Spring OAuth2.0: Getting User Roles based on ClientId (Authorization Code Grant Type)

Question

I have a setup of spring boot OAuth for AuthServer and it is resposible for serving a number of few resource server for authentication using spring-security-jwt. My problem is while authenticating I need to load the roles of a user but specific to the clientId. eg: If user1 have roles ROLE_A, ROLE_B for client1 and ROLE_C, ROLE_D for client2, then when the user logins either using client1 or client2 he is able to see all the four roles ie. ROLE_A, ROLE_B, ROLE_C, ROLE_D because I am getting roles based on username. If I need to have a role based on the client then I need clientId. FYI, I am using the authorization code flow for authentication. I have seen similar question but that is based on password grant but I am trying on authorization code flow and that solution doesn't work for me. Password grant question link

Below is my code where I need clientId
MyAuthenticationProvider.java

@Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
        String userName = ((String) authentication.getPrincipal()).toLowerCase();
        String password = (String) authentication.getCredentials();
        String clientId = ? // how to get it
        ....
    }
}

MyUserDetailsService.java

@Override
    public UserDetails loadUserByUsername(String username) {
        String clientId = ? // how to get it 
        ....
    }
}

Answer 1

get authorization header from request then parse from base64 to get the client-id.

something like this:

        HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder
.getRequestAttributes())
.getRequest();
String authHeader = request
.getHeader("Authorization");

Answer 2

Since I didn't get any appropriate solution for my question, I am posting the solution that I used after digging source code and research.
MyJwtAccessTokenConverter.java (Extend JwtAccessTokenConverter and implement enhance method)

public class OAuthServerJwtAccessTokenConverter extends JwtAccessTokenConverter {
....
    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
    String clientId = authentication.getOAuth2Request().getClientId();
    // principal can be string or UserDetails based on whether we are generating access token or refreshing access token
    Object principal = authentication.getUserAuthentication().getPrincipal();
    ....
    }
....
}

Info:
In enhance method, we will get clientId from authentication.getOAuth2Request() and userDetails/user_name from authentication.getUserAuthentication().
Along with JwtAccessTokenConverter, AuthenticationProvider and UserDetailsService are required for authentication in generating access token step and refresh token step respectively.

Answer 3

You probably need to see OAuth2Authentication in Spring-security. When your client is authenticated by oauth2, then your "authentication" is actually instance of OAuth2Authentication that eventually implements Authentication.

If you see the implementation of OAuth2Authentication, it's done as below;

    public Object getPrincipal() {
       return this.userAuthentication == null ? this.storedRequest.getClientId() : this.userAuthentication
            .getPrincipal();
    }

so if request included "clientId', then you should be able to get clientId by calling getPrincipal() and typecasting to String as long as your request didn't include user authentication.

For your 2nd case, username is actually considered as clientId. You need to call in-memory, RDBMS, or whatever implementation that has clientId stored and returns ClientDetails. You'll be able to have some idea by looking into Spring security's ClientDetailsUserDetailsService class.