-
Notifications
You must be signed in to change notification settings - Fork 5.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Configurable authentication converter for resource-servers with token introspection #11665
Conversation
@sjohnr and @marcusdacoregio I believe this PR to be ready for review. |
Thanks @ch4mpy! As we're working through some priority tasks for 5.8 and 6.0, it may be a slight delay before I'm able to take a look at this. |
@sjohnr I understand. Just put it together right now because I had a little time and the idea was fresh in my mind. I couldn't find the issue / PR I'm duplicating. Could you please point me to it? |
Thanks for taking the time! We use the duplicate label for book-keeping so only one issue (either the issue or the PR) goes into the release notes, and so whoever did the work gets credit. Since you opened the issue AND the PR, I just marked this PR as the duplicate. |
@sjohnr I added a separate commit for 5.8 XSD and doc, just in case you have some time to review any time soon. The commit is easy to remove otherwise. There is no breaking change with this PR, default behavior should remain the same. |
Thanks @ch4mpy. Apologies, I haven't been able to review it thoroughly yet, as I'm still heads down. However, glancing at it, I wanted to mention one thing to think about. You may want to consider the I'll let you know when I have a bit more time to review. |
Actually, I had considered using the
I'll update the PR with:
Please confirm that |
I'll spend some time thinking about that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR @ch4mpy! I'm excited about this one. As I mentioned, I'm still a little behind on tasks, but I wanted to give this a bit of attention. See below comments for some suggestions to get you moving forward.
Also, I mention this below but putting it at the top so you can focus on it first:
At the moment, I'm re-thinking my position on using a Converter here. Would you mind reverting the changes to switch to this interface, so we have an OpaqueTokenAuthenticationConverter again? (Sorry for being indecisive!)
.../org/springframework/security/oauth2/server/resource/authentication/IntrospectionResult.java
Outdated
Show resolved
Hide resolved
...mework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java
Outdated
Show resolved
Hide resolved
...mework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java
Outdated
Show resolved
Hide resolved
...security/oauth2/server/resource/authentication/OpaqueTokenReactiveAuthenticationManager.java
Outdated
Show resolved
Hide resolved
...security/oauth2/server/resource/authentication/OpaqueTokenReactiveAuthenticationManager.java
Show resolved
Hide resolved
docs/modules/ROOT/pages/servlet/oauth2/resource-server/opaque-token.adoc
Outdated
Show resolved
Hide resolved
Or, if you're not using Spring Boot at all, then both of these components - the filter chain and a <<oauth2resourceserver-opaque-architecture-introspector,`OpaqueTokenIntrospector`>> can be specified in XML. | ||
If the application doesn't expose an `OpaqueTokenAuthenticationConverter` bean, then Spring Boot will expose a `BearerTokenAuthenticationConverter`. | ||
|
||
Or, if you're not using Spring Boot at all, then all of these components - the filter chain, an <<oauth2resourceserver-opaque-architecture-introspector,`OpaqueTokenIntrospector`>> and an `OpaqueTokenAuthenticationConverter` can be specified in XML. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally, no changes in Spring Boot should be required, so I think this should be made a separate (standalone) paragraph that just describes the new configuration option with no mention of Spring Boot or other components.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to rephrase, but I'm not native English speaker. Please provide me with what you want if it still not what you expect.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok. Will do!
...ava/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java
Outdated
Show resolved
Hide resolved
config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
Outdated
Show resolved
Hide resolved
...ework/security/config/annotation/web/configurers/AbstractAuthenticationFilterConfigurer.java
Outdated
Show resolved
Hide resolved
@sjohnr I:
|
6d19f16
to
f32af34
Compare
Rebased on main after #11773 was merged and squashed again. |
@sjohnr, do you expect more changes from me? Also, what about |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is definitely developing nicely @ch4mpy! Let's leave the existing interface name for now.
I have more suggestions to some specific areas of the PR, see below. Once we work through this round, any additional (small) changes could be applied as polish by the team when we're ready to merge. Please note that we will pause at that point and wait on this PR until after November (after the 5.8/6.0 release).
