
I have a Spring Boot resource server that authenticates the user by the accessToken extracted from a cookie. The accessToken is retrieved from a Cognito UserPool in a React FE and written to a cookie. It seems Spring managed to authenticate the user and I can see the username in SecurityContextHolder.getContext().authentication.name. I need to retrieve the rest of the user attributes, like email. Most of the solutions I looked up say SecurityContextHolder.getContext().authentication.principal should contain all the attributes I need. It's a string in my case and I can't cast it to any User object. Even SecurityContextHolder.getContext().authentication.details is null. I have user-info-uri defined in my application properties as security.oauth2.resource.user-info-uri. I feel I'm missing something that causes the user attributes to be missing from the authentication context.

This is my resource server security configuration:

import java.util.Collections;

import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;

@Configuration
@EnableResourceServer
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SpringSecurityConfig extends ResourceServerConfigurerAdapter {

    // Bound from the security.oauth2.resource.* properties (jwk.key-set-uri, user-info-uri, ...)
    private final ResourceServerProperties resource;

    public SpringSecurityConfig(ResourceServerProperties resource) {
        this.resource = resource;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // CustomExtractor (not shown here) reads the access token from the cookie
        // instead of the Authorization header.
        resources.tokenExtractor(new CustomExtractor());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // No per-path rules are declared here; the resource server filter alone
        // decides whether a request is authenticated.
        http
                .csrf().disable()
                .authorizeRequests();
    }

    // Enabling Cognito Converter: tokens are verified against the user pool's JWK set
    // and their claims are mapped by CognitoAccessTokenConverter (not shown here).
    @Bean
    public TokenStore jwkTokenStore() {
        return new JwkTokenStore(
                Collections.singletonList(resource.getJwk().getKeySetUri()),
                new CognitoAccessTokenConverter(),
                null);
    }

}
Karim Ibrahim
  • Does this answer your question? [can I include user information while issuing an access token?](https://stackoverflow.com/questions/28492116/can-i-include-user-information-while-issuing-an-access-token) – PaianganuOm Apr 08 '20 at 07:45
  • I want to achieve the same, but in my case I don't own the authorization server. I'm using Cognito UserPools as my authorization server and don't have control over the accessToken generation. All I control here is my resource server. – Karim Ibrahim Apr 08 '20 at 16:43
  • @KarimKenawyIbrahim have you found a solution? – Malena T Oct 30 '20 at 21:18
  • @MalenaT I had to retrieve the user info by the access token using [getUser](https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/cognitoidp/AWSCognitoIdentityProvider.html#getUser-com.amazonaws.services.cognitoidp.model.GetUserRequest-). Our backend runs on EC2 and I added a role in Cognito to allow our EC2s to access the Admin APIs in Cognito, which gave us more control over the user accounts. – Karim Ibrahim Nov 04 '20 at 18:18
  • @MalenaT `getUser` might not need the role though, I believe the app key should be enough. – Karim Ibrahim Nov 04 '20 at 19:40
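The approach the asker settled on in the comments, looking the attributes up with the Cognito GetUser API, written out as an added example; this is not code from the question or from any Cognito or Spring project. A Cognito access token carries `sub`, `username`, `client_id`, `scope` and similar claims but no profile attributes such as `email` (those are in the ID token), which is why the resource server's principal is only a username string. GetUser accepts the end user's own access token and returns that user's attributes, so it needs no admin role; the AWS SDK for Java v1 (`aws-java-sdk-cognitoidp`) with credentials from the default provider chain is assumed, and the cookie name `accessToken` is an assumption taken from the question's description.

```java
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;

import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import com.amazonaws.services.cognitoidp.model.AttributeType;
import com.amazonaws.services.cognitoidp.model.GetUserRequest;
import com.amazonaws.services.cognitoidp.model.GetUserResult;
import com.amazonaws.services.cognitoidp.model.NotAuthorizedException;

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example, not from the original question: fetch Cognito user attributes
// with the caller's own access token via GetUser (AWS SDK for Java v1 assumed).
@Service
public class CognitoUserAttributes {

    // Region and credentials come from the default provider chain (e.g. the EC2 instance role).
    private final AWSCognitoIdentityProvider cognito =
            AWSCognitoIdentityProviderClientBuilder.defaultClient();

    /**
     * Returns the attributes of the user the access token was issued to.
     * Cognito validates the token itself, so an expired, revoked or non-access
     * token is rejected with NotAuthorizedException and mapped to empty.
     */
    public Optional<Map<String, String>> attributesFor(String accessToken) {
        try {
            GetUserResult result = cognito.getUser(
                    new GetUserRequest().withAccessToken(accessToken));
            Map<String, String> attrs = result.getUserAttributes().stream()
                    .collect(Collectors.toMap(AttributeType::getName, AttributeType::getValue));
            attrs.put("username", result.getUsername());
            return Optional.of(attrs);
        } catch (NotAuthorizedException e) {
            return Optional.empty();
        }
    }

    /**
     * Only trust an e-mail address Cognito has verified; an unverified "email"
     * attribute is whatever the user typed at sign-up.
     */
    public Optional<String> verifiedEmail(String accessToken) {
        return attributesFor(accessToken)
                .filter(a -> "true".equals(a.get("email_verified")))
                .map(a -> a.get("email"));
    }
}

// Hypothetical endpoint showing the lookup wired to the same cookie the
// question's CustomExtractor reads; the cookie name is an assumption.
@RestController
class MeController {

    private final CognitoUserAttributes users;

    MeController(CognitoUserAttributes users) {
        this.users = users;
    }

    @GetMapping("/me")
    public ResponseEntity<Map<String, String>> me(@CookieValue("accessToken") String token) {
        return users.attributesFor(token)
                .map(ResponseEntity::ok)
                .orElseGet(() -> ResponseEntity.status(HttpStatus.UNAUTHORIZED).build());
    }
}
```

GetUser is a network round trip per call, so cache the result per token (keyed on the token's `jti` claim or its hash, never on the raw token in a log) if the attributes are read on every request. Because the token lives in a cookie, the browser attaches it to cross-site requests automatically; with `csrf().disable()` in the configuration above, the cookie should at least carry the `SameSite` attribute so that the resource server does not accept state-changing requests a foreign page triggered.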

0 Answers