
Configure Spring Security 5 Oauth 2 to use access_token uri parameter

I am creating an application based on this example -

Background -

https://github.com/spring-projects/spring-security/tree/master/samples/boot/oauth2resourceserver-webflux

It works perfectly fine if the OAuth2 token is in the Header.

Problem -

However, I would like to change it to use an OAuth 2 token in the URL. I am trying to create an OAuth2 resource server.

Analysis-

It seems Spring Security supports getting the token from access_token parameter -

https://github.com/spring-projects/spring-security/blob/e3eaa99ad06769cf44ad3e1249f6398077b90834/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java#L57

However it seems to be disabled by default -

https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/server/ServerBearerTokenAuthenticationConverter.java#L48

Now this class is not accessible outside the Spring hierarchy and is directly created here -

https://github.com/spring-projects/spring-security/blob/master/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java#L955

Question?

Is there a way to set this allowUriQueryParameter to true in my code?

Update

I am creating an OAuth2 resource server. Unfortunately the OAuth2ResourceServerSpec does not allow authenticationConverter to be set.

Pushkar asked Sep 10 '25 13:09


2 Answers

Pushkar's answer didn't work for me, but it helped me find the solution. The following code did the trick:

DefaultBearerTokenResolver resolver = new DefaultBearerTokenResolver();
resolver.setAllowUriQueryParameter(true);

http.authorizeRequests()
        .anyRequest().authenticated()
        .and().oauth2ResourceServer().bearerTokenResolver(resolver)
        .jwt();

Thanks.

João Durante answered Sep 13 '25 06:09


Now with Spring Security 5.1.5 we can do this -

ServerBearerTokenAuthenticationConverter authenticationConverter = new ServerBearerTokenAuthenticationConverter();
authenticationConverter.setAllowUriQueryParameter(true);

http.oauth2ResourceServer().bearerTokenConverter(authenticationConverter).jwt();

Pushkar answered Sep 13 '25 06:09
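
An added example, not taken from either answer or from the Spring Security project: a token carried in the URL is recorded in access logs, browser history and Referer headers (RFC 6750 section 2.3 discourages it), so this WebFlux configuration accepts `access_token` only on GET requests to one path and keeps every other route header-only. It assumes Spring Security 5.1.5 or later, as in the answer above; the class name and the `/downloads/**` path are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.server.resource.web.server.ServerBearerTokenAuthenticationConverter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@EnableWebFluxSecurity
public class ResourceServerConfig {

    // Hypothetical path: the only endpoint whose clients cannot set an Authorization header.
    private static final String QUERY_TOKEN_PATH = "/downloads/**";

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange()
                .anyExchange().authenticated()
                .and()
            .oauth2ResourceServer()
                .bearerTokenConverter(pathScopedConverter())
                .jwt();
        return http.build();
    }

    // Picks a converter per request so the query parameter is honoured on one route only.
    static ServerAuthenticationConverter pathScopedConverter() {
        // Library default: token is read from the Authorization header only.
        ServerBearerTokenAuthenticationConverter headerOnly =
                new ServerBearerTokenAuthenticationConverter();

        // Also reads ?access_token=...; used only when the matcher below matches.
        ServerBearerTokenAuthenticationConverter headerOrQuery =
                new ServerBearerTokenAuthenticationConverter();
        headerOrQuery.setAllowUriQueryParameter(true);

        ServerWebExchangeMatcher queryAllowed =
                ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, QUERY_TOKEN_PATH);

        return exchange -> queryAllowed.matches(exchange)
                .flatMap(result -> result.isMatch()
                        ? headerOrQuery.convert(exchange)
                        : headerOnly.convert(exchange));
    }
}
```

On routes outside the matcher an `access_token` query parameter is ignored, so a request that carries only that parameter is rejected as unauthenticated.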