
Allow R2dbcReactiveOAuth2AuthorizedClientService to save scope when JWT has custom attribute for scopes #13258

Closed
tvogel8570 opened this issue Jun 1, 2023 · 3 comments
Assignees
Labels
for: stackoverflow A question that's better suited to stackoverflow.com in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)

Comments

@tvogel8570

tvogel8570 commented Jun 1, 2023

Expected Behavior
When an Authorization Server returns an access token with a custom attribute for scope, the value stored in the database column oauth2_authorized_client.access_token_scopes contains the scope(s) in the access token.

Current Behavior
When an Authorization Server returns an access token with a custom attribute for scope (e.g. "scp": "read_notifications.v1"), the value stored in the database column oauth2_authorized_client.access_token_scopes is null.

Context
The application I am developing has different scopes based on the features enabled. I need to be able to query oauth2_authorized_client on the access_token_scopes column to find a match so that I use the proper access token. However, that column is empty because the third-party Authorization Server returns an access token with the attribute "scp": for scopes.

The Spring ResourceServer DSL has jwtAuthenticationConverter(). Something similar would be ideal as it happens upstream from all OAuth2AuthorizedClient behavior.

The only alternative I have thought of to date is to modify the schema for oauth2_authorized_client to include a generated primary key and then create a separate table with the scopes with a link to the generated primary key. I would have to figure out how to call the logic to populate this table.
I considered GrantedAuthoritiesMapper but I "think" it is too late in the flow, i.e. the row has already been written by the time it would be called.

A workaround might be to subclass R2dbcReactiveOAuth2AuthorizedClientService with a custom OAuth2AuthorizedClientParametersMapper.

@tvogel8570 tvogel8570 added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jun 1, 2023
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Jul 3, 2023
@sjohnr
Member

sjohnr commented Jul 5, 2023

Hi @tvogel8570, thanks for reaching out! I see two things in your issue:

  1. A question about how to properly configure OAuth2 Client support to parse and save the scp attribute in an OAuth2 Access Token Response.
  2. An enhancement suggestion of a way to easily configure handling the scp attribute for all clients.

Regarding 1, please see Customizing the Access Token Response and the existing OAuth2BodyExtractors class. Note that this has little to do with R2dbcReactiveOAuth2AuthorizedClientService, which is only used for persisting the result.

For 2, we're currently working on gh-11783 (and more specifically gh-13288) which I'm hoping will provide an easy way of customizing the entire chain of components required to make and handle token requests. While it is currently possible today (see docs), an easier way to customize the access token response (via a BodyExtractor) will be part of that solution.

Does that help? Does it feel like I've understood your request(s) correctly?
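One way to do what point 1 above describes, and what the reporter's "scp" case needs: this added Java example (not code from the issue or from Spring Security itself) wraps OAuth2BodyExtractors.oauth2AccessTokenResponse() and fills in the response scopes from the JWT's scp claim, so the OAuth2AuthorizedClient that R2dbcReactiveOAuth2AuthorizedClientService persists carries scopes in access_token_scopes. It assumes a reactive client-credentials flow and that Nimbus JOSE+JWT (JWTParser) is on the classpath; the class name ScpClaimTokenResponseClient is invented for the example.

```java
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import com.nimbusds.jwt.JWTParser;
import org.springframework.http.ReactiveHttpInputMessage;
import org.springframework.security.oauth2.client.endpoint.WebClientReactiveClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.web.reactive.function.OAuth2BodyExtractors;
import org.springframework.web.reactive.function.BodyExtractor;
import reactor.core.publisher.Mono;

/** Added example, not Spring Security code: maps a custom "scp" JWT claim onto the response scopes. */
public final class ScpClaimTokenResponseClient {
    private ScpClaimTokenResponseClient() {}

    /** Builds the client; pass it to ClientCredentialsReactiveOAuth2AuthorizedClientProvider.setAccessTokenResponseClient(). */
    public static WebClientReactiveClientCredentialsTokenResponseClient create() {
        WebClientReactiveClientCredentialsTokenResponseClient client =
                new WebClientReactiveClientCredentialsTokenResponseClient();
        BodyExtractor<Mono<OAuth2AccessTokenResponse>, ReactiveHttpInputMessage> delegate =
                OAuth2BodyExtractors.oauth2AccessTokenResponse();
        // Keep the standard token-response parsing and post-process its result.
        client.setBodyExtractor((message, context) ->
                delegate.extract(message, context).map(ScpClaimTokenResponseClient::withScpScopes));
        return client;
    }

    /** Leaves a response with a standard "scope" parameter alone; otherwise copies it with scopes from "scp". */
    static OAuth2AccessTokenResponse withScpScopes(OAuth2AccessTokenResponse response) {
        if (!response.getAccessToken().getScopes().isEmpty()) return response;
        Set<String> scopes = readScpClaim(response.getAccessToken().getTokenValue());
        return scopes.isEmpty() ? response
                : OAuth2AccessTokenResponse.withResponse(response).scopes(scopes).build();
    }

    /** Reads "scp" as a JSON array or a space-delimited string. The token was just received from the
     *  token endpoint itself and the claim only feeds persistence/lookup, so no signature check is done here. */
    static Set<String> readScpClaim(String tokenValue) {
        try {
            Object scp = JWTParser.parse(tokenValue).getJWTClaimsSet().getClaim("scp");
            Collection<?> values = (scp instanceof Collection<?>) ? (Collection<?>) scp
                    : (scp instanceof String && !((String) scp).isBlank())
                            ? Arrays.asList(((String) scp).trim().split("\\s+"))
                            : Collections.emptyList();
            Set<String> out = new LinkedHashSet<>();
            for (Object v : values) out.add(String.valueOf(v));
            return out;
        } catch (ParseException ex) {
            return Collections.emptySet(); // opaque (non-JWT) token: nothing to map
        }
    }
}
```

Because the mapping happens in the token response client, it runs before ReactiveOAuth2AuthorizedClientManager hands the OAuth2AuthorizedClient to the service, which is the "upstream" point the reporter asked for.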

@sjohnr sjohnr added the status: waiting-for-feedback We need additional information before we can continue label Jul 5, 2023
@spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Jul 12, 2023
@spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

@spring-projects-issues spring-projects-issues closed this as not planned Won't fix, can't repro, duplicate, stale Jul 19, 2023
@spring-projects-issues spring-projects-issues removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue labels Jul 19, 2023
@sjohnr sjohnr added for: stackoverflow A question that's better suited to stackoverflow.com and removed type: enhancement A general enhancement labels Jul 19, 2023