Search code examples
springspring-securityoktaspring-oauth2

How to ensure make my custom OidcUserService called over the default?

tl;dr: why isn't my OidcUserService despite being registered?

I am trying to use my own OAuth2UserService by registering it as documented in the Spring Security documentation.

However, when I put a breakpoint on the OidcUserService.loadUser(OidcUserRequest)](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserService.html#loadUser-org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest-) method, it keeps hitting the com.okta.spring.boot.oauth.OktaOidcUserService instead! I am using com.okta.spring:okta-spring-boot-parent:1.2.2-SNAPSHOT which may be the problem?

I register my OidcUserService like documented:

@SpringBootApplication
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class RedirectCodeFlowApplication {

    public static void main(String[] args) {
        SpringApplication.run(RedirectCodeFlowApplication.class, args);
    }

    @Configuration
    static class WebConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            final OidcUserService delegate = new OidcUserService();

            http.authorizeRequests().anyRequest().authenticated()
                .and()
                .oauth2Login()
                .userInfoEndpoint()
                .oidcUserService( (userRequest) -> {
                        System.out.println( "!!xXx!! never gets here" );

                        OidcUser oidcUser = delegate.loadUser(userRequest);

                        OAuth2AccessToken accessToken = userRequest.getAccessToken();
                        Set<GrantedAuthority> mappedAuthorities = new HashSet<>();

                        oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());

                        return oidcUser;
                    })
            ;
        }

and the method I'm calling is simple:

@RestController
public class WelcomeController {

    @GetMapping("/")
    public Welcome getMessageOfTheDay(Principal principal) {
        return "The message of the day is boring.";
    }
}

This is all adapted from: https://github.com/okta/okta-spring-boot/blob/master/examples/redirect-code-flow/src/main/java/com/okta/spring/example/RedirectCodeFlowApplication.java

Solution

  • This is a known issue: https://github.com/okta/okta-spring-boot/issues/136 (and still open as: https://github.com/okta/okta-spring-boot/issues/160 )

    This was a work around used to deal with how HttpSecurity and HttpConfigurer are loaded.

    I'm not 100% sure we can work around this, but, it would be easy to expose a way to add custom GrantedAuthority.

    I'm going to look into the former again, but as a last resort can you confirm you are trying to set custom GrantedAuthority?