. I have a microservice project using Spring Boot, and in my gateway app I use OAuth2 for authentication. The authentication provider is from my organization and it is an OIDC implementation.

I'm using the OAuth2 resource server to authenticate the bearer token, by configuring the issuer-uri and jwk-set-uri properties.

  • spring-boot-starter-web => 2.6.7
  • spring-boot-starter-oauth2-resource-server => 2.6.7
  • spring-security => 5.6.3

application.properties

spring.security.oauth2.resourceserver.jwt.issuer-uri=https://<org-auth-url>.com
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://<org-auth-url>/<jwk-uri>

With just the above configuration, the authentication works fine, so I have not added any Security Config class either. But for authorization and other processing, like getting user data in a Controller, I need the user information and AD group details.

I have the user information endpoint URL, and when I test it in the Postman client, the response contains the user information along with the AD groups.

How to get the User details for Authorization?

  • I am not sure I understand correctly, but can you use SecurityContext.getContext() to get the user data? – Loading Oct 14 '22 at 17:13
  • @Loading Not the complete data that's coming from the userinfo endpoint. –  Nov 07 '22 at 11:18

1 Answer


Ok.

You've already added the required URI. Good.

Now you need to add some configuration:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class OAuth2ResourceServerSecurityConfiguration {

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    String jwkSetUri;

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {

        http
                .authorizeHttpRequests((authorize) -> authorize
                        ///// add your own requestMatchers here, before anyRequest() /////
                        .anyRequest().authenticated()
                )
                // treat incoming Bearer tokens as JWTs and validate them with the JwtDecoder bean below
                .oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);

        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // verifies the signature against the JWK set and the exp/nbf claims;
        // the "iss" claim is not checked unless a validator from JwtValidators is set as well
        return NimbusJwtDecoder.withJwkSetUri(this.jwkSetUri).build();
    }

}

Now you should be able to receive the JWT claims in your controllers with the @AuthenticationPrincipal annotation.

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class YourController {

    @GetMapping("/")
    public String doAnything(@AuthenticationPrincipal Jwt jwt) {
        // "sub" claim of the validated token; any other claim is available via jwt.getClaim("...")
        return jwt.getSubject();
    }
}

Please add more info and I'll try to explain it better :-)

==== UPD ====

A really useful official manual on this.

Official code samples

Viktor Born
  • Hello, thank you. And sorry for the delayed response, as I had to put this task on hold. With this I'm able to get the subject. But how about the custom attributes that are coming from the user info endpoint? In my custom user info endpoint, the AD group is part of an attribute called *memberOf* and is an array. Similarly there are other custom attributes I want to get. Is there any way to get them other than calling the REST URL directly? –  Nov 07 '22 at 10:09
  • It depends on the claims inside the token. If the identity provider puts this "memberOf" attribute into the claims, you can parse it on the backend. If not, it's better to set up the identity provider to put the authorities (user groups/roles) into the token claims. – Viktor Born Nov 07 '22 at 20:42
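The approach Viktor's last comment describes (groups carried in the token claims, parsed on the backend), worked through as an added example. This is not code from the answer or from the Spring project. It assumes the identity provider puts the AD groups into the access token under the `memberOf` claim named in the question, a Java 11+ runtime, and the same Spring Boot 2.6 / Spring Security 5.6 versions the question lists; the package, the class names, the `/admin/**` path and the `gateway-admins` group name are constructed. Compared with the answer's decoder it also validates the `iss` claim against the configured issuer, and the controller shows that both the raw claim and the derived authorities are available for authorization:

```java
// Hypothetical package and class names; added example, not from the answer above.
package com.example.gateway.security;

import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class GroupClaimResourceServerConfig {

    // Claim the question says carries the AD groups as an array (assumed to be in the access token).
    static final String GROUP_CLAIM = "memberOf";
    // Prefix so group-derived authorities cannot be confused with scopes or roles.
    static final String GROUP_PREFIX = "GROUP_";

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    String issuerUri;

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    String jwkSetUri;

    // Turns the memberOf array into authorities; a token without the claim gets none.
    static Collection<GrantedAuthority> groupsToAuthorities(Jwt jwt) {
        List<String> groups = jwt.getClaimAsStringList(GROUP_CLAIM);
        if (groups == null) {
            return List.of();
        }
        return groups.stream()
                .map(g -> new SimpleGrantedAuthority(GROUP_PREFIX + g))
                .collect(Collectors.toList());
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        // Replaces the default converter, so SCOPE_* authorities from "scope"/"scp" are no longer produced.
        converter.setJwtGrantedAuthoritiesConverter(GroupClaimResourceServerConfig::groupsToAuthorities);
        return converter;
    }

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        // Default validation covers signature and exp/nbf only; this additionally rejects
        // tokens whose "iss" claim does not match the configured issuer.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
        return decoder;
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            JwtAuthenticationConverter converter) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
                        // "/admin/**" and the group name are constructed for this example
                        .antMatchers("/admin/**").hasAuthority(GROUP_PREFIX + "gateway-admins")
                        .anyRequest().authenticated())
                .oauth2ResourceServer(oauth2 -> oauth2
                        .jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}

// Shows that the raw claim and the derived authorities are both available in a controller.
@RestController
class WhoAmIController {

    @GetMapping("/me")
    public Map<String, Object> me(JwtAuthenticationToken auth) {
        Jwt jwt = auth.getToken();
        List<String> groups = jwt.getClaimAsStringList(GroupClaimResourceServerConfig.GROUP_CLAIM);
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("subject", jwt.getSubject());
        body.put("groups", groups == null ? List.of() : groups);
        body.put("authorities", auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).collect(Collectors.toList()));
        return body;
    }
}
```

Because the resource server only ever sees the bearer token, nothing here calls the userinfo endpoint; if the provider does not include the groups in the token, the comment's advice to configure the provider to do so is the path that keeps the gateway stateless.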