Spring OAuth (OAuth2): How can I get the client credentials in a Spring MVC controller?
-
02-07-2021 - |
题
In this snippet:
@RequestMapping(method = GET)
public List<Place> read(Principal principal) {
principal.getName();
}
principal.getName()
gives me the user identification but I need a way to receive the client credentials (client => the app who is using my API). How can I do this?
解决方案 2
I found a reasonable solution based on @luke-taylor answer.
@RequestMapping(method = GET)
public List<Place> read(OAuth2Authentication auth) {
auth.getOAuth2Request().getClientId()
}
其他提示
The client identity is available from the Authentication
object which you can either cast the principal to, or get directly from the thread-local security context. Something like
Authentication a = SecurityContextHolder.getContext().getAuthentication();
String clientId = ((OAuth2Authentication) a).getAuthorizationRequest().getClientId();
If you don't want to put that code directly into your controller, you can implement a separate context accessor as described in this answer and inject that into it instead.
Fleshing out the HandlerMethodArgumentResolver
option a bit more. In order to support the following:
@RequestMapping(
value = WEB_HOOKS,
method = RequestMethod.GET,
produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseStatus(HttpStatus.OK)
public List<SomeDTO> getThoseDTOs(@CurrentClientId String clientId)
{
// Do something with clientId - it will be null if there was no authentication
}
We'll need the HandlerMethodArgumentResolver
registered with our Application Context (for me this was inside a WebMvcConfigurerAdapter
). My HandlerMethodArgumentResolver
looks like this:
public class OAuth2ClientIdArgumentResolver implements HandlerMethodArgumentResolver {
@Override
public boolean supportsParameter(MethodParameter parameter) {
return parameter.getParameterAnnotation(CurrentClientId.class) != null
&& parameter.getParameterType().equals(String.class);
}
@Override
public Object resolveArgument(
MethodParameter parameter,
ModelAndViewContainer mavContainer,
NativeWebRequest webRequest,
WebDataBinderFactory binderFactory)
throws Exception
{
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if(authentication == null) {
return null;
}
String clientId = null;
if (authentication.getClass().isAssignableFrom(OAuth2Authentication.class)) {
clientId = ((OAuth2Authentication) authentication).getOAuth2Request().getClientId();
}
return clientId;
}
}
And the @interface
definition:
@Target({ElementType.PARAMETER, ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
public @interface CurrentClientId {
}
A simple way to retrieve the clientId
is loading the currently authenticated principal
. The principal
can be defined directly as a method argument and it will be correctly resolved by the framework.
Here is an example:
@RequestMapping(method = RequestMethod.GET)
public Map<String, String> getUserInfo(Principal principal) {
OAuth2Authentication oauth = (OAuth2Authentication) principal;
Map<String, String> userInfo = new LinkedHashMap<>();
userInfo.put("username", principal.getName());
userInfo.put("clientId", oauth.getOAuth2Request().getClientId());
return userInfo;
}
It's also possible to obtain declaring a org.springframework.security.oauth2.jwt.Jwt
object with org.springframework.security.core.annotation.AuthenticationPrincipal
annotation.
@GetMapping
public String showClientId(@AuthenticationPrincipal Jwt principal) {
return principal.getClaimAsString("clientId");
}