0

After updating a gateway service to Spring Boot 3.x (from Spring Boot 2.5.2), I discovered that the DefaultAccessTokenConverter, OAuth2Authentication, OAuth2AuthenticationManager, and RemoteTokenServices are removed or otherwise moved to a different library.

This is what the build.gradle dependencies were before the update:

implementation 'org.springframework.boot:spring-boot-starter-actuator'
implementation 'org.springframework.cloud:spring-cloud-starter-gateway'
implementation 'org.springframework.cloud:spring-cloud-starter-security'
implementation 'org.springframework.cloud:spring-cloud-starter-oauth2'
implementation 'org.springframework.security:spring-security-oauth2-resource-server'
implementation 'org.springframework.security:spring-security-oauth2-jose'
implementation 'org.springframework.security:spring-security-config'
implementation 'org.springframework.cloud:spring-cloud-starter-oauth2:2.2.5.RELEASE'

And after:

implementation 'org.springframework.boot:spring-boot-starter-actuator'
implementation 'org.springframework.boot:spring-boot-starter-security'
implementation 'org.springframework.boot:spring-boot-starter-validation'
implementation 'org.springframework.cloud:spring-cloud-starter-gateway'
implementation 'org.springframework.security:spring-security-oauth2-authorization-server:1.0.0'

As far as I can tell, I have the correct libraries for OAuth2 in Spring Security 6.x/Spring Boot 3.x, and I see no mention of the above classes in the Spring Security 6.x migration guide.

There was also an answered question about migrating from OAuth2 to Spring Security 5. This may be relevant in my case, but I don't have enough experience with authentication services to be sure.

The aforementioned classes are used extensively throughout my gateway service and I'm not sure how to replace them.

One such example of OAuth2Authentication usage:

    @Override
    public OAuth2Authentication extractAuthentication(final Map<String, ?> map) {
        OAuth2Authentication authentication = super.extractAuthentication(map);

        authentication.getOAuth2Request().getExtensions().computeIfAbsent(GIVEN_NAME,
            v -> map.get(GIVEN_NAME) != null ? map.get(GIVEN_NAME).toString() : "");
        authentication.getOAuth2Request().getExtensions().computeIfAbsent(PREFERRED_NAME,
            v -> map.get(PREFERRED_NAME) != null ? map.get(PREFERRED_NAME).toString() : "");
        authentication.getOAuth2Request().getExtensions().computeIfAbsent(CLIENT_NAME,
            v -> map.get(CLIENT_NAME) != null ? map.get(CLIENT_NAME).toString() : "");
        authentication.getOAuth2Request().getExtensions().computeIfAbsent(FEATURES,
                v -> map.get(FEATURES) != null ? String.join(DELIMITER,
                        (List<String>) map.get(FEATURES)) : "");
        authentication.getOAuth2Request().getExtensions().computeIfAbsent(PARTITION_ROLES,
                v -> map.get(PARTITION_ROLES) != null ? String.join(DELIMITER,
                        (List<String>) map.get(PARTITION_ROLES)) : "");
        return authentication;
    }

Any help would be great, thanks!

kwarter
  • 1
  • 2

1 Answers1

0

Depending on your resource-server using a JWT decoder or access-token introspection (opaqueToken), you can customize the authentication converter with either:

  • http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(authenticationConverter);
  • http.oauth2ResourceServer().opaqueToken().authenticationConverter(introspectionAuthenticationConverter)

Default Authentication implementations are respectively JwtAuthenticationToken token and BearerTokenAuthentication for respectively JWT decoding and introspection, but you may return any type of Authentication you like.

ch4mp
  • 6,622
  • 6
  • 29
  • 49