(window.webpackJsonp=window.webpackJsonp||[]).push([[206],{638:function(e,t,n){"use strict";n.r(t);var a=n(56),r=Object(a.a)({},(function(){var e=this,t=e.$createElement,n=e._self._c||t;return n("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[n("h1",{attrs:{id:"oauth-2-0-resource-server-opaque-token"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#oauth-2-0-resource-server-opaque-token"}},[e._v("#")]),e._v(" OAuth 2.0 Resource Server Opaque Token")]),e._v(" "),n("h2",{attrs:{id:"minimal-dependencies-for-introspection"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#minimal-dependencies-for-introspection"}},[e._v("#")]),e._v(" Minimal Dependencies for Introspection")]),e._v(" "),n("p",[e._v("As described in "),n("RouterLink",{attrs:{to:"/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-minimaldependencies"}},[e._v("Minimal Dependencies for JWT")]),e._v(" most of Resource Server support is collected in "),n("code",[e._v("spring-security-oauth2-resource-server")]),e._v(".\nHowever unless a custom "),n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-introspector-bean"}},[n("code",[e._v("ReactiveOpaqueTokenIntrospector")])]),e._v(" is provided, the Resource Server will fallback to ReactiveOpaqueTokenIntrospector.\nMeaning that both "),n("code",[e._v("spring-security-oauth2-resource-server")]),e._v(" and "),n("code",[e._v("oauth2-oidc-sdk")]),e._v(" are necessary in order to have a working minimal Resource Server that supports opaque Bearer Tokens.\nPlease refer to "),n("code",[e._v("spring-security-oauth2-resource-server")]),e._v(" in order to determin the correct version for "),n("code",[e._v("oauth2-oidc-sdk")]),e._v(".")],1),e._v(" "),n("h2",{attrs:{id:"minimal-configuration-for-introspection"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#minimal-configuration-for-introspection"}},[e._v("#")]),e._v(" Minimal Configuration for Introspection")]),e._v(" "),n("p",[e._v("Typically, an opaque token can be verified via an "),n("a",{attrs:{href:"https://tools.ietf.org/html/rfc7662",target:"_blank",rel:"noopener noreferrer"}},[e._v("OAuth 2.0 Introspection Endpoint"),n("OutboundLink")],1),e._v(", hosted by the authorization server.\nThis can be handy when revocation is a requirement.")]),e._v(" "),n("p",[e._v("When using "),n("a",{attrs:{href:"https://spring.io/projects/spring-boot",target:"_blank",rel:"noopener noreferrer"}},[e._v("Spring Boot"),n("OutboundLink")],1),e._v(", configuring an application as a resource server that uses introspection consists of two basic steps.\nFirst, include the needed dependencies and second, indicate the introspection endpoint details.")]),e._v(" "),n("h3",{attrs:{id:"specifying-the-authorization-server"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#specifying-the-authorization-server"}},[e._v("#")]),e._v(" Specifying the Authorization Server")]),e._v(" "),n("p",[e._v("To specify where the introspection endpoint is, simply do:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("security:\n oauth2:\n resourceserver:\n opaque-token:\n introspection-uri: https://idp.example.com/introspect\n client-id: client\n client-secret: secret\n")])])]),n("p",[e._v("Where "),n("code",[e._v("[https://idp.example.com/introspect](https://idp.example.com/introspect)")]),e._v(" is the introspection endpoint hosted by your authorization server and "),n("code",[e._v("client-id")]),e._v(" and "),n("code",[e._v("client-secret")]),e._v(" are the credentials needed to hit that endpoint.")]),e._v(" "),n("p",[e._v("Resource Server will use these properties to further self-configure and subsequently validate incoming JWTs.")]),e._v(" "),n("table",[n("thead",[n("tr",[n("th"),e._v(" "),n("th",[e._v("When using introspection, the authorization server’s word is the law."),n("br"),e._v("If the authorization server responses that the token is valid, then it is.")])])]),e._v(" "),n("tbody")]),e._v(" "),n("p",[e._v("And that’s it!")]),e._v(" "),n("h3",{attrs:{id:"startup-expectations"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#startup-expectations"}},[e._v("#")]),e._v(" Startup