
Conversation

@gourav gourav commented Feb 19, 2022

Closes gh-493

gourav commented Feb 19, 2022

Hi @jgrandja
It is ready for your review.

This is my first time contributing. Please let me know the changes required. I will do them right away.

@spring-projects-issues added the "status: waiting-for-triage" (an issue we've not yet triaged) label Feb 19, 2022
jgrandja (Collaborator) commented

Apologies @gourav, as I have led you down the wrong path with my comment:

We need the capability to customize the default claims initialized by withActiveTokenClaims().

Take a look at OidcUserInfoAuthenticationProvider.setUserInfoMapper() for inspiration, as the implementation might be similar. For example, we could create a new class OAuth2TokenIntrospectionAuthenticationContext that provides a getter for accessing OAuth2TokenIntrospection.Builder, allowing to customize the claims before build() is called.

There are 2 changes that are required.

  1. The OAuth2TokenIntrospectionAuthenticationProvider.withActiveTokenClaims() initializes the standard claims as defined in the spec; however, it does not include any other claims that may be available in authorizedToken.getClaims(). For example, if an application configured an OAuth2TokenCustomizer which added custom claims to the Jwt claim set, then these would not be included in OAuth2TokenIntrospection. So we need to update this method to include ALL claims available in authorizedToken.getClaims(), e.g. OAuth2TokenIntrospection.withClaims(authorizedToken.getClaims())

  2. We need to add the customization hooks, which will be very similar to the hooks that were recently added for Token Revocation in "Allow Token Revocation to be customized" (#476). Take a look at the commits a846e93 and 4d5b288 and apply similar changes.

@jgrandja jgrandja self-assigned this Feb 25, 2022
@jgrandja jgrandja added the "type: enhancement" (a general enhancement) label and removed the "status: waiting-for-triage" (an issue we've not yet triaged) label Feb 25, 2022
@jgrandja jgrandja added this to the 0.2.3 milestone Feb 25, 2022
@jgrandja jgrandja added the "status: duplicate" (a duplicate of another issue) label Feb 25, 2022
gourav commented Mar 2, 2022

Hi @jgrandja. I am pretty sure that I did not understand your comment properly. So, no apologies required. :)
Let me get it updated as per the suggestion.

gourav commented Mar 3, 2022

Hi @jgrandja
What would these hooks be configuring?
As per your suggestion, I can simply add OAuth2TokenIntrospection.withClaims(authorizedToken.getClaims()) to add all claims available in authorizedToken.getClaims().

What would the hook be customising, as I believe all configuration is already present in the context?
Or is it for customising the Function<OAuth2TokenIntrospectionAuthenticationContext, OAuth2TokenIntrospection> activeClaimsMapper that would be introduced by the current state of this pull request?

jgrandja commented Mar 3, 2022

@gourav

Or is it for customising the Function<OAuth2TokenIntrospectionAuthenticationContext, OAuth2TokenIntrospection> activeClaimsMapper that would be introduced by the current state of this pull request?

Please ignore my comment regarding activeClaimsMapper as this is not needed.

What would these hooks be configuring?

There are use cases where an application needs to customize the request and/or response for a specific protocol flow. For example, an application may want to add a custom parameter in the access token response. How would they do that? They would supply a custom OAuth2TokenEndpointFilter.setAuthenticationSuccessHandler() to customize the response using OAuth2AccessTokenResponseHttpMessageConverter.

The same applies for the token request. For example, a custom parameter may be needed and therefore the application can supply OAuth2TokenEndpointFilter.setAuthenticationConverter() to read the custom parameter so it's carried through to the AuthenticationProvider.

We need the same customization capabilities for token introspection. For example, an application may not want to return all the claims in OAuth2TokenIntrospection.withClaims(authorizedToken.getClaims()) and possibly filter out one or more claims via OAuth2TokenIntrospectionEndpointFilter.setAuthenticationSuccessHandler() using OAuth2TokenIntrospectionHttpMessageConverter to customize the response.

Please review the code for OAuth2TokenEndpointConfigurer and OAuth2TokenRevocationEndpointConfigurer and see how all the components work together and ultimately allow for complete customization of request and response.
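One way to supply the introspection hook described in this comment, together with the withClaims() change from the earlier comment, as an added example that is not the PR's or the project's own code: a success handler for OAuth2TokenIntrospectionEndpointFilter.setAuthenticationSuccessHandler() that drops claims not on an allow-list before OAuth2TokenIntrospectionHttpMessageConverter writes the response. The class name and the allow-list are assumptions, and getTokenClaims() plus builder(boolean) are assumed to match the 0.2.x API.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.http.MediaType;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenIntrospection;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenIntrospectionAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.http.converter.OAuth2TokenIntrospectionHttpMessageConverter;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

// Illustrative handler (class name and allow-list are assumptions): registered via
// OAuth2TokenIntrospectionEndpointFilter.setAuthenticationSuccessHandler(), it writes the
// introspection response but drops every claim not on the allow-list, so custom claims that an
// OAuth2TokenCustomizer put into the JWT are not disclosed to every caller of the endpoint.
public class AllowListIntrospectionSuccessHandler implements AuthenticationSuccessHandler {

	// RFC 7662 standard claims the response is allowed to carry.
	private static final Set<String> ALLOWED_CLAIMS = Set.of("active", "scope", "client_id",
			"token_type", "exp", "iat", "nbf", "sub", "aud", "iss", "jti");

	private final OAuth2TokenIntrospectionHttpMessageConverter converter =
			new OAuth2TokenIntrospectionHttpMessageConverter();

	@Override
	public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
			Authentication authentication) throws IOException {
		// The provider's result: getTokenClaims() holds every claim from authorizedToken.getClaims()
		OAuth2TokenIntrospection claims =
				((OAuth2TokenIntrospectionAuthenticationToken) authentication).getTokenClaims();
		OAuth2TokenIntrospection filtered;
		if (!claims.isActive()) {
			// An inactive or unknown token is reported as active=false and nothing else.
			filtered = OAuth2TokenIntrospection.builder(false).build();
		}
		else {
			Map<String, Object> kept = new LinkedHashMap<>();
			claims.getClaims().forEach((name, value) -> {
				if (ALLOWED_CLAIMS.contains(name)) kept.put(name, value);
			});
			filtered = OAuth2TokenIntrospection.withClaims(kept).build();
		}
		this.converter.write(filtered, MediaType.APPLICATION_JSON, new ServletServerHttpResponse(response));
	}
}
```

The same handler can be passed to the introspection endpoint configurer once the hooks from this PR exist; an application that needs the custom claims for a trusted resource server can instead branch on the client principal in the token before filtering.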

@gourav gourav marked this pull request as draft March 7, 2022 17:47
Closes gh-493

Adds custom claims to token introspection response.

Allow Token Introspection to be customized

Closes gh-493
@gourav gourav marked this pull request as ready for review March 14, 2022 19:30
gourav commented Mar 14, 2022

Hi @jgrandja
This is ready for your review. :)

jgrandja added a commit that referenced this pull request Mar 24, 2022
jgrandja (Collaborator) commented

Apologies for the delay @gourav. I've been quite busy with some priority tasks for the 0.2.3 release.

I came back to this yesterday and there were quite a few changes still needed before we can merge.
I'd like to include this in the 0.2.3 release so I went ahead and applied a polish commit.

Please review all the changes and let me know if you have any questions. Thanks.

@jgrandja jgrandja closed this Mar 24, 2022
gourav commented Mar 24, 2022

Changes seem good to me. :)
Please let me know if there is any other issue I can take on.

doba16 pushed a commit to doba16/spring-authorization-server that referenced this pull request Apr 21, 2023