can I include user information while issuing an access token?

by

You will need to implement a custom TokenEnhancer like so:

public class CustomTokenEnhancer implements TokenEnhancer {

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        User user = (User) authentication.getPrincipal();
        final Map<String, Object> additionalInfo = new HashMap<>();

        additionalInfo.put("customInfo", "some_stuff_here");
        additionalInfo.put("authorities", user.getAuthorities());

        ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);

        return accessToken;
    }

}

and add it to your AuthorizationServerConfigurerAdapter as a bean with the corresponding setters

@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    // Some autowired stuff here

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // @formatter:off
        endpoints
            // ...
            .tokenEnhancer(tokenEnhancer());
        // @formatter:on
    }

    @Bean
    @Primary
    public AuthorizationServerTokenServices tokenServices() {
        DefaultTokenServices tokenServices = new DefaultTokenServices();
        // ...
        tokenServices.setTokenEnhancer(tokenEnhancer());
        return tokenServices;
    }

    // Some @Bean here like tokenStore

    @Bean
    public TokenEnhancer tokenEnhancer() {
        return new CustomTokenEnhancer();
    }

}

then in a controller (for example)

@RestController
public class MyController {

    @Autowired
    private AuthorizationServerTokenServices tokenServices;

    @RequestMapping(value = "/getSomething", method = RequestMethod.GET)
    public String getSection(OAuth2Authentication authentication) {
        Map<String, Object> additionalInfo = tokenServices.getAccessToken(authentication).getAdditionalInformation();

        String customInfo = (String) additionalInfo.get("customInfo");
        Collection<? extends GrantedAuthority> authorities = (Collection<? extends GrantedAuthority>) additionalInfo.get("authorities");

        // Play with authorities

        return customInfo;
    }

}

I’m personnaly using a JDBC TokenStore so my “Some autowired stuff here” are corresponding to some @Autowired Datasource, PasswordEncoder and what not.

Hope this helped!

More Related Contents:

  1. How to allow a User only access their own data in Spring Boot / Spring Security?
  2. Spring Boot Security CORS
  3. Handle spring security authentication exceptions with @ExceptionHandler
  4. How Spring Security Filter Chain works
  5. How to pass an additional parameter with spring security login page
  6. Spring Security redirect to previous page after successful login
  7. How can I have list of all users logged in (via spring security) my web application
  8. How to write a custom filter in spring security?
  9. JSON Web Token (JWT) with Spring based SockJS / STOMP Web Socket
  10. Spring Security configuration: HTTP 403 error
  11. How to manually log out a user with spring security?
  12. Prevent Spring Boot from registering a servlet filter
  13. How to set up Spring Security SecurityContextHolder strategy?
  14. How do I remove the ROLE_ prefix from Spring Security with JavaConfig?
  15. Spring + Web MVC: dispatcher-servlet.xml vs. applicationContext.xml (plus shared security)
  16. How to get custom user info from OAuth2 authorization server /user endpoint
  17. getting exception: No bean named ‘springSecurityFilterChain’ is defined
  18. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  19. antMatchers that matches any beginning of path
  20. Combining basic authentication and form login for the same REST Api
  21. Multiple antMatchers in Spring security
  22. An Authentication object was not found in the SecurityContext – Spring 3.2.2
  23. Spring Security 3.2 CSRF disable for specific URLs
  24. Spring Boot with embedded Tomcat behind Apache proxy
  25. How to use Spring AbstractRoutingDataSource with dynamic datasources?
  26. With Spring Security 3.2.0.RELEASE, how can I get the CSRF token in a page that is purely HTML with no tag libs
  27. Spring security 4 custom login j_spring_security_check return http 302
  28. Is it possible to invalidate a spring security session?
  29. How to apply Spring Data projections in a Spring MVC controllers?
  30. Custom Authentication provider with Spring Security and Java Config

Leave a Comment