Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Spring Security - override default TokenEndpoint method (/oauth/token)

I am planning to implement oauth2 & JWT in my new project. Apart from username, password & grant_type, I am having a few another fields to validate before granting the access_token and refresh_token. So I am planning to override the default TokenEndpoint's postAccessToken method's implementation. Would it be possible, if yes, what are all the things I should take care? And is it a right idea to override the default implementation? For example, below is TokenEndpoint's postAccessToken signature.

public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
....
}

Here before reaching the postAccessToken method only spring-security had constructed the Principal object.

My endpoint would look like this, where there is no Principal object(Not sure what issue this will introduce in future).

@PostMapping("/token")
public ResponseEntity token(@Valid @RequestBody LoginModel loginModel, @RequestParam Map<String, String> parameters) {
....
}

And few other things spring-security is taking care by itself, so if I override this /token endpoints what all things I should take care of?

like image 401
Suganthan Madhavan Pillai Avatar asked Jul 14 '26 17:07

Suganthan Madhavan Pillai


1 Answers

In my case, using SpringBoot 3.0, the token path was changed from /oauth/token to /oauth2/token breaking existing consumers. All I had to do was the following:

    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        return AuthorizationServerSettings.builder()
                .tokenEndpoint("/oauth/token")
                .build();
    }

To change other attributes as well:

@Bean
public AuthorizationServerSettings authorizationServerSettings() {
    return AuthorizationServerSettings.builder()
        .issuer("https://example.com")
        .authorizationEndpoint("/oauth2/v1/authorize")
        .tokenEndpoint("/oauth2/v1/token")
        .tokenIntrospectionEndpoint("/oauth2/v1/introspect")
        .tokenRevocationEndpoint("/oauth2/v1/revoke")
        .jwkSetEndpoint("/oauth2/v1/jwks")
        .oidcUserInfoEndpoint("/connect/v1/userinfo")
        .oidcClientRegistrationEndpoint("/connect/v1/register")
        .build();
}

See documentation.

like image 96
tom Avatar answered Jul 17 '26 19:07

tom



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!