OAuth2ResourceServerSpec should allow its ServerBearerTokenAuthenticationConverter to be configurable #6186
Comments
@edeandrea That would be great. Please do at your convenience.
I'm almost wrapped up with it & wanted to ask a question regarding an implementation detail. I'd like to change Its implementation would look like

```java
@FunctionalInterface
public interface ServerBearerTokenAuthenticationConverter extends ServerAuthenticationConverter {
    /**
     * Resolve any <a href="https://tools.ietf.org/html/rfc6750#section-1.2" target="_blank">Bearer Token</a>
     * value from the request
     *
     * @param request The {@link ServerHttpRequest}
     * @return The token found in the request or {@code null} if none found
     * @throws org.springframework.security.oauth2.core.OAuth2AuthenticationException If the found token is invalid
     * @since 5.2
     */
    @Nullable
    String resolveToken(ServerHttpRequest request);

    @Override
    default Mono<Authentication> convert(ServerWebExchange exchange) {
        return Mono.justOrEmpty(resolveToken(exchange.getRequest()))
                .map(BearerTokenAuthenticationToken::new);
    }
}
```

That would constitute a breaking change though. My thought on that though is that currently the If not my thought was to modify I like the cleaner separation of an interface though and referencing the interface in the configuration DSL. I could also create a new interface and retrofit
After thinking about it a bit more I'm going to go with the non-breaking approach - create a new interface & retro-fit
@edeandrea So, we do have And since an extra interface is really only saving the user a couple of lines (going from String to Authentication), we can probably afford to wait on that. Note that this is how the same functionality is exposed in OAuth2Login, so it's also nice to stay consistent where possible.
I just submitted #6190
Currently in `ServerHttpSecurity.OAuth2ResourceServerSpec.JwtSpec.configure(ServerHttpSecurity)` the `ServerBearerTokenAuthenticationConverter` is hard-coded in the `configure` method. The non-reactive side (`OAuth2ResourceServerConfigurer`) allows for the user to supply a `BearerTokenResolver`. The reactive side should allow for the same.

I propose adding similar functionality to `ServerHttpSecurity.OAuth2ResourceServerSpec` for this.

I'm happy to supply a PR for this if you would like.
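
An added illustration of the configurability requested here (not code from this issue, its participants or the project): a custom `ServerAuthenticationConverter` that reads the bearer token from a dedicated header and fails closed on duplicated or malformed values. The class names, the `X-Api-Token` header and the use of the `bearerTokenConverter(...)` DSL method with Spring Security 5.2 package names are assumptions not stated in the thread.

```java
import java.util.List;
import java.util.regex.Pattern;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken; // 5.2 package
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Hypothetical converter: takes the token from a dedicated header instead of Authorization.
class HeaderBearerTokenConverter implements ServerAuthenticationConverter {
    // b64token syntax from RFC 6750 section 2.1
    private static final Pattern B64TOKEN = Pattern.compile("[A-Za-z0-9\\-._~+/]+=*");
    private final String headerName;
    HeaderBearerTokenConverter(String headerName) {
        this.headerName = headerName;
    }
    @Override
    public Mono<Authentication> convert(ServerWebExchange exchange) {
        List<String> values = exchange.getRequest().getHeaders().getOrEmpty(headerName);
        if (values.isEmpty()) {
            return Mono.empty(); // no token: the request continues unauthenticated
        }
        // Fail closed on duplicated or malformed values rather than guessing which one to trust.
        if (values.size() > 1 || !B64TOKEN.matcher(values.get(0)).matches()) {
            return Mono.error(new OAuth2AuthenticationException(
                    new OAuth2Error("invalid_request", "Malformed bearer token header", null)));
        }
        return Mono.just(new BearerTokenAuthenticationToken(values.get(0)));
    }
}

@EnableWebFluxSecurity
class ResourceServerConfig {
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange().anyExchange().authenticated();
        http.oauth2ResourceServer()
                .bearerTokenConverter(new HeaderBearerTokenConverter("X-Api-Token")) // assumed header name
                .jwt(); // needs a ReactiveJwtDecoder bean or a configured JWK set URI
        return http.build();
    }
}
```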