
I am implementing a custom auth server using Spring's new authorization server. Our need was to implement a CustomAccessTokenResponseHandler for providing additional information in the HTTP JSON response. I have achieved that by implementing AuthenticationSuccessHandler and overriding the onAuthenticationSuccess method to add some extra user information. Also being used in the configuration are a custom authentication grant type (authentication converter, provider and token) and a TokenCustomizer to add extra claims to the token. The issue is wrt the refresh token, i.e. when providing the grant type as refresh token and requesting a new access token, as I am not providing a username and password, the token is still getting generated if I don't use the customResponseHandler but not without it. The problem now is that the authentication object contains the access token, but in its principal I cannot find the user details. I am at a loss trying to understand how the SecurityContext has the user information while creating the access token from the refresh token and where I will find those details. I just need the username to query the DB and fetch some extra information for it to provide in the response.

    @Transactional
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        // The token endpoint hands the success handler an OAuth2AccessTokenAuthenticationToken
        OAuth2AccessTokenAuthenticationToken accessTokenAuthentication =
                (OAuth2AccessTokenAuthenticationToken) authentication;
        // Its principal is the authenticated *client*, not the end user
        OAuth2ClientAuthenticationToken oAuth2ClientAuthenticationToken =
                (OAuth2ClientAuthenticationToken) accessTokenAuthentication.getPrincipal();
        // This cast only holds for the custom password grant; it fails for refresh_token (see below)
        CustomPasswordUser user = (CustomPasswordUser) oAuth2ClientAuthenticationToken.getDetails();
        // ... rest of the handler elided in the original post ...
    }

This piece of code is giving an error because `oAuth2ClientAuthenticationToken.getDetails()` now has the following structure:

    OAuth2ClientAuthenticationToken [Principal=eQCLrL7JVHw1GRzP, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[]]

`SecurityContextHolder.getContext().getAuthentication().getDetails()` returns `WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null]`.

P.S.: I can get the actual access token from the authentication, but I am working in parallel on creating a custom JWTEncoder using JWE, and I do not want to decode the token inside the authorization server, nor do I think it is the right approach.
dur
  • Have you looked at the `OAuth2AuthorizationService`? You can query for an `OAuth2Authorization` and get all the details of the user from the `refresh_token` in the `authentication` passed to you. If you would like additional help, please post a [minimal, reproducible sample](https://stackoverflow.com/help/minimal-reproducible-example) with some code that illustrates what you're trying to do and shows what you've tried so far. – Steve Riesenberg Jun 14 '23 at 14:38
  • Thank you very much. With your solution as a base and tweaking around some extra things, it finally worked. – Abhishek Mishra Jun 15 '23 at 17:28
  • Awesome! Glad you got it working. – Steve Riesenberg Jun 15 '23 at 18:08
  • I've added an answer in case it helps make it more official. – Steve Riesenberg Jun 15 '23 at 18:37

1 Answer

Take a look at the `OAuth2AuthorizationService`. You can query for an `OAuth2Authorization` and get all the details of the user from the `refresh_token` in the `authentication` passed to you.

Steve Riesenberg
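The following is an added example, not code from the question or from the answer above, showing one way to apply the answer's suggestion for both grant types at once. Instead of casting the client principal's details (which only works for the custom password grant), the handler resolves the end user from the persisted `OAuth2Authorization` via `OAuth2AuthorizationService.findByToken`, so the JWT is never decoded inside the authorization server. It assumes the custom password-grant provider saves an `OAuth2Authorization` with the user's name as principal name (as Spring Authorization Server expects of custom grants), Spring Boot 3 / Jakarta servlet imports, and a hypothetical `UserProfileLookup` standing in for the database query; the class name `CustomAccessTokenResponseHandler` is taken from the question.

```java
import java.io.IOException;
import java.time.temporal.ChronoUnit;
import java.util.LinkedHashMap;
import java.util.Map;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.http.MediaType;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AccessTokenAuthenticationToken;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class CustomAccessTokenResponseHandler implements AuthenticationSuccessHandler {

    /** Hypothetical DB lookup (assumption): username -> extra fields for the JSON response. */
    @FunctionalInterface
    public interface UserProfileLookup {
        Map<String, Object> forUsername(String username);
    }

    private final OAuth2AuthorizationService authorizationService;
    private final UserProfileLookup userProfileLookup;
    private final HttpMessageConverter<OAuth2AccessTokenResponse> converter =
            new OAuth2AccessTokenResponseHttpMessageConverter();

    public CustomAccessTokenResponseHandler(OAuth2AuthorizationService authorizationService,
            UserProfileLookup userProfileLookup) {
        this.authorizationService = authorizationService;
        this.userProfileLookup = userProfileLookup;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        OAuth2AccessTokenAuthenticationToken tokenAuth = (OAuth2AccessTokenAuthenticationToken) authentication;
        OAuth2AccessToken accessToken = tokenAuth.getAccessToken();
        OAuth2RefreshToken refreshToken = tokenAuth.getRefreshToken();

        // Resolve the end user from the stored authorization: the principal of tokenAuth is the
        // client (for refresh_token there is no user in the SecurityContext), and the JWT is not decoded.
        String username = resolvePrincipalName(tokenAuth);

        Map<String, Object> extra = new LinkedHashMap<>();
        if (tokenAuth.getAdditionalParameters() != null) {
            extra.putAll(tokenAuth.getAdditionalParameters());
        }
        extra.put("username", username);
        extra.putAll(userProfileLookup.forUsername(username));

        OAuth2AccessTokenResponse.Builder builder = OAuth2AccessTokenResponse
                .withToken(accessToken.getTokenValue())
                .tokenType(accessToken.getTokenType())
                .scopes(accessToken.getScopes())
                .additionalParameters(extra);
        if (accessToken.getIssuedAt() != null && accessToken.getExpiresAt() != null) {
            builder.expiresIn(ChronoUnit.SECONDS.between(accessToken.getIssuedAt(), accessToken.getExpiresAt()));
        }
        if (refreshToken != null) {
            builder.refreshToken(refreshToken.getTokenValue());
        }
        converter.write(builder.build(), MediaType.APPLICATION_JSON, new ServletServerHttpResponse(response));
    }

    /**
     * Look the authorization up by the refresh token when one was issued (as the answer suggests),
     * otherwise by the freshly issued access token. The provider persists the authorization before
     * the token endpoint filter invokes this success handler, so both lookups see the new tokens.
     */
    String resolvePrincipalName(OAuth2AccessTokenAuthenticationToken tokenAuth) {
        OAuth2Authorization authorization = null;
        if (tokenAuth.getRefreshToken() != null) {
            authorization = authorizationService.findByToken(
                    tokenAuth.getRefreshToken().getTokenValue(), OAuth2TokenType.REFRESH_TOKEN);
        }
        if (authorization == null) {
            authorization = authorizationService.findByToken(
                    tokenAuth.getAccessToken().getTokenValue(), OAuth2TokenType.ACCESS_TOKEN);
        }
        if (authorization == null) {
            throw new IllegalStateException("No stored OAuth2Authorization for the issued token");
        }
        // Defensive check: the stored authorization must belong to the client that just authenticated,
        // so user data is never attached to a response for a different client.
        if (!authorization.getRegisteredClientId().equals(tokenAuth.getRegisteredClient().getId())) {
            throw new IllegalStateException("Authorization does not belong to the authenticated client");
        }
        return authorization.getPrincipalName();
    }
}
```

Register the handler with `OAuth2AuthorizationServerConfigurer.tokenEndpoint(t -> t.accessTokenResponseHandler(handler))`. The response is still written through Spring's own `OAuth2AccessTokenResponseHttpMessageConverter`, so the standard `access_token`, `token_type`, `expires_in` and `refresh_token` fields keep their RFC 6749 shape and only the extra fields are appended; anything placed in the additional parameters becomes visible to the client, so only put there what the client is entitled to see.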