Eric Swanson

Reputation: 930

Spring Boot OAuth2 when implicit JWT is created?

How can I get details from the OAuth2 SSO Principal into my JWT? (instance of OAuth2Authentication getDetails as OAuth2AuthenticationDetails getDecodedDetails returns null)

I have...

When I login...

  1. Angular app redirects to Auth service login
  2. Auth service redirects to GitHub
  3. [User Authenticates]
  4. GitHub redirects to Auth Service
  5. Auth Service initiates a session and issues a token
  6. Auth Service redirects to Angular
  7. The browser token is a proper JWT

Now, when I communicate with Auth Service /me:

I've tried a custom TokenEnhancer, but the OAuth2Authentication instance is already the bare minimum with no details. And, when the call is initiated from Angular, it doesn't have the same session cookie as when I call it directly (I don't want to share the session - I want to put the details in the JWT).

[Update #1]

I tried a custom JwtAccessTokenConverter and used it in both of the @EnableAuthorizationServer and @EnableResourceServer (secures the /me endpoint) configuration classes. However, it didn't work. I still get null details from OAuth2Authentication.

// Wire the custom converter into the JwtAccessTokenConverter shared by both config classes
final JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setAccessTokenConverter(new CustomTokenConverter());

Upvotes: 0

Views: 473

Answers (1)

Sanjay

Reputation: 8965

The way Spring Lemon does this is replacing the OAuth2 and OpenID Connect user services (see the Spring Security docs). See LemonOAuth2UserService and LemonOidcUserService for details. For statelessness, it passes the client a short-lived JWT token as a param to targetUrl, as you can see in its OAuth2AuthenticationSuccessHandler class. It uses a cookie mechanism for doing all this statelessly, which can be further understood by looking at its HttpCookieOAuth2AuthorizationRequestRepository and how it's configured.

Here is an article explaining this in more detail: https://www.naturalprogrammer.com/blog/1681261/spring-security-5-oauth2-login-signup-stateless-restful-web-services

Upvotes: 0
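The approach the answer describes, as an added example that is neither Spring Lemon's code nor the asker's: a Spring Security 5.x oauth2-login configuration that wraps the default user service so the principal keeps the provider attributes, then has the success handler mint a short-lived HS256 JWT from those attributes and hand it to the Angular app in the redirect URL. It assumes the jjwt library (io.jsonwebtoken), the property names app.jwt.secret and app.frontend.url, and the class and bean names are all made up for this illustration.

```java
import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.client.userinfo.*;
import org.springframework.security.oauth2.core.user.*;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.web.util.UriComponentsBuilder;
import java.util.*;
@Configuration @EnableWebSecurity
public class StatelessOAuth2LoginConfig extends WebSecurityConfigurerAdapter {
    @Value("${app.jwt.secret}") private String secret;       // assumed property: >= 32-byte HS256 key
    @Value("${app.frontend.url}") private String frontendUrl; // assumed property: the Angular app URL
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            // No HttpSession holds the login; the authorization-request state still uses the default session repository unless a cookie-backed one (as in the answer) is plugged in.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .oauth2Login().userInfoEndpoint().userService(userService()).and()
            .successHandler(jwtSuccessHandler());
    }
    // Replaces the default user lookup so the principal carries every attribute /me needs.
    @Bean
    public OAuth2UserService<OAuth2UserRequest, OAuth2User> userService() {
        DefaultOAuth2UserService delegate = new DefaultOAuth2UserService();
        return req -> {
            OAuth2User user = delegate.loadUser(req);
            Map<String, Object> attrs = new HashMap<>(user.getAttributes());
            attrs.put("provider", req.getClientRegistration().getRegistrationId());
            String nameKey = req.getClientRegistration().getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName();
            return new DefaultOAuth2User(user.getAuthorities(), attrs, nameKey);
        };
    }
    // Mints a short-lived JWT from the principal and hands it to the SPA in the redirect URL.
    @Bean
    public AuthenticationSuccessHandler jwtSuccessHandler() {
        return (request, response, authentication) -> {
            OAuth2User principal = (OAuth2User) authentication.getPrincipal();
            String jwt = Jwts.builder().setSubject(principal.getName())
                    .claim("details", principal.getAttributes())   // what /me reads back from the token
                    .setExpiration(new Date(System.currentTimeMillis() + 15 * 60_000L))
                    .signWith(Keys.hmacShaKeyFor(secret.getBytes()), SignatureAlgorithm.HS256).compact();
            response.sendRedirect(UriComponentsBuilder.fromUriString(frontendUrl)
                    .queryParam("token", jwt).build().toUriString());
        };
    }
}
```

A token carried in the redirect URL ends up in browser history and referrer logs, which is why it is kept short-lived here; the /me endpoint then validates the signature and reads the "details" claim instead of consulting a session.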
