Lajtovo

Reputation: 115

Can I use both introspection server and local check for authorize token? Spring Boot - Security

I want to

  1. introspect JWT token on remote server
  2. and then check locally if scope/aud/iss/exp are correct

How can this be done most easily in Spring Boot?

As I understand it, the first case is something similar to the opaqueToken functionality (but I have a normal JWT) and the second case is more like using jwt.

Spring Security only supports JWTs or Opaque Tokens, not both at the same time.

If I use opaqueToken, then validation on the remote server is done without any effort (even if that's a JWT):

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
            .authorizeHttpRequests(authorize -> authorize
                    // scope check is done locally on the SCOPE_ authorities built from the introspection response
                    .mvcMatchers("/api/**").hasAuthority("SCOPE_" + scope)
                    .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2
                    // every request is sent to the introspection endpoint; no local token parsing
                    .opaqueToken(opaque -> opaque
                            .introspectionUri(this.introspectionUri)
                            .introspectionClientCredentials(this.clientId, this.clientSecret)
                    ));
    return http.build();
}

I have scope verified. Now I want to check iss, aud, exp. Is that doable with opaqueToken?

Or should I use jwt auth instead?

IMHO an opaqueToken can be a JWT, so now the question is how to verify and inspect it locally after remote introspection?

It's kind of a hybrid of two different approaches, but hopefully you know a simple way to do it.

Upvotes: 1

Views: 1416

Answers (1)

Lajtovo

Reputation: 115

Ok, I think I have my answer. I created my own introspector which implements OpaqueTokenIntrospector:

import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

public class JwtOpaqueTokenIntrospector implements OpaqueTokenIntrospector {

    // the built-in introspector does the remote call; this class wraps it
    private final OpaqueTokenIntrospector delegate =
            new NimbusOpaqueTokenIntrospector(
                    "introspect-url",
                    "client-id",
                    "client-secret"
            );

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        // remote introspection first (throws if the token is not active)
        OAuth2AuthenticatedPrincipal introspected = this.delegate.introspect(token);
        // SOME LOGIC
        return introspected;
    }
}

and I added it as a @Bean

    @Bean
    public OpaqueTokenIntrospector tokenIntrospector() {
        // the opaqueToken() DSL picks this bean up instead of building its own introspector
        return new JwtOpaqueTokenIntrospector();
    }

Upvotes: 1
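One way to fill in the "SOME LOGIC" step, as an added example rather than the answer's own code: after the remote introspection, decode the same token locally with a NimbusJwtDecoder whose validator enforces iss, aud and exp/nbf, so a token the authorization server still reports as active is also rejected when its claims do not match this resource server. The ISSUER, AUDIENCE and JWKS_URI values are hypothetical placeholders, as are the "introspect-url"/"client-id"/"client-secret" strings taken from the answer.

```java
import java.util.List;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

public class IntrospectThenValidateLocally implements OpaqueTokenIntrospector {

    // Placeholder values (hypothetical); use your authorization server's real ones.
    private static final String ISSUER = "https://issuer.example";
    private static final String AUDIENCE = "my-api";
    private static final String JWKS_URI = ISSUER + "/.well-known/jwks.json";

    private final OpaqueTokenIntrospector remote =
            new NimbusOpaqueTokenIntrospector("introspect-url", "client-id", "client-secret");
    private final JwtDecoder local;

    public IntrospectThenValidateLocally() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();
        // createDefaultWithIssuer checks exp/nbf and iss; aud needs its own claim validator
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        this.local = decoder;
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        // 1. Remote: the authorization server confirms the token is active (rejects revoked ones).
        OAuth2AuthenticatedPrincipal principal = this.remote.introspect(token);
        // 2. Local: verify the signature against the JWKS and check iss, aud, exp/nbf.
        try {
            Jwt jwt = this.local.decode(token);
        } catch (JwtException ex) {
            // surfaces as a 401 like any other failed introspection
            throw new BadOpaqueTokenException("local JWT validation failed: " + ex.getMessage());
        }
        return principal;
    }
}
```

Register it as the OpaqueTokenIntrospector bean exactly as in the answer; note that every request still pays for one introspection round trip, the local decode only adds the claim checks on top.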
