context: I'm trying to play with google playlists, just list them now
curl \
'https://www.googleapis.com/youtube/v3/playlists?part=snippet%2CcontentDetails&maxResults=25&mine=true&key=[YOUR_API_KEY]' \
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
--header 'Accept: application/json' \
--compressed
So I've got google login set up with Spring Boot 2.1.6, as follows (it works)
spring.security.oauth2.client.registration.google.client-id=...
spring.security.oauth2.client.registration.google.client-secret=...
spring.security.oauth2.client.registration.google.redirect-uri=http://localhost:8080/login/oauth2/code/google
spring.security.oauth2.client.provider.google.token-uri=https://oauth2.googleapis.com/token
spring.security.oauth2.client.provider.google.authorization-uri=https://accounts.google.com/o/oauth2/v2/auth
spring.security.oauth2.client.provider.google.user-info-uri=https://openidconnect.googleapis.com/v1/userinfo
spring.security.oauth2.client.provider.google.jwk-set-uri=https://www.googleapis.com/oauth2/v3/certs
spring.security.oauth2.client.provider.google.issuer-uri=https://accounts.google.com
spring.security.oauth2.client.registration.google.scope=profile,https://www.googleapis.com/auth/youtube
According to the Google docs, I should get an access/authorization token back during the requests Spring makes. How can I retrieve this token so I can make further calls to APIs such as YouTube?
1. The user sends his credentials (username and password) to the server.
2. The server authenticates the credentials and generates a token.
3. The server stores the previously generated token in some storage along with the user identifier and an expiration date.
4. The server sends the generated token to the user.
from @jgrandja https://github.com/spring-projects/spring-security/issues/7088#issuecomment-511820737
No, it doesn't get wiped out. You can retrieve the OAuth2AuthorizedClient via the OAuth2AuthorizedClientRepository or OAuth2AuthorizedClientService. The OAuth2AuthorizedClient contains the OAuth2AccessToken and optional OAuth2RefreshToken. See the ref doc for further info.
Also, a more convenient way of obtaining the OAuth2AuthorizedClient is via @RegisteredOAuth2AuthorizedClient.
I encourage you to read the ref doc as there is quite a bit of info there that will likely answer your questions.
- OAuth 2.0 Client
- OAuth 2.0 Login
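One way to apply the @RegisteredOAuth2AuthorizedClient approach described above to the playlist call from the question. This is an added example, not code from the thread or from the Spring project; the class name PlaylistController and the /playlists path are hypothetical, and it assumes the "google" registration shown in the question.

```java
// Added example (not from the thread). Assumes spring-boot-starter-web and
// spring-boot-starter-oauth2-client plus the "google" registration from the question.
import java.net.URI;
import java.time.Instant;
import java.util.Collections;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.util.UriComponentsBuilder;

@RestController
public class PlaylistController { // hypothetical class name
    private static final String PLAYLISTS_URL = "https://www.googleapis.com/youtube/v3/playlists";
    private final RestTemplate restTemplate = new RestTemplate();

    @GetMapping("/playlists") // hypothetical path
    public ResponseEntity<String> playlists(
            @RegisteredOAuth2AuthorizedClient("google") OAuth2AuthorizedClient client) {
        OAuth2AccessToken token = client.getAccessToken();
        // The stored token may already be expired when it is loaded, so check before use.
        Instant expiresAt = token.getExpiresAt();
        if (expiresAt != null && expiresAt.isBefore(Instant.now())) {
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
                    .body("Access token expired; log in again");
        }
        // The token goes only into the outbound Authorization header. It is never
        // logged and never returned to the browser.
        HttpHeaders headers = new HttpHeaders();
        headers.setBearerAuth(token.getTokenValue());
        headers.setAccept(Collections.singletonList(MediaType.APPLICATION_JSON));
        // Same query as the curl call in the question, without the key parameter
        // (assumption: the bearer token alone authorizes this request).
        URI uri = UriComponentsBuilder.fromHttpUrl(PLAYLISTS_URL)
                .queryParam("part", "snippet,contentDetails")
                .queryParam("maxResults", 25)
                .queryParam("mine", true)
                .build().encode().toUri();
        ResponseEntity<String> upstream = restTemplate.exchange(
                uri, HttpMethod.GET, new HttpEntity<>(headers), String.class);
        return ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(upstream.getBody());
    }
}
```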
If Spring Security is configured for an OAuth 2.0 Login, the OAuth2LoginAuthenticationFilter uses HttpSessionOAuth2AuthorizedClientRepository (by default) to store the authenticated user in the session. Although the Authentication object (OAuth2AuthenticationToken) unfortunately does not have the raw token, you should be able to extract it from the client that's been saved in the session:
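// Session attribute under which HttpSessionOAuth2AuthorizedClientRepository keeps its clients
String attributeName = HttpSessionOAuth2AuthorizedClientRepository.class.getName()
        + ".AUTHORIZED_CLIENTS";
// getAttribute() returns Object, so the map has to be cast explicitly
@SuppressWarnings("unchecked")
Map<String, OAuth2AuthorizedClient> authorizedClients = (Map<String, OAuth2AuthorizedClient>)
        request.getSession().getAttribute(attributeName);
// "google" is the registration id from the configuration
OAuth2AuthorizedClient client = authorizedClients.get("google");
String token = client.getAccessToken().getTokenValue();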
Although this should work, it is very brittle. Hopefully there's another solution that doesn't involve swapping in custom implementations into the security framework.