1-What is the difference between OAuth2AuthenticationToken and OAuth2Authentication?
2-In my spring boot client web application, I've used dependency "spring-boot-starter-oauth2-client" to implement (single sign on) sso with an authorization server, so the principal in the client application is OAuth2AuthenticationToken. Is that right?
3-I could not use @PreAuthorize(#oauth2.hasScope('xxx')) because it's working on OAuth2Authentication not on OAuth2AuthenticationToken, why? Buth When I've use @PreAuthorize(hasRole('SomeRole')), it's worked fine.
4-Here is an example of the authentication object (The Principal)
{
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"details": null,
"authenticated": true,
"principal": {
"authorities": [
{
"authority": "ROLE_USER",
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
}
}
],
"attributes": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "127.0.0.1",
"sessionId": null,
"tokenValue": "184dd32f-7c70-4bf5-9d7f-43c8d565f996",
"tokenType": "Bearer",
"decodedDetails": null
},
"authenticated": true,
"userAuthentication": {
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"details": {
"remoteAddress": "0:0:0:0:0:0:0:1",
"sessionId": "A9ADB8153471994D338F0FDEAF98FF07"
},
"authenticated": true,
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"credentials": null,
"name": "bob"
},
"principal": {
"enabled": true,
"password": null,
"username": "bob",
"dn": "uid=bob,ou=people,dc=springframework,dc=org",
"authorities": [
{
"authority": "ROLE_ADMINISTRATORS"
}
],
"accountNonLocked": true,
"credentialsNonExpired": true,
"accountNonExpired": true
},
"oauth2Request": {
"clientId": "demo",
"scope": [
"demo_scope"
],
"requestParameters": {
"code": "yymxbk",
"grant_type": "authorization_code",
"scope": "demo_scope",
"response_type": "code",
"state": "osBji_UdByl9XG5O4Jy3lavSHSiU1FRo-knhY7gTsI8=",
"redirect_uri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"client_id": "demo"
},
"resourceIds": [
"demo_resource",
"auth_resource"
],
"authorities": [
{
"authority": "demo_auth"
}
],
"approved": true,
"refresh": false,
"redirectUri": "http:\/\/localhost:8081\/login\/oauth2\/code\/",
"responseTypes": [
"code"
],
"extensions": {},
"grantType": "authorization_code",
"refreshTokenRequest": null
},
"credentials": "",
"clientOnly": false,
"name": "bob"
},
"name": "bob"
},
"authorizedClientRegistrationId": "custom-client",
"credentials": "",
"name": "bob"
}
What are those fields?, why there are some redundant information?, why there are multiple authorities with different values?
5- If I moved to use JWT in Authorization Server, do I have to change anything in the client application?
Thanks
Here is a partial answer to your multiple questions.
You should start by noting that:
OAuth2AuthenticationToken is a class from the Spring Security project packaged into spring-security-oauth2-resource-server.
OAuth2Authentication is a class from the deprecated Spring Security OAuth project packaged into spring-security-oauth2
The class OAuth2Authentication is a annotated with @Deprecated and should not be used in new project.
If you need only to implement a resource server and an OAuth2 client, you should use classes coming from the spring-security-oauth2-resource-server and spring-boot-starter-oauth2-client Maven packages and get rid of classes coming from the spring-security-oauth2 Maven package.
If you need also an authorization server you can try to use the new Spring Authorization Server