
I'm using the "client-credentials" grant type for the REST calls that I make from the front-end service to other back-end services. The client-credentials grant type is used among the other back-end services as well. By doing so, I am not able to get who the actual invoker (currently logged-in user) of a request is. Is there a way to inject the authentication and authorization info of the principal into the token that is issued in the client-credentials grant? (User info means the id or details of the user who has the client credentials.) I can add some custom data to the token by using a custom token enhancer. But I couldn't find out how we can get it in the principal (SpringSecurityPrincipal springSecurityPrincipal = (SpringSecurityPrincipal) oAuth2Authentication.getPrincipal();). Normally, in the password flow, we can achieve this by using a custom AuthenticationProvider implementation. Like that, is there any class that I can implement and use to add a custom principal?

Thanks for the help.

1 Answer


You could create a custom UserDetailsService and create a custom Principal according to your requirements. You might pick some ideas from here: Authentication with a Database-backed UserDetailsService

Mario Varchmin

  • That will only work for the password grant type, right? I already have that implementation; the client credentials flow is not passing through that implementation, since some grant types do not require user authentication (our case - client credentials). – Sharun Thomas Mar 25 '21 at 09:44
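One way to carry the invoker into the principal for the client-credentials flow, as an added example that is not from the question, the answer, or Spring Security OAuth itself, and that assumes the spring-security-oauth2 2.x classes named in the thread (TokenEnhancer, OAuth2Authentication, a custom UserDetailsService): on the authorization server a TokenEnhancer copies a hypothetical "on_behalf_of" form parameter from the token request into the token's additional information under the standard "user_name" claim, but only for client-only authentications and only for client ids on an allowlist (both names and the "frontend-service" client id are assumptions for this example); on the resource server, DefaultUserAuthenticationConverter is given the custom UserDetailsService, so the "user_name" claim is resolved through loadUserByUsername and oAuth2Authentication.getPrincipal() returns whatever that service returns (the SpringSecurityPrincipal the question casts to). The security-relevant point is that the authorization server never authenticated this user: it only records an identity asserted by a confidential client, so the allowlist, the client secret, and the JWT signature check on the resource side are what keep an arbitrary client from minting a token for any user it names, and the extra "asserted_by" claim lets the resource side audit which client made the assertion.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.security.oauth2.provider.token.UserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

/**
 * Authorization-server side. Added example, not code from the question or the answer.
 * Assumption: the calling service passes the signed-in user's name as an extra form
 * parameter "on_behalf_of" in its client-credentials token request, and only the client
 * ids in TRUSTED_CLIENTS are allowed to do that.
 */
public class InvokerTokenEnhancer implements TokenEnhancer {

    // Hypothetical parameter name chosen for this example.
    static final String ON_BEHALF_OF = "on_behalf_of";
    // Extra claim recording which client asserted the user, for auditing on the resource side.
    static final String ASSERTED_BY = "asserted_by";
    // Constructed allowlist; in practice derive it from each client's ClientDetails.
    private static final Set<String> TRUSTED_CLIENTS = Collections.singleton("frontend-service");

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        // Password / authorization-code tokens already carry the real user; only
        // client-only (client-credentials) authentications lack one.
        if (!authentication.isClientOnly()) {
            return accessToken;
        }
        String clientId = authentication.getOAuth2Request().getClientId();
        String invoker = authentication.getOAuth2Request().getRequestParameters().get(ON_BEHALF_OF);
        if (invoker == null || invoker.isEmpty() || !TRUSTED_CLIENTS.contains(clientId)) {
            // Unknown client or no invoker given: issue a plain client token, never a user token.
            return accessToken;
        }
        DefaultOAuth2AccessToken enhanced = new DefaultOAuth2AccessToken(accessToken);
        Map<String, Object> info = new HashMap<>(accessToken.getAdditionalInformation());
        // "user_name" is the claim DefaultUserAuthenticationConverter turns into a principal.
        info.put(UserAuthenticationConverter.USERNAME, invoker);
        info.put(ASSERTED_BY, clientId);
        enhanced.setAdditionalInformation(info);
        return enhanced;
    }

    /**
     * Resource-server side: wire the custom UserDetailsService into the converter chain so
     * that oAuth2Authentication.getPrincipal() yields the UserDetails it loads for the
     * "user_name" claim instead of a bare client id. The JwtAccessTokenConverter must be
     * configured with the same signing key as the authorization server (not shown).
     */
    public static JwtAccessTokenConverter resourceSideConverter(UserDetailsService userDetailsService) {
        DefaultUserAuthenticationConverter userConverter = new DefaultUserAuthenticationConverter();
        // Principal and authorities now come from loadUserByUsername(user_name), not from the token.
        userConverter.setUserDetailsService(userDetailsService);

        DefaultAccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
        tokenConverter.setUserTokenConverter(userConverter);

        JwtAccessTokenConverter jwt = new JwtAccessTokenConverter();
        jwt.setAccessTokenConverter(tokenConverter);
        return jwt;
    }
}
```

On the authorization server, register InvokerTokenEnhancer in a TokenEnhancerChain ahead of the JwtAccessTokenConverter so the claims are added before the token is signed. Because the resource side now trusts "user_name" from any token it can verify, keep client-credentials scopes narrow and treat the resulting principal as "client X acting for user Y" rather than as a user who signed in at the authorization server.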