
I'm using Spring Security OAuth2 and the authorization_code type.

The OAuth2 client successfully retrieved an access_token for a user.

Now, the client needs to retrieve user info such as email using the access_token.

However, I'm not able to find a tutorial or example that illustrates how I can do that.

eugene

1 Answer


You have two choices.

  1. Add the user info to the token response by adding extra claims; see "Can I include user information while issuing an access token?"
  2. Implement a userinfo endpoint

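Such as:

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;

import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
@ProcessingController // not a Spring annotation; defined elsewhere in the answerer's code base
@RequestMapping("/identity/userinfo")
public class UserInfoController {

    // Returns the authenticated Principal as-is; Spring serializes the whole object to JSON.
    @RequestMapping(value = "", method = RequestMethod.GET)
    public ResponseEntity<?> userInfo(Principal principal,
                                      HttpServletRequest request) {
        return ResponseEntity.ok(principal);
    }

}
```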

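And make sure you have a resource server that is configured to use OAuth2 at that endpoint:

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
public class ResourceServerConfig {

    // Validates incoming bearer tokens and loads the authentication they represent
    @Autowired
    private ResourceServerTokenServices defaultTokenServices;

    @Bean
    protected ResourceServerConfiguration identityResources() {

        ResourceServerConfiguration resource = new ResourceServerConfiguration() {
            // Switch off the Spring Boot @Autowired configurers
            @Override
            public void setConfigurers(List<ResourceServerConfigurer> configurers) {
                super.setConfigurers(configurers);
            }
        };

        resource.setConfigurers(Arrays.asList(new ResourceServerConfigurerAdapter() {

            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                // ResourceId is an enum from the answerer's own code base
                resources.resourceId(ResourceId.IDENTITY_API.getName())
                        .tokenServices(defaultTokenServices);
            }

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http
                        // This filter chain applies only to /identity/**
                        .requestMatchers()
                        .antMatchers("/identity/**")
                        .and()
                        .authorizeRequests()
                        // The userinfo endpoint requires the ROLE_USER_INFO authority
                        .antMatchers("/identity/userinfo/**").hasAnyAuthority("ROLE_USER_INFO")
                        .anyRequest().authenticated();
            }
        }));
        resource.setOrder(3);
        return resource;
    }

}
```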
Jun Huh
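
A variant of the userinfo endpoint in the answer above that returns an explicit set of fields rather than serializing the whole `Principal`, which for an `OAuth2Authentication` also carries request and token details. This is an added example, not code from the answer; the `ProfileLookup` interface and the `email` scope name are assumptions.

```java
import java.security.Principal;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class MinimalUserInfoController {

    // Hypothetical lookup of profile data held by the authorization server (assumption).
    public interface ProfileLookup { String emailFor(String username); }

    private final ProfileLookup profiles;

    public MinimalUserInfoController(ProfileLookup profiles) {
        this.profiles = profiles;
    }

    @GetMapping("/identity/userinfo")
    public ResponseEntity<Map<String, Object>> userInfo(Principal principal) {
        // Tokens obtained without a user (client_credentials) have no user info to release.
        if (!(principal instanceof OAuth2Authentication)
                || ((OAuth2Authentication) principal).isClientOnly()) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        OAuth2Authentication auth = (OAuth2Authentication) principal;
        Authentication user = auth.getUserAuthentication();

        // Build the response from an allow-list of fields.
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("sub", user.getName());
        claims.put("authorities", user.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority).collect(Collectors.toList()));
        // Release the email only when the token was granted the (assumed) "email" scope.
        if (auth.getOAuth2Request().getScope().contains("email")) {
            claims.put("email", profiles.emailFor(user.getName()));
        }
        return ResponseEntity.ok(claims);
    }
}
```

The client calls this endpoint with the access token in an `Authorization: Bearer` header; the resource server configuration from the answer still decides which tokens may reach it.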