This repository was archived by the owner on May 31, 2022. It is now read-only.

Additional information stored on the JwtToken are ignored when OAuth2Authentication is extracted #716

Closed
nucatus opened this issue Mar 16, 2016 · 1 comment

nucatus commented Mar 16, 2016

If the JwtToken is loaded with additional information on the Authorization Server, that information will not make its way into the extracted OAuth2Authentication on the resource server side, although that information is available in the decoded token and the Map that is passed to the DefaultAccessTokenConverter.extractAuthentication(Map).

When the extract operation is completed, the details field of the OAuth2Authentication is left empty. This field, in my opinion, would be the best candidate for storing such information.

    /**
     * Stores additional details about the authentication request. These might be an IP
     * address, certificate serial number etc.
     *
     * @return additional details about the authentication request, or <code>null</code>
     * if not used
     */
    Object getDetails();

The workaround would be to decode the raw token value that is stored on the OAuth2Authentication each time that extra information is needed. But this seems to be an extra step that can be avoided.

Is this the intended behavior? Thanks.

@jgrandja
Contributor

Hi @nucatus. If you would like to store the claims via AbstractAuthenticationToken.setDetails(Object) then you can do the following:

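	import java.util.Map;
	import org.springframework.security.oauth2.provider.OAuth2Authentication;
	import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
	import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
	import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
	import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

	// Converter that keeps the default extraction and also stores the claims as details
	AccessTokenConverter customAccessTokenConverter = new DefaultAccessTokenConverter() {
		@Override
		public OAuth2Authentication extractAuthentication(Map<String, ?> claims) {
			OAuth2Authentication authentication = super.extractAuthentication(claims);
			authentication.setDetails(claims); // Store all the claims
			return authentication;
		}
	};
	// Plug the custom converter into the JWT converter used by the token store
	JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
	jwtAccessTokenConverter.setAccessTokenConverter(customAccessTokenConverter);

	JwtTokenStore jwtTokenStore = new JwtTokenStore(jwtAccessTokenConverter);

	// jwtToken is the access token received by the resource server
	OAuth2Authentication authentication = jwtTokenStore.readAuthentication(jwtToken);

	// The details now hold the claims map stored by the custom converter
	@SuppressWarnings("unchecked")
	Map<String, Object> claims = (Map<String, Object>) authentication.getDetails();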

I'm going to close this issue as I believe the solution I've provided should work for your use case.
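
An added example, not part of the thread and not the project's own code: a variant of the converter above that copies only allow-listed claims into the details as a read-only map and reads them back without an unchecked cast. The class name and the claim names `tenant_id` and `department` are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;

/**
 * Added example (hypothetical class): keeps only allow-listed custom claims
 * and stores them as a read-only copy in the authentication details.
 */
public class ClaimsDetailsAccessTokenConverter extends DefaultAccessTokenConverter {

    // Assumed claim names; replace with the ones the authorization server adds.
    private static final Set<String> EXPOSED_CLAIMS =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("tenant_id", "department")));

    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> claims) {
        OAuth2Authentication authentication = super.extractAuthentication(claims);
        Map<String, Object> exposed = new LinkedHashMap<>();
        for (String name : EXPOSED_CLAIMS) {
            Object value = claims.get(name);
            if (value != null) {
                exposed.put(name, value);
            }
        }
        // Read-only view of the copy: callers cannot add or replace entries.
        authentication.setDetails(Collections.unmodifiableMap(exposed));
        return authentication;
    }

    /** Returns the stored claim as a String, or null if absent or of another type. */
    public static String claimAsString(OAuth2Authentication authentication, String name) {
        Object details = authentication.getDetails();
        if (!(details instanceof Map)) {
            return null; // details do not hold the claims map
        }
        Object value = ((Map<?, ?>) details).get(name);
        return (value instanceof String) ? (String) value : null;
    }
}
```

It is wired in the same way as the anonymous converter above, through `jwtAccessTokenConverter.setAccessTokenConverter(new ClaimsDetailsAccessTokenConverter())`.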

@jgrandja jgrandja removed this from the 2.2.0.M1 milestone Jun 30, 2017