Reputation: 3
I would like to customize the access token based on the authorization code which is sent in the token endpoint request.
I am doing this as per the Spring Boot OAuth2 documentation (Token customisation).
Specifically, I’m customizing the Access token using an OAuth2TokenCustomizer and need access to the authorization_code sent as part of the /token endpoint call.
Here is the situation:
Current Implementation: Easiest way (get it from request parameter)
Inject HttpServletRequest into the CustomTokenGenerator class and access the authorization code from the request parameter, as shown below:
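```java
import jakarta.servlet.http.HttpServletRequest;
import lombok.RequiredArgsConstructor;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.stereotype.Component;

@Component
@RequiredArgsConstructor
public class TokenCustomizer implements OAuth2TokenCustomizer<JwtEncodingContext> {

    // Injected by Spring through the Lombok-generated constructor
    private final HttpServletRequest httpServletRequest;

    @Override
    public void customize(JwtEncodingContext context) {
        // Only access tokens are customized; other token types pass through unchanged
        if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
            // get it from parameter
            String authorizationCode = httpServletRequest.getParameter("code");
            if (authorizationCode != null) {
                context.getClaims().claim("userName", "John Doe");
            }
        }
    }
}
```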
Other approach (custom request filter implementation)
Create a custom OncePerRequestFilter, get the request parameter, and set it as the attribute "authCode".
Then, in the TokenCustomizer, use getAttribute() instead of getParameter().
My questions:
Any advice, references, or examples would be greatly appreciated!
Upvotes: 0
Views: 46
Reputation: 52646
- Which of these approaches aligns better with best practices in Spring Security or Java EE? (mostly with regard to parameter and attribute)
Use custom claim key-value pairs, which are like what you called an attribute: https://docs.spring.io/spring-authorization-server/reference/guides/how-to-custom-claims-authorities.html#custom-claims
- Is there any performance or architectural trade-off in using attributes versus parameters?
There is no official document about using parameters, so there is no need to think about the trade-off here.
- Are there official references or guidelines that justify one approach over the other?
There is no official document about using parameters. Use this approach: https://docs.spring.io/spring-authorization-server/reference/guides/how-to-custom-claims-authorities.html#custom-claims
Upvotes: 0
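A third way to reach the code, as an added example that is not part of the question or the answer above: read it from the grant object that `JwtEncodingContext` already carries, so the customizer depends on neither `HttpServletRequest` nor a filter. It assumes Spring Authorization Server 1.x on Java 17; `CodeAttributes` is a hypothetical application interface, not a Spring type.

```java
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
import org.springframework.stereotype.Component;

@Component
public class GrantAwareTokenCustomizer implements OAuth2TokenCustomizer<JwtEncodingContext> {

    /** Hypothetical lookup of data the application stored against a code. */
    public interface CodeAttributes {
        String userNameFor(String authorizationCode);
    }

    private final CodeAttributes codeAttributes;

    public GrantAwareTokenCustomizer(CodeAttributes codeAttributes) {
        this.codeAttributes = codeAttributes;
    }

    @Override
    public void customize(JwtEncodingContext context) {
        // refresh_token and client_credentials requests carry no code, so only
        // access tokens issued for the authorization_code grant are touched.
        if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())
                || !AuthorizationGrantType.AUTHORIZATION_CODE.equals(context.getAuthorizationGrantType())) {
            return;
        }
        // The grant is the token request the framework parsed for this call.
        Authentication grant = context.getAuthorizationGrant();
        if (!(grant instanceof OAuth2AuthorizationCodeAuthenticationToken codeGrant)) {
            return;
        }
        // The code is a single-use credential: use it as a lookup key only and
        // keep it out of token claims and log statements.
        String userName = codeAttributes.userNameFor(codeGrant.getCode());
        if (userName != null) {
            context.getClaims().claim("userName", userName);
        }
    }
}
```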