I have following Spring Security configuration:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: ${issuer-uri-of-identity}
client:
registration:
some-app:
client-id: ${qwerty.server.client.client-id}
client-secret: ${qwerty.server.client.client-secret}
scope: ${qwerty.server.client.some-app-scope}
authorization-grant-type: client_credentials
provider: qwerty
qwerty:
server:
max-clock-skew: 60
url: ....
scope: my-scope
client:
client-id: ...
client-secret: ....
some-app-scope: my-ticket-scope
And following configuration is used:
private static final Authentication ANONYMOUS_AUTHENTICATION = new AnonymousAuthenticationToken(
"anonymous", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
...
@Bean("someAppRestTemplate")
@Autowired
public RestTemplate buildRestTemplateForSomeApp(RestTemplateBuilder builder) {
return builder
.messageConverters(converter)
.additionalInterceptors(Arrays.asList(contentTypeInterceptor(), oauthInterceptor("some-app")))
.build();
}
...
private ClientHttpRequestInterceptor oauthInterceptor(String id) {
return (r, b, e) -> {
OAuth2AuthorizedClient client = manager.authorize(
OAuth2AuthorizeRequest
.withClientRegistrationId(id)
.principal(ANONYMOUS_AUTHENTICATION)
.build()
);
Assert.notNull(client, "Can not access File Storage Service");
r.getHeaders().setBearerAuth(client.getAccessToken().getTokenValue());
return e.execute(r, b);
};
}
Now I need to do impersonation. So I need to pretend as some user. I need it because of "current user" logic inside some-app application.
How can I reconfigure to achieve it ?
P.S. I tried to google it but I haven't found anything relevant.
CodePudding user response:
RFC 8693 Token Exchange was released jan 2020 and covers this feature. Spring security as of now does not support this fetaure yet, but should be released soon.
you can follow the open issue in Spring Security here:
Provide support for OAuth 2.0 Token Exchange for client
you can read more about the flow in general here on behalf of flow