Expectations")]),e._v(" "),n("p",[e._v("When this property and these dependencies are used, Resource Server will automatically configure itself to validate Opaque Bearer Tokens.")]),e._v(" "),n("p",[e._v("This startup process is quite a bit simpler than for JWTs since no endpoints need to be discovered and no additional validation rules get added.")]),e._v(" "),n("h3",{attrs:{id:"runtime-expectations"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#runtime-expectations"}},[e._v("#")]),e._v(" Runtime Expectations")]),e._v(" "),n("p",[e._v("Once the application is started up, Resource Server will attempt to process any request containing an "),n("code",[e._v("Authorization: Bearer")]),e._v(" header:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("GET / HTTP/1.1\nAuthorization: Bearer some-token-value # Resource Server will process this\n")])])]),n("p",[e._v("So long as this scheme is indicated, Resource Server will attempt to process the request according to the Bearer Token specification.")]),e._v(" "),n("p",[e._v("Given an Opaque Token, Resource Server will")]),e._v(" "),n("ol",[n("li",[n("p",[e._v("Query the provided introspection endpoint using the provided credentials and the token")])]),e._v(" "),n("li",[n("p",[e._v("Inspect the response for an "),n("code",[e._v("{ 'active' : true }")]),e._v(" attribute")])]),e._v(" "),n("li",[n("p",[e._v("Map each scope to an authority with the prefix "),n("code",[e._v("SCOPE_")])])])]),e._v(" "),n("p",[e._v("The resulting "),n("code",[e._v("Authentication#getPrincipal")]),e._v(", by default, is a Spring Security "),n("code",[e._v("[OAuth2AuthenticatedPrincipal](https://docs.spring.io/spring-security/site/docs/5.6.2/api/org/springframework/security/oauth2/core/OAuth2AuthenticatedPrincipal.html)")]),e._v(" object, and "),n("code",[e._v("Authentication#getName")]),e._v(" maps to the token’s "),n("code",[e._v("sub")]),e._v(" property, if one is present.")]),e._v(" "),n("p",[e._v("From here, you may want to jump to:")]),e._v(" "),n("ul",[n("li",[n("p",[n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-attributes"}},[e._v("Looking Up Attributes Post-Authentication")])])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-authorization-extraction"}},[e._v("Extracting Authorities Manually")])])]),e._v(" "),n("li",[n("p",[n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-jwt-introspector"}},[e._v("Using Introspection with JWTs")])])])]),e._v(" "),n("h2",{attrs:{id:"looking-up-attributes-post-authentication"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#looking-up-attributes-post-authentication"}},[e._v("#")]),e._v(" Looking Up Attributes Post-Authentication")]),e._v(" "),n("p",[e._v("Once a token is authenticated, an instance of "),n("code",[e._v("BearerTokenAuthentication")]),e._v(" is set in the "),n("code",[e._v("SecurityContext")]),e._v(".")]),e._v(" "),n("p",[e._v("This means that it’s available in "),n("code",[e._v("@Controller")]),e._v(" methods when using "),n("code",[e._v("@EnableWebFlux")]),e._v(" in your configuration:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@GetMapping("/foo")\npublic Mono foo(BearerTokenAuthentication authentication) {\n return Mono.just(authentication.getTokenAttributes().get("sub") + " is the subject");\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@GetMapping("/foo")\nfun foo(authentication: BearerTokenAuthentication): Mono {\n return Mono.just(authentication.tokenAttributes["sub"].toString() + " is the subject")\n}\n')])])]),n("p",[e._v("Since "),n("code",[e._v("BearerTokenAuthentication")]),e._v(" holds an "),n("code",[e._v("OAuth2AuthenticatedPrincipal")]),e._v(", that also means that it’s available to controller methods, too:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@GetMapping("/foo")\npublic Mono foo(@AuthenticationPrincipal OAuth2AuthenticatedPrincipal principal) {\n return Mono.just(principal.getAttribute("sub") + " is the