Simplify access to OAuth 2.0 token attributes #6498
Comments
|
Hello, |
|
Hi, @kwolfp, thanks for your interest! There is still a bit of discussion among the team as to what this might look like. It's not finalized that what's been described will actually be the way it is implemented, so I'd recommend waiting. |
jgrandja
added
the
in: oauth2
|
I'm wondering if we can do something like this: GetMapping("/protected")
public String method(@CurrentSecurityContext(expression = "authentication.tokenAttributes") Map<String, Object> attrs) {
String subject = (String) attrs.get("sub");
// ...
}I like this because this also solves other attributes we might need. |
|
I'm of the mind that @GetMapping("/protected")
public String method(@CurrentSecurityContext SecurityContext context) {
}And so I'd always be at least typing What about: @GetMapping("/protected")
public String method(@CurrentAuthentication(expression="tokenAttributes") Map<String, Object> attributes) {
String subject = (String) attrs.get("sub");
// ...
}Also, what I like about both is that it's possible for a user to do something like: @GetMapping("/protected")
public String method(@OAuth2TokenAttributes Map<String, Object> attributes) {
String subject = (String) attrs.get("sub");
// ...
}with minimal effort by doing a meta-annotation. |
|
@jzheaux when I tried to implement your idea with |
|
Thanks for looking into that, @kwolfp. If This points me in the direction of a first-class object to represent attributes, e.g. |
|
@jzheaux I'd prefer to make it resolve the |
|
K, makes sense, @rwinch. I think we're ready to split this out a bit, then. I've created a ticket to introduce |
|
I propose we introduce the I'd imagine that we'd introduce public OAuth2TokenAttributes getAttributes() {
return new OAuth2TokenAttributes(getTokenValue(), getTokenAttributes());
}This would then enable an application to do: public String method(@CurrentSecurityContext(expression="authentication.attributes")
OAuth2TokenAttributes attributes)Or: @CurrentSecurityContext(expression="authentication.attributes")
public @interface CurrentOAuth2TokenAttributes
// ...
public String method(@CurrentOAuth2TokenAttributes OAuth2TokenAttributes attributes) |
|
@jzheaux Can you outline what OAuth2TokenAttributes looks like (what methods are on it)? |
|
Good question, @rwinch.
public <A> A getAttribute(String name);
public Map<String, Object> getAttributes();Originally, I was thinking it would also contain |
jzheaux
added
status: ideal-for-contribution
|
@kwolfp I believe we can start work on this ticket now. Are you still interested in submitting a PR? |
|
I've just summarized the work to be done for this ticket up in the description. |
|
Hi @jzheaux, I'm interested in trying out this ticket. |
|
Sounds great, @clementkng, glad to have you working on it. Note that the discussion is probably good for background, but the consensus can be found in the description itself. |
jzheaux
removed
the
status: ideal-for-contribution
|
Hi @jzheaux, I have a couple questions. On the high level, my understanding is that the I was also wondering if it was necessary to introduce a new test class for |
|
@clementkng Thanks for bringing up these points.
I realize that there was a bit of discussion about this in the thread, but let's just do the
I'm not sure what you mean by this. As far as I can tell, updating the sample should be a simple matter of updating its controller methods. Am I missing something, or is this what you were asking?
No, just the constructor is fine. |
To simplify access to OAuth 2.0 token attributes Fixes spring-projectsgh-6498
To simplify access to OAuth 2.0 token attributes Fixes gh-6498
To simplify access to OAuth 2.0 token attributes Fixes spring-projectsgh-6498
Uh oh!
There was an error while loading. Please reload this page.
Related to #5200 and #6352 (comment)
We should introduce
OAuth2TokenAttributes, a class that holds an OAuth 2.0 Token's attributes. To this point, each authentication token has exposed attributes simply as aMap.It works out best, though, when an new class's usage can be demonstrated, ensuring that the API is correct. So, to complete this ticket, a few things need to be done:
OAuth2TokenAttributesThis is a simple domain object that contains a
Map:It should probably go in
oauth2-coreinorg.springframework.security.oauth2.core.OAuth2IntrospectionAuthenticationToken's constructorIt should take an
OAuth2TokenAttributesfor its principal instead of aMap. While this is a breaking change, it's allowable since that API has not GA'd yetoauth2resourceserver-opaquesampleThis sample should be adjusted to use the token's principal (
OAuth2TokenAttributes)Extra Background
Spring Security offers different ways to access OAuth 2.0 token attributes, depending on how they were obtained.
For example, a Resource Server can authenticate via JWT tokens and obtain their contents in the following way:
When using introspection, though, the principal is simply a map, so the pattern is:
It would be nice if application code didn't have to know the token verification strategy to extract the attributes from the principal.
Further, there is potentially some clean up here with clarifying the meaning around attributes and claims. Claims are unverified attributes. Or, in other words, a JWT has a claim set, but the ensuing
Authenticationobject has attributes since the JWT at that point is verified.There is already one way to get attributes in an agnostic way:
But it would be nicer if this were a bit simpler and users could take advantage of more Spring Security features agnostically.
By thinking more about the principal and how to expose it, it may be possible to achieve something like:
that works for any OAuth 2.0
Authenticationtype.The text was updated successfully, but these errors were encountered: