javaspringspring-securityspring-security-oauth2token-exchange

Token exchange in Spring OAuth2 client credentials flow


I have following Spring Security configuration:

  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: ${issuer-uri-of-identity}
      client:
        registration:
          some-app:
            client-id: ${qwerty.server.client.client-id}
            client-secret: ${qwerty.server.client.client-secret}
            scope: ${qwerty.server.client.some-app-scope}
            authorization-grant-type: client_credentials
            provider: qwerty

qwerty:
  server:
    max-clock-skew: 60
    url: ....
    scope: my-scope
    client:
      client-id: ...
      client-secret: ....
      some-app-scope: my-ticket-scope

And following configuration is used:

    private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken(
            "anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
    ...
    @Bean("someAppRestTemplate")
    @Autowired
    public RestTemplate buildRestTemplateForSomeApp(RestTemplateBuilder builder) {
        return builder
                .messageConverters(converter)
                .additionalInterceptors(Arrays.asList(contentTypeInterceptor(), oauthInterceptor("some-app")))
                .build();
    }
   ...
   private ClientHttpRequestInterceptor oauthInterceptor(String id) {
        return (r, b, e) -> {
            OAuth2AuthorizedClient client = manager.authorize(
                    OAuth2AuthorizeRequest
                            .withClientRegistrationId(id)
                            .principal(ANONYMOUS_AUTHENTICATION)
                            .build()
            );
            Assert.notNull(client, "Can not access File Storage Service");
            r.getHeaders().setBearerAuth(client.getAccessToken().getTokenValue());
            return e.execute(r, b);
        };
    }

Now I need to do impersonation(https://datatracker.ietf.org/doc/html/rfc8693). So I need to pretend as some user. I need it because of "current user" logic inside some-app application.

How can I reconfigure to achieve it ?

P.S. I tried to google it but I haven't found anything relevant.


Solution

  • RFC 8693 Token Exchange was released jan 2020 and covers this feature. Spring security as of now does not support this fetaure yet, but should be released soon.

    you can follow the open issue in Spring Security here:

    Provide support for OAuth 2.0 Token Exchange for client

    you can read more about the flow in general here on behalf of flow