Issue
I have a spring-boot resource-server configured with opaque-token introspection.
It works, but I'm now trying to opt out of BearerTokenAuthentication, which is the type of Authentication built by OpaqueTokenAuthenticationProvider.
I implemented an OpaqueTokenIntrospector which turns the introspection result into an OAuth2AuthenticatedPrincipal of my choice (an implementation that is an Authentication too), but this is later turned into a BearerTokenAuthentication by OpaqueTokenAuthenticationProvider and I could not find how to change this behavior.
Any clue?
Edit: opened a ticket for that: https://github.com/spring-projects/spring-security/issues/11661
Solution
The feature was merged into the spring-security 5.8 branch.
All that is required now is to provide the resource-server opaque-token configurer with an OpaqueTokenAuthenticationConverter (or a ReactiveOpaqueTokenAuthenticationConverter in webflux apps):
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Bean
SecurityFilterChain filterChain(
        HttpSecurity http,
        OpaqueTokenAuthenticationConverter authenticationConverter) throws Exception {
    // The converter replaces the default one that builds a BearerTokenAuthentication
    http.oauth2ResourceServer().opaqueToken()
            .authenticationConverter(authenticationConverter);
    return http.build();
}
Answered By - ch4mp
Answer Checked By - Senaida (JavaFixing Volunteer)
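Added example (not part of the original question or answer, and not code from the Spring Security project): a complete 5.8-style configuration that shows what the converter bean referenced above might look like. The `IntrospectedTokenAuthentication` class and the `roles` introspection claim are assumptions made for illustration; the `OpaqueTokenAuthenticationConverter` interface (`Authentication convert(String introspectedToken, OAuth2AuthenticatedPrincipal authenticatedPrincipal)`) and the `opaqueToken().authenticationConverter(...)` configurer method are the real 5.8 API.

```java
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class OpaqueTokenConfig {

    /**
     * Hypothetical custom Authentication that replaces BearerTokenAuthentication.
     * It keeps the introspected principal and the raw token value.
     */
    public static final class IntrospectedTokenAuthentication extends AbstractAuthenticationToken {
        private final OAuth2AuthenticatedPrincipal principal;
        private final String tokenValue;

        IntrospectedTokenAuthentication(OAuth2AuthenticatedPrincipal principal, String tokenValue,
                Collection<? extends GrantedAuthority> authorities) {
            super(authorities);
            this.principal = principal;
            this.tokenValue = tokenValue;
            // The converter is only invoked after the introspector has confirmed the token
            // is active, so the resulting Authentication can be marked authenticated.
            setAuthenticated(true);
        }

        @Override public Object getCredentials() { return tokenValue; }
        @Override public Object getPrincipal() { return principal; }
        @Override public String getName() { return principal.getName(); }
    }

    @Bean
    OpaqueTokenAuthenticationConverter authenticationConverter() {
        return (introspectedToken, authenticatedPrincipal) -> {
            // Keep the authorities the introspector already derived (SCOPE_* from "scope")
            // and add ROLE_* from an assumed "roles" claim; only claims that actually came back
            // from the authorization server's introspection endpoint should ever widen authorities.
            List<String> roles = authenticatedPrincipal.getAttribute("roles");
            List<String> safeRoles = roles == null ? List.of() : roles;
            Collection<GrantedAuthority> authorities = Stream.<GrantedAuthority>concat(
                    authenticatedPrincipal.getAuthorities().stream(),
                    safeRoles.stream().map(r -> new SimpleGrantedAuthority("ROLE_" + r)))
                .collect(Collectors.toList());
            return new IntrospectedTokenAuthentication(authenticatedPrincipal, introspectedToken, authorities);
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            OpaqueTokenAuthenticationConverter authenticationConverter) throws Exception {
        http.authorizeHttpRequests(requests -> requests.anyRequest().authenticated());
        http.oauth2ResourceServer().opaqueToken()
                .authenticationConverter(authenticationConverter);
        return http.build();
    }
}
```

With this in place, `SecurityContextHolder.getContext().getAuthentication()` in a controller is an `IntrospectedTokenAuthentication` rather than a `BearerTokenAuthentication`, while token validation itself still happens in the `OpaqueTokenIntrospector` before the converter runs.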