
I have a default Spring Authorization Server implementation. I want to modify it as per my project requirements. I want to implement a customized introspection endpoint in the new Spring Authorization Server. I will be having different kinds of tokens, and based on token type I want to validate them differently. So I found out that by default Spring Authorization Server uses 'OAuth2TokenIntrospectionEndpointFilter'; is there a way to use this class, or do we have to write a new class and add it to the server configuration? Thank you.

I tried doing the following.

authorizationServerConfigurer.tokenIntrospectionEndpoint(
        t -> t.authenticationProvider(customTokenAuthProvider)
                .introspectionResponseHandler(successHandler));

I want to know if this is the right way to do it or whether any other method exists.

  • You have only shared a small portion of your configuration. Please add more details about what you're trying to accomplish, and what isn't working when you use the above configuration. – Steve Riesenberg Dec 13 '22 at 01:22
  • @SteveRiesenberg Sorry for the incomplete picture of what I am trying to achieve. I tried the default Authorization Server. I want to add some extra fields in the payload of the JWTs (access_token) created. 1) How to achieve this? And later I want the resource server to validate these custom JWTs. This validation I can do in the resource server. But I was trying to validate these JWTs on calling the /introspection endpoint of the auth server. So I have to add an extra filter in the Authorization Server for this. Is it possible to do this? If yes, then how? Thank you – Vinayak Pattar Dec 13 '22 at 10:00

1 Answer


It seems you have two goals:

  1. Customize a jwt, by adding custom claims.
  2. Obtain those claims via the introspection endpoint from a resource server.

There is actually nothing to code for on the authorization server side to achieve #2, as the introspection endpoint returns all claims for a jwt by default. I’m not clear on what you mean by “validate” here, so I’m assuming you mean validate the token and then obtain claims from it. This is what the introspection endpoint does, no customization required. Do note however that the introspection endpoint is not usually called if the resource server is decoding the jwt locally. This would only happen if the resource server is treating the token as opaque.

In order to achieve #1, simply provide an OAuth2TokenCustomizer @Bean as demonstrated in the reference documentation.

Note: I don’t see a need for a custom AuthenticationProvider. If you feel you do have a need for one, then I think some details of your use case are missing.

Steve Riesenberg
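As an added example (not code from the answer above or from Spring Authorization Server itself), here is what the OAuth2TokenCustomizer bean the answer points to can look like when it writes the roles the question keeps in Redis into the access token. The RoleLookup interface and the "roles" / "roles_src" claim names are assumptions; the org.springframework imports are the ones used by Spring Authorization Server 0.4.x and 1.x.

```java
import java.util.Set;
import java.util.TreeSet;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class AccessTokenClaimsConfig {

    /** Hypothetical abstraction over the Redis username -> roles lookup from the question. */
    public interface RoleLookup {
        Set<String> rolesFor(String username);
    }

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> accessTokenCustomizer(RoleLookup roleLookup) {
        return context -> {
            // Only decorate access tokens; ID tokens and refresh tokens pass through untouched.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }
            Authentication principal = context.getPrincipal();
            if (principal == null || principal.getName() == null) {
                return;
            }
            // For a client_credentials grant the principal is the client, not an end user;
            // if the store has no entry for that name, no role claim is written at all.
            Set<String> roles = roleLookup.rolesFor(principal.getName());
            if (roles == null || roles.isEmpty()) {
                return;
            }
            // Sorted copy keeps the claim deterministic across issuances (hypothetical claim names).
            context.getClaims()
                    .claim("roles", new TreeSet<>(roles))
                    .claim("roles_src", "redis");
        };
    }
}
```

Because the introspection endpoint returns every claim of the JWT, anything written here is visible to any resource server that introspects the token, so keep the claim to role names rather than anything secret.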
  • Thank you for the answer. For 1) I will try to customize the JWT with `OAuth2TokenCustomizer`. For 2) I have a USER_ROLE and PERMISSIONs in the database. Upon login of the end user, I will create a key-value pair in Redis with the username as key and his roles/permissions as value. And what I mean by 'validating token' is that I will be adding this Redis key to the claims of the JWT. I want to validate the role/permission this user has from Redis. I want to know 1) how to do this in the Resource Server? 2) Upon calling the introspect endpoint, is there a way to check roles/permissions from Redis in the Authorization Server? – Vinayak Pattar Dec 14 '22 at 04:25
  • You can do absolutely anything you want in the token customizer, including accessing redis and looking up a user by name. It’s still not clear to me what you want to do with the roles on the resource server but the answer depends heavily on what the access token and/or available claims from the introspection endpoint look like. Once you’ve customized the jwt, ask another question with details related to the resource server and let me know the link and I’ll take a look. – Steve Riesenberg Dec 15 '22 at 03:11