How can I ensure that a new token is used for each user when issuing WebClient http requests altered from within an ExchangeFilterFunction?
If you want to get a bit more context regarding this question, know this is a follow-up question to: How can I authenticate using the token exchange grant type for impersonation with spring boot and keycloak?
I need to impersonate through token exchange various users and as such I'm going to be needing a new token for each user. So basically the token exchange authentication query is the same each time but with a new requested_subject parameter. I'm fetching its value for the ClientRequest's attributes. This looks like this right now:
MonoGraphQLClient.createWithWebClient(WebClient.builder()
.baseUrl(properties.httpUrl)
.filter { request, next ->
val userAttribute: String = request.attribute(REQUESTING_USER_ATTRIBUTE).map(Any::toString).orElseThrow()
ServerOAuth2AuthorizedClientExchangeFilterFunction(
AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(
clientRegistrationRepository,
clientService
).apply {
setAuthorizedClientProvider(TokenExchangeReactiveOAuth2AuthorizedClientProvider().apply {
// Bypassing subject token presence check in TokenExchangeReactiveOAuth2AuthorizedClientProvider::authorize
setSubjectTokenResolver { Mono.just(OAuth2Token { null }) }
// Overriding client with our more permissive one
setAccessTokenResponseClient(LenientWebClientReactiveTokenExchangeTokenResponseClient().apply {
parametersProvider = {
LinkedMultiValueMap<String, String>().apply {
add("audience", properties.tokenAudience)
add("requested_subject", userAttribute) // This is where I set it
}
}
})
})
}
).also {
// We know we use only one provider, so it's easier and less coupled to the actual value to do things like this
it.setDefaultClientRegistrationId(clientRegistrationRepository.first().registrationId)
}.filter(request, next)
}
.build()
So the issue here is that on each request it reuses the previous token as long as it's not expired as it's being stored by ReactiveOAuth2AuthorizedClientService. I'd like a new token for each requested_subject.
The thing is, ReactiveOAuth2AuthorizedClientService's methods are based on the clientRegistrationId and principalName and ServerOAuth2AuthorizedClientExchangeFilterFunction, gets the principalName from these lines:
Note that the SecurityContext is not present here so we're always falling back to the anonymous user. The reason is that I'm in a service that reacts to events and does graphQL queries to a third party service. It's completely isolated and not publicly exposed and as such there is no authentication to this service.
So I have a couple solutions in my mind but I'm not really satisfied with any of these.
- Recode
ServerOAuth2AuthorizedClientExchangeFilterFunctionso that it allows me to override the default token to change the principal name (and maybe ask this as an upgrade to spring?). - I could use a different
ReactiveOAuth2AuthorizedClientServiceperrequested_subject. This would require me to create some kind of factory on top of it but nothing too big. - I guess a 3rd option would be to inject a custom context in the
ReactiveSecurityContextHolderfrom myExchangeFilterFunctionbut I haven't tried to pursue this option because I'm really not sure how this is going to behave if multiple queries for different users are triggered in parallel.
Solution 2 seems the cleanest to me so far.
How can I properly authenticate with a different requested_subject only when needed and in a spring-friendly way ?
The third option is actually the intended way to override the authentication. It uses the reactive Context (not a ThreadLocal like in a servlet application).
- perform SpringBoot request validation based on configurable property
- Setting cookie from java spring boot rest API to angular
- Validate list inside request with springboot against [null]
- Unable to run Spring Boot native application with AWSSecretsManagerPostgreSQLDriver
- Spring Boot Redis Cache @CachePut is not updating the cache
- spring batch dependency cycle
- SimpMessagingTemplate not sending messages in spring boot
- Hibernate StaleObjectStateException After Upgrading to 6.6.3: Row was updated or deleted by another transaction or unsaved-value mapping was incorrect
- Spring doesn't recommend to annotate interface methods with @Cache* annotation on Spring HttpInterface
- Spring Boot 3.4.0 lets integration tests with JPA/Hibernate fail
- I get "No message available" in postman response from api spring
- How to fix jackson java 8 data/time error?
- How to use both @RestControllerAdvice and Swagger UI in Spring boot
- @RequestParam return null value from Postman
- Why is my controller calling different API when there is no match API for the request?
- Throw TestContainers issue in Jenkins for CI/CD in Spring Boot on Windows (Can not connect to Ryuk at 172.17.0.1: port_number)
- Spoof-proof file type validation in a Spring Boot app
- Why does @Size(min) validation trigger before @NotBlank validation in Spring Boot?
- Process finished with exit code 1 Spring Boot Intellij
- Pooling RestTemplante setReadTimeout
- Why Postman and mongoDb db.getCollectionNames return empty array?
- Spring Boot with Redis as a second-level cache. Any way to set TTL on cache entries in Redis so they are deleted when Redisson is not running?
- Getting Server-Side Request Forgery (SSRF) (CWE ID 918) restTemplate.getForEntity
- There was an unexpected error (type=Forbidden, status=403).Forbiden
- Space getting replaced by new line (\n) in double quoted string passed as request body in REST API
- How can I ensure only the first validation error per field is returned in Spring Boot, even when there are multiple validation rules?
- DateTimeParseException: Text cannot be parsed to a Duration
- java.lang.ClassNotFoundException: jakarta.enterprise.inject.spi.el.ELAwareBeanManager
- @MAPSTRUCT. No property named "packaging" exists in source parameter(s)
- Cannot find the cache named xxx for the builder in spring boot application