Tags: java, spring-boot, authentication, spring-security, spring-security-oauth2

Spring Boot client server authentication and authorization with JWT


The application needs to be authenticated and authorized by SSO. All the required information is present in the JWT, but I'm not sure if this is the correct approach, as OAuth2LoginAuthenticationToken is null.

The client server's WebSecurityConfigurerAdapter is as follows:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        // CSRF protection is switched off for the whole application
        http.csrf().disable();

        http.antMatcher("/**").authorizeRequests()
            .antMatchers("/", "/login**").permitAll()
            .anyRequest().authenticated()
            .and()
            .oauth2Login()
            .and()
            // Registers the custom provider in addition to the default
            // OAuth2LoginAuthenticationProvider that oauth2Login() installs
            .authenticationProvider(
                new OfficeUserAuthProvider()
            );
    }
}

and OfficeUserAuthProvider is as follows:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;

public class OfficeUserAuthProvider implements AuthenticationProvider {

    private static final Logger logger = LoggerFactory.getLogger(OfficeUserAuthProvider.class);

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {

        // At this point the token is still the unauthenticated login request
        // (Authenticated=false, Principal=null in the log output below): no
        // provider has exchanged the authorization code yet, so no principal exists.
        OAuth2LoginAuthenticationToken auth = (OAuth2LoginAuthenticationToken) authentication;

        logger.info("{}", authentication);

        // TODO Auto-generated method stub
        // Returning null tells ProviderManager this provider cannot decide,
        // so the next provider that supports this token type is tried.
        return null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        logger.info("{}", OAuth2LoginAuthenticationToken.class.isAssignableFrom(authentication));
        return OAuth2LoginAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

The output from logger.info("{}", authentication); is:

22-01-31 Mon 01:25:15.700 INFO  c.t.s.config.OfficeUserAuthProvider      Java : 27    : OAuth2LoginAuthenticationToken [Principal=null, Credentials=[PROTECTED], Authenticated=false, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=FF16A2C206F66F021109D86C4997F8F6], Granted Authorities=[]]

The decoded JWT received from the authorization server is:

{
  "dateTime": 1643570398335,
  "aud": [
    "documentRepository"
  ],
  "user_name": "admin",
  "enable": true,
  "scope": [
    "read",
    "write"
  ],
  "exp": 1643572198,
  "department": null,
  "authorities": [
    "ROLE_ADMIN_USER",
    "ROLE_OFFICE_USER"
  ],
  "jti": "bbc551c4-31ec-4744-bc92-c051f5c08719",
  "client_id": "appXXXX"
}

and the application.properties of the client server is:

spring.security.oauth2.client.registration.xyz.client-id=appXXXX
spring.security.oauth2.client.registration.xyz.client-secret=passXXXXX
spring.security.oauth2.client.registration.xyz.client-name=app
spring.security.oauth2.client.registration.xyz.scope=read, write
spring.security.oauth2.client.registration.xyz.provider=xyz-sso
spring.security.oauth2.client.registration.xyz.redirect-uri=http://localhost:8081/login/oauth2/code/
spring.security.oauth2.client.registration.xyz.client-authentication-method=post
spring.security.oauth2.client.registration.xyz.authorization-grant-type=authorization_code

spring.security.oauth2.client.provider.xyz-sso.authorization-uri=http://modern-14-b4mw:8080/oauth/authorize
spring.security.oauth2.client.provider.xyz-sso.token-uri=http://modern-14-b4mw:8080/oauth/token

Solution

  • Had to improvise and implemented a REST endpoint for the Principal, /user/me, in the SSO.

    In the client application.properties I added:

    spring.security.oauth2.client.provider.xyz-sso.user-info-uri=http://modern-14-b4mw:8080/api//user/me
    spring.security.oauth2.client.provider.xyz-sso.user-name-attribute=name
    

    With the above update I was able to get an OAuth2AuthenticationToken.
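As an added example (not code from the question or the answer): once the client fetches /user/me as in the solution, the ROLE_ADMIN_USER and ROLE_OFFICE_USER authorities from the token can be made usable in hasRole() with a GrantedAuthoritiesMapper. It assumes the /user/me JSON carries an "authorities" array next to "name", either as plain strings or as the {"authority": "ROLE_X"} objects Jackson produces when a Principal holding GrantedAuthority objects is serialised; the class name and that JSON shape are assumptions.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

// Added example, not code from the question or answer. Class name is hypothetical.
@Configuration
public class UserInfoAuthoritiesConfig {

    // OAuth2LoginConfigurer picks up a GrantedAuthoritiesMapper bean automatically; it can
    // also be set explicitly with http.oauth2Login().userInfoEndpoint().userAuthoritiesMapper(...)
    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new LinkedHashSet<>();
            for (GrantedAuthority authority : authorities) {
                mapped.add(authority); // keep ROLE_USER and SCOPE_read/SCOPE_write Spring already granted
                if (authority instanceof OAuth2UserAuthority) {
                    // attributes = JSON body returned by user-info-uri (/user/me), keyed as in the response
                    Map<String, Object> attrs = ((OAuth2UserAuthority) authority).getAttributes();
                    mapped.addAll(rolesFromUserInfo(attrs));
                }
            }
            return mapped;
        };
    }

    // Reads the "authorities" array. Assumed shapes: ["ROLE_X"] or [{"authority":"ROLE_X"}].
    static Collection<GrantedAuthority> rolesFromUserInfo(Map<String, Object> attrs) {
        Set<GrantedAuthority> roles = new LinkedHashSet<>();
        Object raw = attrs.get("authorities");
        if (!(raw instanceof Collection)) {
            return roles; // no claim: grant nothing extra rather than guess
        }
        for (Object item : (Collection<?>) raw) {
            Object name = item instanceof Map ? ((Map<?, ?>) item).get("authority") : item;
            // accept only well-formed role names from the remote response; drop anything else
            if (name instanceof String && ((String) name).matches("ROLE_[A-Z0-9_]+")) {
                roles.add(new SimpleGrantedAuthority((String) name));
            }
        }
        return roles;
    }
}
```

With this in place, .antMatchers("/office/**").hasRole("OFFICE_USER") in the SecurityConfiguration above works against the roles the SSO issued, while users whose /user/me response lacks the claim get only the default authorities.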