Search code examples
springrestspring-securityoauthsingle-sign-on

How to extract authentication token in @Controller

I have Spring Boot app that uses OAuth 2.0 and Authorization Server. When I try to access a secured page, I get a redirect to the login page of my authorization server (Blitz Identity Provider) and everything works like it should.

My problem is that I can't extract authorization token in @Controller (on the secured page). That token I want to use later to authorize in second application.

  • Tried this thing (in answer) and it worked, I got my token back, but as you can see, it's a hardcode of username and password parameters and it's like login over login -- I don't need to login for a second time (on authenticated page).
  • Tried to output authentication.getDetails(), it shows token type and token like < TOKEN >, but it's not enough.
  • Tried to lookup token in request-response headers, but didn't find it, so authorization server doesn't send it in headers.

Here are 2 files which can help you to understand some part of my context.

application.yml

server:
  port: 8080
  context-path: /
  session:
    cookie:
      name:FIRSTSESSION
security:
  basic:
    enabled: false
  oauth2:
    client:
      clientId: test_id
      clientSecret: f3M5m9a2Dn0v15l
      accessTokenUri: http://server:9000/blitz/oauth/te
      userAuthorizationUri: http://server:9000/blitz/oauth/ae?scope=test_scope
    resource:
      userInfoUri: http://server:9000/blitz/oauth/me
logging:
  level:
    org.springframework.security: DEBUG

SsoController.java

@EnableOAuth2Sso
@Controller
public class SsoController {

    @RequestMapping("/secondService")
    public String getContent(HttpServletRequest request, Model model) {

        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        model.addAttribute("submittedValue", authentication.getDetails());
        return "secondService";
    } 
}

So, what you can suggest? How can I extract authorization token in this case?

Solution

  • If you have configured oauth2 authorization/resource server you can try below code:

    @Autowired
private TokenStore tokenStore;

@RequestMapping(method = { RequestMethod.POST, RequestMethod.GET },
                value = "/oauth/me")
public Map<String, Object> userInfo (OAuth2Authentication auth)
{
    final OAuth2AuthenticationDetails details = 
        (OAuth2AuthenticationDetails) auth.getDetails();

    //token
    String accessToken = details.getTokenValue();

    //reference
    final OAuth2AccessToken accessToken = 
        tokenStore.readAccessToken(details.getTokenValue());

   // clientid
    String clientId = auth.getOAuth2Request().getClientId();
}

    Hope it helps!