StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POSpring security oauth2 - getting custom data from OAuth2 principal
primarykey
Id
16174987
data
AcceptedAnswerId
16264461
AnswerCount
3
ClosedDate
CommentCount
1
CommunityOwnedDate
CreationDate
2013-04-23T16:55:03.290
FavoriteCount
5
LastActivityDate
2015-10-07T07:14:19.183
LastEditDate
2013-05-01T18:09:52.730
LastEditorUserId
1337127
OwnerUserId
1337127
ParentId
0
PostTypeId
1
Score
8
ViewCount
15319
LastEditorDisplayName
text
Body
I have a site that uses Spring security and has users (username & password) and standard form authentication. I allow users to generate a client Id and client secret linked to their account for use with an OAuth2 secured rest API. I use a separate client id & client secret for the API and not username and password so the user can change their password etc without breaking the API credentials, set specific scopes, disable API access etc. I use spring-security-oauth2 (provider) to secure the rest API and I have allowed a client credentials flow. I have setup client authentication for the api so that client id and secret are checked. From a separate application I use the client id and client secret to retreive an access token and start to use it with the api. For the most part I use simple @PreAuthorize expressions typically based on client roles and scope and these appear to work correctly. All above appears to work fine However... I have a few API endpoints now however where I need to implement some more complex rules based on some details from the underlying user - in this case the user that generated the client id and secret. As a simple example consider a messaging application where I have an endpoint that allows users to post a new "message" of a specific type that can vary. I have a table of allowed recipients for each user and each type and I want to check that the recipients of the posted message match the allowed recipient for the type. (User allowed recipients data is typically not large, and rarely changes so I'm happy to store a copy of it when generating an access token) I get the principal at these endpoints and I see it is an instance of OAuth2Authentication containing: <ul> <li>userAuthentication - null - This seems expectable for client credentials flow.</li> <li>clientAuthentication is populated and authorizationParameters contains the grant type and client_id</li> </ul> I suppose I could use the client id from clientAuthentication.authorizationParameters to lookup the user and the details I require, but that would be a few queries each api call which doesn't seem to make sense. I would guess there's a nice place/way in Spring OAuth2 libs that while granting the access token that I could add some extra details so that later I could get them from the OAuth2Authentication (principal) object (or something that extends it?) Alternatively is there a better approach entirely to such issue? Thx!
Tags
<java><spring><rest><spring-security><oauth-2.0>
Title
Spring security oauth2 - getting custom data from OAuth2 principal
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USMark Doyle
UserOwnerUserId
1. USMark Doyle
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POSpring security oauth2 - getting custom data from OAuth2 principal
 UserUserId
 USMark Doyle
 VoteTypeVoteTypeId
 VTFavorite
2. VO
 singulars
 PostPostId
 POSpring security oauth2 - getting custom data from OAuth2 principal
 UserUserId
 USMark Doyle
 VoteTypeVoteTypeId
 VTBountyStart
3. VO
 singulars
 PostPostId
 POSpring security oauth2 - getting custom data from OAuth2 principal
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.