
Expose strategy for converting Jwt into Authentication #5629

Closed
jzheaux opened this issue Aug 1, 2018 · 3 comments

Comments


jzheaux commented Aug 1, 2018

Let's expose a strategy for converting a Jwt into an Authentication.

The flow from bearer token to Authentication goes something like this:

String token -> Jwt jwt
Jwt jwt -> Authentication authentication

The first step can be configured by wiring JwtAuthenticationProvider with an instance of JwtDecoder.

We could do the same thing with the second step.

Spring Core has a Converter interface that could work well.

Let's include also an abstract implementation that makes it easier to only participate in the conversion of the Jwt into a set of GrantedAuthorities.
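An added example of the strategy sketched above, written for this page rather than taken from the issue or from Spring Security's own sources. It assumes the `Converter<Jwt, AbstractAuthenticationToken>` shape proposed here, the `JwtAuthenticationToken(Jwt, Collection<GrantedAuthority>)` constructor, and a `setJwtAuthenticationConverter` setter on `JwtAuthenticationProvider`; the setter name is an assumption.

```java
// Added example (not from the issue or Spring Security's own sources).
// Assumed: Converter<Jwt, AbstractAuthenticationToken> strategy and a
// JwtAuthenticationProvider.setJwtAuthenticationConverter(...) setter.
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

/**
 * Second step of the flow (Jwt -> Authentication). Only the "scope" claim is
 * trusted as a source of authorities, and each value is prefixed so a token
 * scope can never collide with a locally assigned ROLE_* authority.
 */
public class ScopeJwtAuthenticationConverter
        implements Converter<Jwt, AbstractAuthenticationToken> {

    private static final String SCOPE_PREFIX = "SCOPE_";

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        return new JwtAuthenticationToken(jwt, extractAuthorities(jwt));
    }

    // The hook a subclass would override to participate only in the
    // Jwt -> GrantedAuthorities part of the conversion.
    protected Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
        String scope = jwt.getClaimAsString("scope"); // RFC 6749: space-delimited
        if (scope == null || scope.trim().isEmpty()) {
            return Collections.emptyList(); // authenticated, but with no authorities
        }
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        for (String value : scope.trim().split("\\s+")) {
            authorities.add(new SimpleGrantedAuthority(SCOPE_PREFIX + value));
        }
        return authorities;
    }

    // Wiring both steps: the decoder covers String -> Jwt, the converter Jwt -> Authentication.
    public static JwtAuthenticationProvider provider(JwtDecoder decoder) {
        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(decoder);
        provider.setJwtAuthenticationConverter(new ScopeJwtAuthenticationConverter());
        return provider;
    }
}
```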

@jzheaux jzheaux self-assigned this Aug 1, 2018
@jzheaux jzheaux added this to the 5.1.0.RC1 milestone Aug 1, 2018
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) JWT-JOSE labels Aug 1, 2018

gburboz commented Aug 9, 2018

Is this for converting jwt based access token to authentication without having to invoke user-info service?

Suggestion

  • It would also be great if the default JWT converter could perform the conversion based on the OIDC Standard Claims and/or provide the ability to configure a mapping from the claims on the token to the expected claim names.
  • Need to consider which claim is to be used for the principal name, which should default to the claim expression <sub>@<iss>.


jzheaux commented Aug 10, 2018

@gburboz The initial target for this strategy is Resource Server, where the story is more about inferring a set of authorities from a bearer token and less about who is the subject. To that end, the converter for the time being only exposes an override for inferring a Collection<GrantedAuthority> from the jwt.

That said, yes, the idea is that broader conversions will be possible as well. At this point, the only place we have concrete plans to expose this strategy is in the Resource Server DSL.

I like your suggestions for some common conversion use cases and have taken note. Would recommend that you open a ticket and ping @jgrandja about it.


gburboz commented Aug 13, 2018

Thanks @jzheaux, I have raised ticket #5659.

jzheaux added a commit to jzheaux/spring-security that referenced this issue Aug 16, 2018
Exposes ability to specify a strategy for converting Jwt into an
Authentication, specifically in JwtAuthenticationProvider.

Fixes: spring-projectsgh-5629
rwinch pushed a commit that referenced this issue Aug 17, 2018
Exposes ability to specify a strategy for converting Jwt into an
Authentication, specifically in JwtAuthenticationProvider.

Fixes: gh-5629