Support AuthoritiesProvider for Resource Server flows (opaque and jwt) #160
Comments
|
NOTE: As part of this change it should be possible, to lookup and use the |
|
Hi, is there any way to add custom authorities on resource servers using JWT and OKTA? |
|
@paulorego Currently you would need to do something like this: However, some of those classes are package protected, so they would need to be wrapped (with something like a |
|
@bdemers How would this bean get picked up? Looking at OktaOAuth2Configurer (https://github.com/okta/okta-spring-boot/blob/master/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2Configurer.java#L155-L156), it doesn't use the JwtAuthenticationConverter bean but instantiates a new one. Is there something I'm missing here? We are also trying to add our own authorities but haven't been able to. |
NOTE: This doesn't work, I was just putting thoughts down, and it ended up being a be more complicated: TODO: * There is probably a better Spring Security abstraction for all of this * Need to check to see if returning a `Converter` bean will inject correctly everywhere (including with native images) * Need to implement something similar for opaque tokens * Need to add tests that will make sure scope authorities and claim/group authorities are merged correctly * The new method in AuthoritiesProvder's return type doesn't match the other very related method in this interface (and it still doesn't cover the opaque token use case) Related: #160
|
@swargolet good catch, I guess I was typing faster than thinking 😄 I started writing a reply, but then figured it would be easier to try to hack something up, I was wrong... TL;DR: it's still going to take a bit of work 😞 |
|
Ended up coming up with a solution around this. Only downside to this, which I call out in a comment is that it overrides the @Configuration
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
private JwtDecoder jwtDecoder;
private Converter<Jwt, Collection<GrantedAuthority>> myJWTGrantedAuthoritiesConverter;
@Autowired
public void setJwtDecoder(JwtDecoder jwtDecoder) {
this.jwtDecoder = jwtDecoder;
}
@Autowired
public void setMyJWTGrantedAuthoritiesConverter(Converter<Jwt, Collection<GrantedAuthority>> myJWTGrantedAuthoritiesConverter) {
this.myJWTGrantedAuthoritiesConverter = myJWTGrantedAuthoritiesConverter;
}
private Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter() {
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(myJWTGrantedAuthoritiesConverter);
return jwtAuthenticationConverter;
}
private AuthenticationProvider authProvider() {
JwtAuthenticationProvider jwtAuthenticationProvider = new JwtAuthenticationProvider(jwtDecoder);
Converter<Jwt, ? extends AbstractAuthenticationToken> jwtAuthenticationConverter = jwtAuthenticationConverter();
jwtAuthenticationProvider.setJwtAuthenticationConverter(jwtAuthenticationConverter);
return jwtAuthenticationProvider;
}
@Override
protected void configure(final HttpSecurity http) throws Exception {
http.csrf().disable()
.authorizeRequests()
.anyRequest()
.authenticated()
.and()
.authenticationProvider(authProvider()) // This overrides OktaJwtAuthenticationConverter and this we lose claims to Authorities functionality
.oauth2ResourceServer()
.jwt()
;
}
} |
|
Thanks for following up! |
|
why is this closed as completed if the related PR was not merged and the problem remains in the latest release? Please can this be reopened. |
Currently, the
AuthoritiesProviderinterface only supports authorization code flow and not resource servers.We should be able to add a new method or two in
AuthoritiesProviderto support resource servers.The text was updated successfully, but these errors were encountered: