28.3 Customizing the User Info RestTemplate
If you have a user-info-uri
, the resource server features use an OAuth2RestTemplate
internally to fetch user details for authentication. This is provided as a qualified @Bean
with id userInfoRestTemplate
, but you shouldn’t need to know that to just use it. The default should be fine for most providers, but occasionally you might need to add additional interceptors, or change the request authenticator (which is how the token gets attached to outgoing requests). To add a customization just create a bean of type UserInfoRestTemplateCustomizer
- it has a single method that will be called after the bean is created but before it is initialized. The rest template that is being customized here is only used internally to carry out authentication.
Tip | |
---|---|
To set an RSA key value in YAML use the “pipe” continuation marker to split it over multiple lines (“ | ”) and remember to indent the key value (it’s a standard YAML language feature). Example: |
28.3.1 Client
To make your web-app into an OAuth2 client you can simply add @EnableOAuth2Client
and Spring Boot will create a OAuth2ClientContext
and OAuth2ProtectedResourceDetails
that are necessary to create an OAuth2RestOperations
. Spring Boot does not automatically create such bean but you can easily create your own:
_@Bean_ public OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext oauth2ClientContext, OAuth2ProtectedResourceDetails details) { return new OAuth2RestTemplate(details, oauth2ClientContext); }
Note | |
---|---|
You may want to add a qualifier and review your configuration as more than one RestTemplate may be defined in your application. |
This configuration uses security.oauth2.client.*
as credentials (the same as you might be using in the Authorization Server), but in addition it will need to know the authorization and token URIs in the Authorization Server. For example:
application.yml.
security: oauth2: client: clientId: bd1c0a783ccdd1c9b9e4 clientSecret: 1a9030fbca47a5b2c28e92f19050bb77824b5ad1 accessTokenUri: https://github.com/login/oauth/access_token userAuthorizationUri: https://github.com/login/oauth/authorize clientAuthenticationScheme: form
An application with this configuration will redirect to Github for authorization when you attempt to use the OAuth2RestTemplate
. If you are already signed into Github you won’t even notice that it has authenticated. These specific credentials will only work if your application is running on port 8080 (register your own client app in Github or other provider for more flexibility).
To limit the scope that the client asks for when it obtains an access token you can set security.oauth2.client.scope
(comma separated or an array in YAML). By default the scope is empty and it is up to Authorization Server to decide what the defaults should be, usually depending on the settings in the client registration that it holds.
Note | |
---|---|
There is also a setting for security.oauth2.client.client-authentication-scheme which defaults to “header” (but you might need to set it to “form” if, like Github for instance, your OAuth2 provider doesn’t like header authentication). In fact, the security.oauth2.client.* properties are bound to an instance of AuthorizationCodeResourceDetails so all its properties can be specified. |
Tip | |
---|---|
In a non-web application you can still create an OAuth2RestOperations and it is still wired into the security.oauth2.client.* configuration. In this case it is a “client credentials token grant” you will be asking for if you use it (and there is no need to use @EnableOAuth2Client or @EnableOAuth2Sso ). To prevent that infrastructure to be defined, just remove the security.oauth2.client.client-id from your configuration (or make it the empty string). |
28.3.2 Single Sign On
An OAuth2 Client can be used to fetch user details from the provider (if such features are available) and then convert them into an Authentication
token for Spring Security. The Resource Server above support this via the user-info-uri
property This is the basis for a Single Sign On (SSO) protocol based on OAuth2, and Spring Boot makes it easy to participate by providing an annotation @EnableOAuth2Sso
. The Github client above can protect all its resources and authenticate using the Github /user/
endpoint, by adding that annotation and declaring where to find the endpoint (in addition to the security.oauth2.client.*
configuration already listed above):
application.yml.
security: oauth2: ... resource: userInfoUri: https://api.github.com/user preferTokenInfo: false
Since all paths are secure by default, there is no “home” page that you can show to unauthenticated users and invite them to login (by visiting the /login
path, or the path specified by security.oauth2.sso.login-path
).
To customize the access rules or paths to protect, so you can add a “home” page for instance, @EnableOAuth2Sso
can be added to a WebSecurityConfigurerAdapter
and the annotation will cause it to be decorated and enhanced with the necessary pieces to get the /login
path working. For example, here we simply allow unauthenticated access to the home page at "/" and keep the default for everything else:
_@Configuration_ public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { _@Override_ public void init(WebSecurity web) { web.ignore("/"); } _@Override_ protected void configure(HttpSecurity http) throws Exception { http.antMatcher("/**").authorizeRequests().anyRequest().authenticated(); } }