Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Security OAuth2 with custom TokenGranter in version 2.0.+

In previous versions of OAuth2 it was possible to add a custom token granter by adding it to the xml configuration in the <authorization-server> element.

I wonder how I could extend the authorization server with Java Config using a AuthorizationServerConfigurerAdapter, without losing the default configuration, which contains the implicit, client credentials, refresh token and authorization code grant types.

First attempt was using creating the TokenGranter with @Component:

@Component("customTokenGranter")
public class CustomTokenGranter {
     //implementation
}

This leads to a dependency resolution exception because the tokenServices needed to construct the Granter cannot be autowired.

Second attempt was using the configure method

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception
{
    endpoints
        .tokenGranter(new CustomTokenGranter(endpoints.getTokenServices(),
                endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory()));

}

Using this, the default grant types will not be registered.

I also tried a second configuration with a lower order, but without success. What else could I do to add my custom grant type?

like image 905
Christian Metzler Avatar asked Aug 12 '14 12:08

Christian Metzler


4 Answers

Here is another way. Copied from here.

In this example, a new custom TokenGranter, named CustomTokenGranter, is added to a CompositeTokenGranter with the default TokenGranters. I like this example because it uses the AuthorizationServerEndpointsConfigurer's public method getTokenGranter() to retrieve the default TokenGranter's.

@Configuration
@EnableAuthorizationServer
protected static class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
        endpoints.tokenGranter(tokenGranter(endpoints));
    }

    private TokenGranter tokenGranter(final AuthorizationServerEndpointsConfigurer endpoints) {
        List<TokenGranter> granters = new ArrayList<TokenGranter>(Arrays.asList(endpoints.getTokenGranter()));
        granters.add(new CustomTokenGranter(endpoints.getTokenServices(), endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory(), "custom"));
        return new CompositeTokenGranter(granters);
    }
like image 188
Jose Martinez Avatar answered Nov 19 '22 07:11

Jose Martinez


According to the documentation, we have :

Grant Types

The grant types supported by the AuthorizationEndpoint can be configured via the AuthorizationServerEndpointsConfigurer. By default all grant types are supported except password (see below for details of how to switch it on). The following properties affect grant types:

authenticationManager: password grants are switched on by injecting an AuthenticationManager. ......

See documentation. So you can inject the AuthenticationManager like this :

    @Configuration
    @EnableAuthorizationServer
    public class AuthorizationServerConfigurer extends AuthorizationServerConfigurerAdapter {

        @Autowired
        private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints
                    .authenticationManager(authenticationManager)
........
like image 31
Abdelhafid Avatar answered Nov 19 '22 08:11

Abdelhafid


You need to add the default ones too, e.g. using a CompositeTokenGranter:

        List<TokenGranter> tokenGranters = getTokenGranters(); // implementation up to you
        tokenGranter = new CompositeTokenGranter(tokenGranters);
        endpoints.tokenGranter(tokenGranter);
like image 11
Dave Syer Avatar answered Nov 19 '22 08:11

Dave Syer


I couldn't find a way to do it because of the dependency on ClientDetailService making it difficult to get the default granters from the getTokenGranter method. I copied over the code from AuthorizationServerEndpointsConfigurer#tokenGranter() and passed in my clientDetailService and other beans directly to the constructors. Note that I add to create a DefaultOAuth2RequestFactory to pass to the granters and to the endpoints:

public TokenGranter tokenGranter() {

            ClientDetailsService clientDetails = clientDetailsService;
            AuthorizationServerTokenServices tokenServices = tokenServices();
            AuthorizationCodeServices authorizationCodeServices = authorizationCodeServices();
            OAuth2RequestFactory requestFactory = requestFactory();

            List<TokenGranter> tokenGranters = new ArrayList<TokenGranter>();

            tokenGranters.add(new AuthorizationCodeTokenGranter(tokenServices, authorizationCodeServices,
                    clientDetails, requestFactory));
            tokenGranters.add(new RefreshTokenGranter(tokenServices, clientDetails, requestFactory));
            tokenGranters.add(new ImplicitTokenGranter(tokenServices, clientDetails, requestFactory));
            tokenGranters.add(new ClientCredentialsTokenGranter(tokenServices, clientDetails, requestFactory));
            tokenGranters.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, tokenServices,
                        clientDetails, requestFactory));
            tokenGranters.add(new CustomTokenGranter(authenticationManager, tokenServices(), clientDetailsService,
                    requestFactory));

            return new CompositeTokenGranter(tokenGranters);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {

        endpoints
                .tokenServices(tokenServices())
                .tokenStore(tokenStore())
                .tokenEnhancer(tokenEnhancer())
                .authorizationCodeServices(authorizationCodeServices())
                .userApprovalHandler(userApprovalHandler())
                .authenticationManager(authenticationManager)
                .requestFactory(requestFactory())
                .tokenGranter(tokenGranter());
    }

That being said, I ended up removing that code and simply added another AuthenticationProvider instead because my new grant type was using a subclass of UsernamePasswordAuthenticationToken anyway, which is the Authentication type used by the password grant by default.

like image 5
lordm2k Avatar answered Nov 19 '22 07:11

lordm2k