OidcUserInfoAuthenticationProvider doesn't support for opaque token bearer authorization

[malvinpatrick]

I have pull your sample project "demo-authorization server", and I tried to use registered client with opaque token. After I input username and password, BFF spring security tries to call "/userinfo" on DefaultOAuth2UserService. But I got JWT malformat exception on authorization server. So I tried to debug which code generates an error. And I got the error was raised from JwtAuthenticationProvider.

I've seen your response on Issue 1330, you said that OidcUserInfoAuthenticationProvider can handle bearer token with opaque token.

I have debug list of provider for ProviderManager

On OidcUserInfoAuthenticationProvider, there's a code for check supports

@Override
	public boolean supports(Class<?> authentication) {
		return OidcUserInfoAuthenticationToken.class.isAssignableFrom(authentication);
	}

which always return false because authentication class is a sub class of BearerTokenAuthenticationToken, construct by BearerTokenAuthenticationFilter-doFilterInternal

My question is how to call /userinfo by using Opaque Token Bearer Authorization?

[malvinpatrick]

Hello @jgrandja, I got stuck on /userinfo endpoint which needs Bearer token handling. In my case, my acceess_token, using REFERENCE token type (Opaque Token).

I got error when BearerTokenAuthenticationFilter need to validate access_token, which no provider support except JWTAuthenticationProvider, which is always invalid, because my access token isn't a JWT but opaque token instead.

At other side, when I readOidcUserInfoAuthenticationProvider, it expect receive token OidcUserInfoAuthenticationToken which initialized by org.springframework.security.oauth2.server.authorization.oidc.web.OidcUserInfoEndpointFilter.createAuthentication(HttpServletRequest).

So I don't know what is the best way to handling it. I tried to add authenticationProvider like this

public class CustomOidcUserIinfoAuthenticationProvider implements AuthenticationProvider {

	private final Log logger = LogFactory.getLog(getClass());

	private final OAuth2AuthorizationService authorizationService;


	public ChameleonOidcUserIinfoAuthenticationProvider(OAuth2AuthorizationService authorizationService) {
		Assert.notNull(authorizationService, "authorizationService cannot be null");
		this.authorizationService = authorizationService;
	}
	
	@Override
	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
		BearerTokenAuthenticationToken userInfoAuthentication = (BearerTokenAuthenticationToken) authentication;

		if (userInfoAuthentication == null) {
			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
		}

		// Force set to true
		userInfoAuthentication.setAuthenticated(true);

		String accessTokenValue = userInfoAuthentication.getToken();

		OAuth2Authorization authorization = this.authorizationService.findByToken(accessTokenValue,
				OAuth2TokenType.ACCESS_TOKEN);
		if (authorization == null) {
			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_TOKEN);
		}

		if (this.logger.isTraceEnabled()) {
			this.logger.trace("Retrieved authorization with access token");
		}

		OAuth2Authorization.Token<OAuth2AccessToken> authorizedAccessToken = authorization.getAccessToken();

		DefaultOAuth2AuthenticatedPrincipal authenticatedPrincipal = new DefaultOAuth2AuthenticatedPrincipal(
				authorization.getPrincipalName(), authorizedAccessToken.getClaims(), Collections.emptyList()
		);

		Instant iat = authenticatedPrincipal.getAttribute(OAuth2TokenIntrospectionClaimNames.IAT);
		Instant exp = authenticatedPrincipal.getAttribute(OAuth2TokenIntrospectionClaimNames.EXP);
		OAuth2AccessToken accessToken = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, accessTokenValue, iat,
				exp);

		return new BearerTokenAuthentication(authenticatedPrincipal, accessToken, Collections.emptyList());
	}

	@Override
	public boolean supports(Class<?> authentication) {
		return BearerTokenAuthenticationToken.class.isAssignableFrom(authentication);
	}
}

then I register on authorizationOidc condiguration

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(
    HttpSecurity http,
) throws Exception {

    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = OAuth2AuthorizationServerConfigurer.authorizationServer();

    // @formatter:off
    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .oidc(
                    oidc -> oidc
                        .userInfoEndpoint(userInfoEndpoint -> userInfoEndpoint
                        .authenticationProvider(new CustomOidcUserIinfoAuthenticationProvider(getAuthorizationService(http)))
                        )
                )
        );

    // @formatter:on
    return http.build();
}

Is it true to implement like my code above ? Or there's better way to handle this ?

[jgrandja]

@malvinpatrick Questions are better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

I got error when BearerTokenAuthenticationFilter need to validate access_token, which no provider support except JWTAuthenticationProvider, which is always invalid, because my access token isn't a JWT but opaque token instead.

You need to configure oauth2ResourceServer() with an AuthenticationProvider that is able to authenticate an (opaque) Bearer token.

Take a look at this sample configuration that supports JWT and Opaque Token Bearer authentication.

[roar-skinderviken]

@jgrandja I've looked into this in connection with a StackOverflow-question, and done some testing.

I believe

.oauth2ResourceServer(
     (oauth2ResourceServer) -> oauth2ResourceServer.jwt(Customizer.withDefaults()));

here:
OAuth2AuthorizationServerConfigurer

blocks any possibility to configure OIDC-endpoints for opaque tokens.

Attempt 1

.oauth2ResourceServer(oauth2 ->
        oauth2.authenticationManagerResolver(<custom resolver>)
)

fails with an error about that a custom resolver will override existing settings from the above code.

Attempt 2

.oauth2ResourceServer(resourceServer -> resourceServer
     .opaqueToken(Customizer.withDefaults()));

fails with error about that either JWT or opaque has to be configured, not both.

[malvinpatrick]

Hello @jgrandja,

I've created sample project Github Project. I have tried to create authenticationManagerResolver, but it will raise an error, you can try to run my demo project.

Instead, to temporary handle opaque bearer token, I create CustomOidcUserInfoAuthenticationBearerProvider to handle opaque bearer token.

[jgrandja]

@roar-skinderviken @malvinpatrick I see the issue now. I've logged spring-security#16406 to track this.

I'll keep this issue closed for now as I believe the fix needs to be applied in Spring Security.