subject");\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@GetMapping("/foo")\nfun foo(@AuthenticationPrincipal principal: OAuth2AuthenticatedPrincipal): Mono {\n return Mono.just(principal.getAttribute("sub").toString() + " is the subject")\n}\n')])])]),n("h3",{attrs:{id:"looking-up-attributes-via-spel"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#looking-up-attributes-via-spel"}},[e._v("#")]),e._v(" Looking Up Attributes Via SpEL")]),e._v(" "),n("p",[e._v("Of course, this also means that attributes can be accessed via SpEL.")]),e._v(" "),n("p",[e._v("For example, if using "),n("code",[e._v("@EnableReactiveMethodSecurity")]),e._v(" so that you can use "),n("code",[e._v("@PreAuthorize")]),e._v(" annotations, you can do:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@PreAuthorize(\"principal?.attributes['sub'] = 'foo'\")\npublic Mono forFoosEyesOnly() {\n return Mono.just(\"foo\");\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@PreAuthorize(\"principal.attributes['sub'] = 'foo'\")\nfun forFoosEyesOnly(): Mono {\n return Mono.just(\"foo\")\n}\n")])])]),n("h2",{attrs:{id:"overriding-or-replacing-boot-auto-configuration"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#overriding-or-replacing-boot-auto-configuration"}},[e._v("#")]),e._v(" Overriding or Replacing Boot Auto Configuration")]),e._v(" "),n("p",[e._v("There are two "),n("code",[e._v("@Bean")]),e._v("s that Spring Boot generates on Resource Server’s behalf.")]),e._v(" "),n("p",[e._v("The first is a "),n("code",[e._v("SecurityWebFilterChain")]),e._v(" that configures the app as a resource server.\nWhen use Opaque Token, this "),n("code",[e._v("SecurityWebFilterChain")]),e._v(" looks like:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nSecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n\thttp\n\t\t.authorizeExchange(exchanges -> exchanges\n\t\t\t.anyExchange().authenticated()\n\t\t)\n\t\t.oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken)\n\treturn http.build();\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken { }\n }\n }\n}\n")])])]),n("p",[e._v("If the application doesn’t expose a "),n("code",[e._v("SecurityWebFilterChain")]),e._v(" bean, then Spring Boot will expose the above default one.")]),e._v(" "),n("p",[e._v("Replacing this is as simple as exposing the bean within the application:")]),e._v(" "),n("p",[e._v("Example 1. Replacing SecurityWebFilterChain")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@EnableWebFluxSecurity\npublic class MyCustomSecurityConfiguration {\n @Bean\n SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n http\n .authorizeExchange(exchanges -> exchanges\n .pathMatchers("/messages/**").hasAuthority("SCOPE_message:read")\n .anyExchange().authenticated()\n )\n .oauth2ResourceServer(oauth2 -> oauth2\n .opaqueToken(opaqueToken -> opaqueToken\n .introspector(myIntrospector())\n )\n );\n return http.build();\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize("/messages/**", hasAuthority("SCOPE_message:read"))\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken {\n introspector = myIntrospector()\n }\n }\n }\n}\n')])])]),n("p",[e._v("The above requires the scope of "),n("code",[e._v("message:read")]),e._v(" for any URL that starts with "),n("code",[e._v("/messages/")]),e._v(".")]),e._v(" "),n("p",[e._v("Methods on the "),n("code",[e._v("oauth2ResourceServer")]),e._v(" DSL will also override or replace auto configuration.")]),e._v(" "),n("p",[e._v("For example, the second "),n("code",[e._v("@Bean")]),e._v(" Spring Boot creates is a "),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(", which decodes "),n("code",[e._v("String")]),e._v(" tokens into validated instances of "),n("code",[e._v("OAuth2AuthenticatedPrincipal")]),e._v(":")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\npublic ReactiveOpaqueTokenIntrospector introspector() {\n return new NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret)\n}\n")])])]),n("p",[e._v("If the application doesn’t expose a "),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(" bean, then