Reputation: 194
Our app is currently set up with OAuth/OpenID Connect authentication against an external (third-party) server. The requirement is to use a user details service that loads the user from LDAP (along with the authorities/roles) to complete the authentication. So authentication.getPrincipal() should return the custom UserDetails object we use, which is generated by querying LDAP with the username obtained from the OpenID authentication.
I have tried the following:
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class OAuth2Config extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // userDetailsService() registers a UserDetailsService with the AuthenticationManager
        // (used by DaoAuthenticationProvider); the oauth2Login() providers never consult it.
        http.oauth2Login().and().userDetailsService(myCustomUserDetailsService());
    }
}
where myCustomUserDetailsService() handles the call to LDAP and fetches the user details info, including the authorities.
I'm not too familiar with the Spring OAuth2 framework, so correct me if I'm wrong: I'm guessing I need to implement my own user info endpoint that makes the call to LDAP, rather than use the user info endpoint provided to me by the OpenID service?
Upvotes: 1
Views: 812
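An added example, not code from the question or from either answer, of the hook Spring Security 5 provides for exactly this case: oauth2Login().userInfoEndpoint().oidcUserService(...) accepts a custom OAuth2UserService that wraps the stock OidcUserService, looks the user up in LDAP, and returns a principal that is both the OidcUser Spring built and the application's UserDetails. The IdP's user info endpoint is still used; nothing is replaced, only post-processed, so authentication.getPrincipal() is an LDAP-backed UserDetails without a second filter or a post-login swap. The injected UserDetailsService bean, the preferred_username claim and the OAuth2Error codes are assumptions.

```java
// Added example (not the question's or answers' code). Assumes Spring Security 5.x and
// a UserDetailsService bean that queries LDAP (the asker's myCustomUserDetailsService).
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

@Configuration
public class OAuth2Config extends WebSecurityConfigurerAdapter {

    // Assumed: the asker's LDAP-backed UserDetailsService, injected as a bean.
    private final UserDetailsService ldapUserDetailsService;

    public OAuth2Config(UserDetailsService ldapUserDetailsService) {
        this.ldapUserDetailsService = ldapUserDetailsService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().authenticated()
            .and()
            .oauth2Login()
                .userInfoEndpoint()
                    // The IdP's user info endpoint is still called; this wraps its result.
                    .oidcUserService(ldapBackedOidcUserService());
    }

    private OAuth2UserService<OidcUserRequest, OidcUser> ldapBackedOidcUserService() {
        OidcUserService delegate = new OidcUserService();
        return userRequest -> {
            // 1. Let Spring validate the ID token and fetch UserInfo as it normally would.
            OidcUser oidcUser = delegate.loadUser(userRequest);

            // 2. Pick the username claim (preferred_username is an assumption; use the
            //    claim the IdP guarantees to be stable and unique for your tenant).
            String username = oidcUser.getPreferredUsername();
            if (username == null || username.isEmpty()) {
                throw new OAuth2AuthenticationException(
                        new OAuth2Error("missing_username_claim"), "no preferred_username in token");
            }

            // 3. Load the account from LDAP. A user the IdP knows but LDAP does not must
            //    fail closed rather than log in with an empty authority set.
            UserDetails ldapUser;
            try {
                ldapUser = ldapUserDetailsService.loadUserByUsername(username);
            } catch (UsernameNotFoundException e) {
                throw new OAuth2AuthenticationException(
                        new OAuth2Error("user_not_provisioned"), e.getMessage(), e);
            }
            if (!ldapUser.isEnabled() || !ldapUser.isAccountNonLocked()) {
                throw new OAuth2AuthenticationException(
                        new OAuth2Error("account_unavailable"), "LDAP account disabled or locked");
            }

            // 4. Authorities come from LDAP only; the SCOPE_* authorities Spring derived
            //    from the IdP are dropped so role checks never rest on third-party claims.
            return new LdapBackedOidcUser(ldapUser, oidcUser);
        };
    }
}

/** Principal that is both the OidcUser Spring produced and the UserDetails the app expects. */
class LdapBackedOidcUser extends DefaultOidcUser implements UserDetails {

    private final UserDetails ldapUser;

    LdapBackedOidcUser(UserDetails ldapUser, OidcUser oidcUser) {
        // The name attribute must exist among the claims; step 2 above guarantees it.
        super(ldapUser.getAuthorities(), oidcUser.getIdToken(), oidcUser.getUserInfo(),
                "preferred_username");
        this.ldapUser = ldapUser;
    }

    @Override public String getUsername() { return ldapUser.getUsername(); }
    @Override public String getPassword() { return null; } // no local credential: login is delegated
    @Override public boolean isAccountNonExpired() { return ldapUser.isAccountNonExpired(); }
    @Override public boolean isAccountNonLocked() { return ldapUser.isAccountNonLocked(); }
    @Override public boolean isCredentialsNonExpired() { return ldapUser.isCredentialsNonExpired(); }
    @Override public boolean isEnabled() { return ldapUser.isEnabled(); }
}
```

Because the returned principal still implements OidcUser, the authentication stays an OAuth2AuthenticationToken, so OIDC RP-initiated logout and OAuth2AuthorizedClient lookups keep working, while controllers can cast getPrincipal() to UserDetails. Any exception thrown from the user service surfaces as a login failure (the failure handler runs), which is the correct fail-closed behaviour when LDAP is unreachable or the account is missing. The wrapped UserDetails must be Serializable for the session to store it.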
Reputation: 67
You could add a new filter to the security filter chain right after that one. The second filter could retrieve the principal/name from the authentication and query for the user.
Like a two-step authentication.
Upvotes: 1
Reputation: 194
Not as clean as I hoped, but I registered an application listener on InteractiveAuthenticationSuccessEvent and manually updated the authentication after login (similar to the answer in this post: https://stackoverflow.com/a/10747856/11204609).
If anyone has better suggestions?
UPDATE: The identity provider agreed to include the LDAP info in their claims, so I can obtain it directly from the token without having to do a callback (still an ongoing discussion at the moment). That being said, having an auth success callback app listener is the only way I could solve the problem.
Upvotes: 0
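An added example of the listener approach the poster describes, written here rather than taken from their code, with the two checks a practitioner would want around it: it only touches OIDC logins, and it wipes the already-populated SecurityContext when the LDAP lookup fails. It assumes Spring Security 5.x, where SecurityContextPersistenceFilter writes whatever is in the SecurityContext to the session at the end of the request, an LDAP-backed UserDetailsService bean, and a preferred_username claim.

```java
// Added example of the InteractiveAuthenticationSuccessEvent listener approach; not the
// poster's code. Assumes Spring Security 5.x and an LDAP-backed UserDetailsService bean.
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.stereotype.Component;

@Component
public class LdapPrincipalListener implements ApplicationListener<InteractiveAuthenticationSuccessEvent> {

    private final UserDetailsService ldapUserDetailsService; // assumed LDAP-backed bean

    public LdapPrincipalListener(UserDetailsService ldapUserDetailsService) {
        this.ldapUserDetailsService = ldapUserDetailsService;
    }

    @Override
    public void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        // Only OIDC logins need the swap; leave every other authentication type alone.
        if (!(auth instanceof OAuth2AuthenticationToken) || !(auth.getPrincipal() instanceof OidcUser)) {
            return;
        }
        OidcUser oidcUser = (OidcUser) auth.getPrincipal();
        String username = oidcUser.getPreferredUsername(); // claim name is an assumption

        UserDetails ldapUser;
        try {
            if (username == null || username.isEmpty()) {
                throw new UsernameNotFoundException("token carries no preferred_username claim");
            }
            ldapUser = ldapUserDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // By the time this event fires the OIDC authentication is already in the
            // SecurityContext, so a failure here must wipe it; otherwise the session
            // stays logged in with the IdP's SCOPE_* authorities and no LDAP roles.
            SecurityContextHolder.clearContext();
            throw new BadCredentialsException("OIDC user is not provisioned in LDAP", e);
        }

        // Replace the OAuth2AuthenticationToken with a token whose principal is the LDAP
        // UserDetails and whose authorities come only from LDAP. The three-argument
        // constructor marks the token as authenticated.
        UsernamePasswordAuthenticationToken swapped = new UsernamePasswordAuthenticationToken(
                ldapUser, null, ldapUser.getAuthorities());
        swapped.setDetails(auth.getDetails());
        SecurityContextHolder.getContext().setAuthentication(swapped);
    }
}
```

Two caveats follow from doing the swap after the login filter has finished. The exception on the failure path propagates out of the login filter, so the user sees an error response rather than the login failure handler; and because the replacement token is no longer an OAuth2AuthenticationToken, anything that needs one (OIDC RP-initiated logout with an id_token_hint, or resolving the client registration for an OAuth2AuthorizedClient) stops working. In Spring Security 6, AbstractAuthenticationProcessingFilter saves the SecurityContext to the SecurityContextRepository before publishing this event, so the listener would additionally have to save the swapped context itself or the change is lost on the next request.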