Spring boot client server authentication and authorization with jwt

Time:02-03

The application requires to be authenticated and authorized by the SSO. All the required information is present in the JWT, but I'm not sure if this is the correct approach, as OAuth2LoginAuthenticationToken is null.

The client server WebSecurityConfigurerAdapter is as follows

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        // Turns CSRF protection off for every endpoint. oauth2Login() is a
        // session-based flow, so this leaves the client open to cross-site requests.
        http.csrf().disable();

        http.antMatcher("/**").authorizeRequests()
            .antMatchers("/", "/login**").permitAll()
            .anyRequest().authenticated()
            .and()
            .oauth2Login()
            .and()
            // Adds the custom provider next to Spring's own
            // OAuth2LoginAuthenticationProvider; ProviderManager asks each
            // provider that supports() the token type in turn.
            .authenticationProvider(
                new OfficeUserAuthProvider()
            );
    }
}

and OfficeUserAuthProvider is as follows

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;

public class OfficeUserAuthProvider implements AuthenticationProvider {

    private static final Logger logger = LoggerFactory.getLogger(OfficeUserAuthProvider.class);

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {

        // This is the unauthenticated request token built from the redirect back
        // from the SSO: it carries the ClientRegistration and the
        // AuthorizationExchange (the authorization code), but getPrincipal() is
        // null until the code has been exchanged and the user's details loaded.
        OAuth2LoginAuthenticationToken auth = (OAuth2LoginAuthenticationToken) authentication;

        logger.info("{}", authentication);
        logger.info("registrationId={}", auth.getClientRegistration().getRegistrationId());

        // TODO: exchange the code and build an authenticated token here.
        // Returning null means "cannot decide"; ProviderManager moves on to the
        // next provider that supports this token type.
        return null;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        boolean supported = OAuth2LoginAuthenticationToken.class.isAssignableFrom(authentication);
        logger.info("{}", supported);
        return supported;
    }
}

The output from logger.info("{}", authentication); is

22-01-31 Mon 01:25:15.700 INFO  c.t.s.config.OfficeUserAuthProvider      Java : 27    : OAuth2LoginAuthenticationToken [Principal=null, Credentials=[PROTECTED], Authenticated=false, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=FF16A2C206F66F021109D86C4997F8F6], Granted Authorities=[]]

The decoded JWT token received from the authorization server is

{
  "dateTime": 1643570398335,
  "aud": [
    "documentRepository"
  ],
  "user_name": "admin",
  "enable": true,
  "scope": [
    "read",
    "write"
  ],
  "exp": 1643572198,
  "department": null,
  "authorities": [
    "ROLE_ADMIN_USER",
    "ROLE_OFFICE_USER"
  ],
  "jti": "bbc551c4-31ec-4744-bc92-c051f5c08719",
  "client_id": "appXXXX"
}

and the application.properties of the client server is

spring.security.oauth2.client.registration.xyz.client-id=appXXXX
spring.security.oauth2.client.registration.xyz.client-secret=passXXXXX
spring.security.oauth2.client.registration.xyz.client-name=app
spring.security.oauth2.client.registration.xyz.scope=read, write
spring.security.oauth2.client.registration.xyz.provider=xyz-sso
spring.security.oauth2.client.registration.xyz.redirect-uri=http://localhost:8081/login/oauth2/code/
spring.security.oauth2.client.registration.xyz.client-authentication-method=post
spring.security.oauth2.client.registration.xyz.authorization-grant-type=authorization_code

spring.security.oauth2.client.provider.xyz-sso.authorization-uri=http://modern-14-b4mw:8080/oauth/authorize
spring.security.oauth2.client.provider.xyz-sso.token-uri=http://modern-14-b4mw:8080/oauth/token

CodePudding user response:

Had to improvise and implement a REST endpoint for the Principal, /user/me, in the SSO.

In the client application.properties, added

spring.security.oauth2.client.provider.xyz-sso.user-info-uri=http://modern-14-b4mw:8080/api//user/me
spring.security.oauth2.client.provider.xyz-sso.user-name-attribute=name

With the above update I was able to get an OAuth2AuthenticationToken.
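The following is an added example, not code from the question or the answer above. It shows both halves of the approach the answer describes: the /user/me endpoint on the SSO that returns the principal, and the client-side mapping that turns the "authorities" attribute of that user-info response into Spring authorities so that hasRole() works on the client. It assumes the SSO already guards /api/** with bearer-token authentication (the /oauth/authorize and /oauth/token URIs in the question suggest the legacy spring-security-oauth2 authorization server with @EnableResourceServer), that the endpoint path is /api/user/me, that the access token carries the "authorities" claim shown in the question, and that the class names, the /office/** path and the ROLE_ prefix filter are illustrative choices.

```java
// Added example, not from the original post. Two classes for two applications
// are shown in one block for reading; split them at the "----" markers.
// Assumptions: the SSO authenticates bearer tokens on /api/** before this
// controller runs, and the token's authorities include the "authorities" claim.

import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// ---- SSO (authorization server): the user-info endpoint the answer refers to ----
@RestController
class UserInfoController {

    // The resource-server filter has already validated the bearer token and
    // built this Authentication from it; expose only what the client needs.
    // The "name" key must match provider.xyz-sso.user-name-attribute=name.
    @GetMapping("/api/user/me")   // assumed path
    public Map<String, Object> me(Authentication authentication) {
        Map<String, Object> body = new LinkedHashMap<>();
        body.put("name", authentication.getName());
        body.put("authorities", authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toList()));
        return body;
    }
}

// ---- Client: map the "authorities" attribute of the user-info response ----
@Configuration
@EnableWebSecurity
class ClientSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is deliberately left on: oauth2Login() is session
        // based, so a cross-site form post could otherwise ride the session.
        http.authorizeRequests()
                .antMatchers("/", "/login**").permitAll()
                .antMatchers("/office/**").hasRole("OFFICE_USER") // matches ROLE_OFFICE_USER
                .anyRequest().authenticated()
            .and()
            .oauth2Login()
                .userInfoEndpoint()
                    .userAuthoritiesMapper(userAuthoritiesMapper());
    }

    // By default an OAuth2 login yields only ROLE_USER plus SCOPE_* authorities,
    // with the user-info attributes attached to the OAuth2UserAuthority. This
    // mapper lifts the SSO's "authorities" attribute into real GrantedAuthorities
    // so hasRole() above works; only ROLE_-prefixed values are accepted.
    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (!(authority instanceof OAuth2UserAuthority)) {
                    continue;
                }
                Object claim = ((OAuth2UserAuthority) authority).getAttributes().get("authorities");
                if (!(claim instanceof Collection)) {
                    continue;
                }
                for (Object value : (Collection<?>) claim) {
                    String role = String.valueOf(value);
                    if (role.startsWith("ROLE_")) {
                        mapped.add(new SimpleGrantedAuthority(role));
                    }
                }
            }
            return mapped;
        };
    }
}
```

After login the SecurityContext holds an OAuth2AuthenticationToken whose principal is a DefaultOAuth2User named from the "name" attribute and whose authorities come from the mapper. Note that the client sends the access token as a bearer token to the user-info URI, so that URI (and the token URI) should be served over HTTPS rather than the plain http:// used in the configuration above.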
