Context - Spring + OAuth2
...
Retrieve the appropriate claim from the token to be matched with the username in the profile service
Verify the user exists, and retrieve the user’s roles and principles for authorization
Set the calling service’s security context with the retrieved authorities (do we want to do this?)#
A high level idea of this can be seen below:
...
SharedAuthencticationSuccessHandler
(implements AuthenticationSuccessHandler
) (needs new name)Instantiated with following dependencies/params:
SecurityContext
(is this bad?) - for setting granted authoritiesJwtUtil
(another shared component, see below) - for decoding token to retrieve user detailsUserDetailsService
- for retrieving user details
Does the following in its
onAuthenticationSuccess
method:Decodes token to find username (email) using
JwtUtil
Fetches user details from
UserDetailsService
Extracts granted authorities from
UserInfo
and sets them inSecurityContext
Authorization can now be performed on controllers etc within the calling service
JwtUtil
class (again, needs a better name)Instantiated with the following dependencies/params:
jwkSetUri
String configured as an application propertyjwtIssuer
String configured as an application propertyusernameClaim
String configured as an application property (this is because we use email as the username)creates a
NimbusJwtDecoder
Bean fromjwkSetUri
andjwtIssuer
Does the following:
Method to retrieve the username from the token
UserDetailsService
- Already exists, fetches user infor by user name
...
One Ticket to implement the new Shared Components (enough of a vertical slice?)
One Ticket per service to switch over configuration (possibly with different subtasks depending on authorization/redirect requirements of each service)
Tech Sharing 12/12/24
Questions:
how are subsequent requests from a UI application handled?
How would this work?
Login to cognito and grab a token somehow (browser, service logs/ whatever)
Close InCognito Browsers
Start User Management on your working branch
Open Postman
Send a request with the token in the
Authorization
header.Does it redirect you to Cognito?