...mework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java
Outdated
Show resolved
Hide resolved
...mework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java
Outdated
Show resolved
Hide resolved
...mework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java
Outdated
Show resolved
Hide resolved
...mework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java
Outdated
Show resolved
Hide resolved
...security/oauth2/server/resource/authentication/OpaqueTokenReactiveAuthenticationManager.java
Outdated
Show resolved
Hide resolved
...ity/oauth2/server/resource/authentication/OpaqueTokenReactiveAuthenticationManagerTests.java
Outdated
Show resolved
Hide resolved
...ity/oauth2/server/resource/authentication/OpaqueTokenReactiveAuthenticationManagerTests.java
Outdated
Show resolved
Hide resolved
...ity/oauth2/server/resource/authentication/OpaqueTokenReactiveAuthenticationManagerTests.java
Outdated
Show resolved
Hide resolved
...k/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProviderTests.java
Outdated
Show resolved
Hide resolved
...k/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProviderTests.java
Outdated
Show resolved
Hide resolved
So I should remove modifications to 5.8 xsd and rnc too, maybe? And also modify |
@sjohnr I think I fixed everything as you requested, but |
We can wait on that, but thanks for asking! I'll try and keep you updated if anything changes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's looking really good @ch4mpy! I did find a few small things below. Sorry for missing them earlier!
...mework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java
Show resolved
Hide resolved
...ecurity/oauth2/server/resource/introspection/ReactiveOpaqueTokenAuthenticationConverter.java
Show resolved
Hide resolved
...mework/security/oauth2/server/resource/introspection/OpaqueTokenAuthenticationConverter.java
Show resolved
Hide resolved
Thanks for the updates @ch4mpy. After discussing with the team, I think we're good to merge PRs from the community into 5.8. As I mentioned, we've switched to merge-forward as a strategy, so we ultimately want to target 5.8 for this PR. If you happen to have a bit more time, you could squash commits and move the commit to the |
dbb003e
to
b436143
Compare
Adds configurable authentication converter for resource-servers with token introspection (something very similar to what JwtAuthenticationConverter does for resource-servers with JWT decoder). The new (Reactive)OpaqueTokenAuthenticationConverter is given responsibility for converting successful token introspection result into an Authentication instance (which is currently done by a private methods of OpaqueTokenAuthenticationProvider and OpaqueTokenReactiveAuthenticationManager). The default (Reactive)OpaqueTokenAuthenticationConverter, behave the same as current private convert(OAuth2AuthenticatedPrincipal principal, String token) methods: map authorities from scope attribute and build a BearerTokenAuthentication.
@sjohnr squashed and rebased on Of course, 6.0 xsd and rnc modifications where lost in the process. |
* Add authentication-converter-ref to 6.0 * Add @configuration to test configs
This could close #11661
It adds configurable authentication converter for resource-servers with token introspection (something very similar to what
JwtAuthenticationConverter
does for resource-servers with JWT decoder).The new
(Reactive)OpaqueTokenAuthenticationConverter
is given responsibility for converting successful token introspection result into anAuthentication
instance (which is currently done by private methods ofOpaqueTokenAuthenticationProvider
andOpaqueTokenReactiveAuthenticationManager
).(Reactive)BearerTokenAuthenticationConverter
, the default(Reactive)OpaqueTokenAuthenticationConverter
, behave the same as current privateconvert(OAuth2AuthenticatedPrincipal principal, String token)
methods: map authorities fromscope
attribute and return aBearerTokenAuthentication
.New unit test classes are created for default authentication converters and tests related to authorities mapping are moved there.
Existing tests for
OpaqueTokenAuthenticationProvider
andOpaqueTokenReactiveAuthenticationManager
are modified to simply assert that introspector and authenticationConverter are called and that resulting Authentication is propagated.P.S.
I set 6.0 as target but can of course modify this to 5.8 or whatever depending on how you schedule the feature (additional XSDs could need an update depending on the branch this is merged to).