How-to: Use third-party opaque tokens for authentication. #806

Closed
jacko9et opened this issue Jul 21, 2022 · 4 comments
@jacko9et

My current project needs to use third-party authentication, and the other party is not compatible with OAuth2, but it can issue an opaque token, and user information can be obtained through the opaque token.
Is it possible to give an example for this case?

@jacko9et jacko9et added the type: enhancement A general enhancement label Jul 21, 2022
@jgrandja
Collaborator

@lu-cheng I don't understand your use case. Can you provide more details? What authentication system are you using and looking to integrate with Spring Authorization Server?

@jgrandja jgrandja added status: waiting-for-feedback We need additional information before we can continue and removed type: enhancement A general enhancement labels Aug 17, 2022
@jacko9et
Author

@jgrandja Sorry for the late reply. There is an old system that directly returns an opaque token to the front end after logging in, and provides a userInfo interface to obtain user information. This is similar to introspection of opaque tokens. I need to do user authentication in Spring Authorization Server with something like introspection using opaque tokens. It is hoped that an opaque token can be carried in the /authorize request for user authentication.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Aug 23, 2022
@jgrandja
Collaborator

@lu-cheng Regarding...

> I need to do user authentication in Spring Authorization Server

User Authentication is not a responsibility of Spring Authorization Server. Instead, you would use Spring Security to configure the Authentication mechanism and associated integration with the backing IdP.

The only requirement of Spring Authorization Server is that the current request must be authenticated in order to proceed with certain flows, for example, authorization_code grant flow. This is simply determined by checking SecurityContext.getAuthentication().isAuthenticated(). How the Authentication instance is populated in the SecurityContext is determined by how you configure the authentication mechanism within Spring Security.

I would recommend reviewing the reference manual by first going over the Authentication options and I think the Pre-Authentication Scenario might be applicable to your use case.

@jgrandja jgrandja self-assigned this Aug 30, 2022
@jgrandja jgrandja added for: external-project For an external project and not something we can fix and removed status: feedback-provided Feedback has been provided labels Aug 30, 2022
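
The pre-authentication approach recommended in the comment above, sketched as an added example (not code from this thread or from the Spring projects). It assumes Spring Security 6; the `X-Legacy-Token` header, the userInfo URI and the `username` response field are hypothetical stand-ins for the legacy system's real interface.

```java
// Added example. Assumes Spring Security 6 (jakarta.servlet; use javax.servlet on 5.x).
// Header name, userInfo URI and the "username" field are hypothetical placeholders.
import java.util.Map;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.http.*;
import org.springframework.security.authentication.*;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.preauth.*;
import org.springframework.web.client.*;

public final class LegacyTokenPreAuth {
    /** Pulls the opaque token from a header; a null principal means no attempt is made. */
    static class TokenFilter extends AbstractPreAuthenticatedProcessingFilter {
        @Override protected Object getPreAuthenticatedPrincipal(HttpServletRequest req) {
            String token = req.getHeader("X-Legacy-Token"); // header, not query string: URLs get logged
            return (token == null || token.isBlank()) ? null : token;
        }
        @Override protected Object getPreAuthenticatedCredentials(HttpServletRequest req) {
            return "N/A"; // must be non-null or the provider rejects the request
        }
    }
    /** Validates the token against the legacy userInfo endpoint and maps the reply to a user. */
    static class UserInfoService
            implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
        private final RestTemplate rest = new RestTemplate();
        private final String userInfoUri;
        UserInfoService(String userInfoUri) { this.userInfoUri = userInfoUri; }

        @Override public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken auth) {
            HttpHeaders headers = new HttpHeaders();
            headers.setBearerAuth((String) auth.getPrincipal()); // assumes bearer-style lookup
            try {
                Map<?, ?> info = rest.exchange(userInfoUri, HttpMethod.GET,
                        new HttpEntity<Void>(headers), Map.class).getBody();
                Object name = (info == null) ? null : info.get("username");
                if (name == null) throw new BadCredentialsException("userInfo returned no user");
                return new User(name.toString(), "N/A", AuthorityUtils.createAuthorityList("ROLE_USER"));
            } catch (RestClientException e) { // 4xx/5xx/timeouts: fail closed, no Authentication is set
                throw new BadCredentialsException("legacy token rejected", e);
            }
        }
    }
    /** Builds the filter; register it with http.addFilter(...) on the chain that serves the authorization endpoint. */
    static TokenFilter tokenFilter(String userInfoUri) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new UserInfoService(userInfoUri));
        TokenFilter filter = new TokenFilter();
        filter.setAuthenticationManager(new ProviderManager(provider));
        return filter;
    }
}
```

When the userInfo call fails, the filter leaves the `SecurityContext` empty, so the `isAuthenticated()` check described above fails and the request falls through to whatever entry point the chain defines.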
@jacko9et
Author

jacko9et commented Sep 26, 2022

@jgrandja Thanks, I'll try the solution in #797 to fix this. By the way, since SecurityContext is already used, why not directly use the extension of SecurityContextRepository to handle the functionality of OAuth2AuthorizationService?
