Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring OAuth (OAuth2): How can I get the client credentials in a Spring MVC controller?

In this snippet:

@RequestMapping(method = GET)
public List<Place> read(Principal principal) {
  principal.getName(); 
}

principal.getName() gives me the user identification but I need a way to receive the client credentials (client => the app who is using my API). How can I do this?

like image 546
wandi.darko Avatar asked Sep 17 '12 17:09

wandi.darko


3 Answers

The client identity is available from the Authentication object which you can either cast the principal to, or get directly from the thread-local security context. Something like

Authentication a = SecurityContextHolder.getContext().getAuthentication();

String clientId = ((OAuth2Authentication) a).getAuthorizationRequest().getClientId();

If you don't want to put that code directly into your controller, you can implement a separate context accessor as described in this answer and inject that into it instead.

like image 58
Shaun the Sheep Avatar answered Oct 23 '22 15:10

Shaun the Sheep


I found a reasonable solution based on @luke-taylor answer.

@RequestMapping(method = GET)
public List<Place> read(OAuth2Authentication auth) {
  auth.getOAuth2Request().getClientId()
}
like image 41
wandi.darko Avatar answered Oct 23 '22 15:10

wandi.darko


Fleshing out the HandlerMethodArgumentResolver option a bit more. In order to support the following:

@RequestMapping(
    value = WEB_HOOKS, 
    method = RequestMethod.GET, 
    produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseStatus(HttpStatus.OK)
public List<SomeDTO> getThoseDTOs(@CurrentClientId String clientId) 
{
    // Do something with clientId - it will be null if there was no authentication
}

We'll need the HandlerMethodArgumentResolver registered with our Application Context (for me this was inside a WebMvcConfigurerAdapter). My HandlerMethodArgumentResolver looks like this:

public class OAuth2ClientIdArgumentResolver implements HandlerMethodArgumentResolver {

    @Override
    public boolean supportsParameter(MethodParameter parameter) {
        return parameter.getParameterAnnotation(CurrentClientId.class) != null
                && parameter.getParameterType().equals(String.class);
    }

    @Override
    public Object resolveArgument(
            MethodParameter parameter,
            ModelAndViewContainer mavContainer, 
            NativeWebRequest webRequest,
            WebDataBinderFactory binderFactory) 
        throws Exception 
    {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if(authentication == null) {
            return null;
        }
        String clientId = null;

        if (authentication.getClass().isAssignableFrom(OAuth2Authentication.class)) {
            clientId = ((OAuth2Authentication) authentication).getOAuth2Request().getClientId();
        }

        return clientId;
    }

}

And the @interface definition:

@Target({ElementType.PARAMETER, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface CurrentClientId {

}
like image 5
Michael Ressler Avatar answered Oct 23 '22 14:10

Michael Ressler