Spring Boot will expose the above default one.")]),e._v(" "),n("p",[e._v("And its configuration can be overridden using "),n("code",[e._v("introspectionUri()")]),e._v(" and "),n("code",[e._v("introspectionClientCredentials()")]),e._v(" or replaced using "),n("code",[e._v("introspector()")]),e._v(".")]),e._v(" "),n("h3",{attrs:{id:""}},[n("a",{staticClass:"header-anchor",attrs:{href:"#"}},[e._v("#")]),e._v(" `")]),e._v(" "),n("p",[e._v("An authorization server’s Introspection Uri can be configured "),n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-introspectionuri"}},[e._v("as a configuration property")]),e._v(" or it can be supplied in the DSL:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@EnableWebFluxSecurity\npublic class DirectlyConfiguredIntrospectionUri {\n @Bean\n SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n http\n .authorizeExchange(exchanges -> exchanges\n .anyExchange().authenticated()\n )\n .oauth2ResourceServer(oauth2 -> oauth2\n .opaqueToken(opaqueToken -> opaqueToken\n .introspectionUri("https://idp.example.com/introspect")\n .introspectionClientCredentials("client", "secret")\n )\n );\n return http.build();\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken {\n introspectionUri = "https://idp.example.com/introspect"\n introspectionClientCredentials("client", "secret")\n }\n }\n }\n}\n')])])]),n("p",[e._v("Using "),n("code",[e._v("introspectionUri()")]),e._v(" takes precedence over any configuration property.")]),e._v(" "),n("h3",{attrs:{id:"-2"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#-2"}},[e._v("#")]),e._v(" `")]),e._v(" "),n("p",[e._v("More powerful than "),n("code",[e._v("introspectionUri()")]),e._v(" is "),n("code",[e._v("introspector()")]),e._v(", which will completely replace any Boot auto configuration of "),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(":")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@EnableWebFluxSecurity\npublic class DirectlyConfiguredIntrospector {\n @Bean\n SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n http\n .authorizeExchange(exchanges -> exchanges\n .anyExchange().authenticated()\n )\n .oauth2ResourceServer(oauth2 -> oauth2\n .opaqueToken(opaqueToken -> opaqueToken\n .introspector(myCustomIntrospector())\n )\n );\n return http.build();\n }\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken {\n introspector = myCustomIntrospector()\n }\n }\n }\n}\n")])])]),n("p",[e._v("This is handy when deeper configuration, like "),n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-authorization-extraction"}},[e._v("authority mapping")]),e._v("or "),n("a",{attrs:{href:"#webflux-oauth2resourceserver-opaque-jwt-introspector"}},[e._v("JWT revocation")]),e._v(" is necessary.")]),e._v(" "),n("h3",{attrs:{id:"exposing-a-reactiveopaquetokenintrospector-bean"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#exposing-a-reactiveopaquetokenintrospector-bean"}},[e._v("#")]),e._v(" Exposing a "),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(" "),n("code",[e._v("@Bean")])]),e._v(" "),n("p",[e._v("Or, exposing a "),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(" "),n("code",[e._v("@Bean")]),e._v(" has the same effect as "),n("code",[e._v("introspector()")]),e._v(":")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\npublic ReactiveOpaqueTokenIntrospector introspector() {\n return new NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret);\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return NimbusReactiveOpaqueTokenIntrospector(introspectionUri, clientId, clientSecret)\n}\n")])])]),n("h2",{attrs:{id:"configuring-authorization"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#configuring-authorization"}},[e._v("#")]),e._v(" Configuring Authorization")]),e._v(" "),n("p",[e._v("An OAuth 2.0 Introspection endpoint will typically return a "),n("code",[e._v("scope")]),e._v(" attribute, indicating the scopes (or authorities) it’s been granted, for example:")]),e._v(" "),n("p",[n("code",[e._v('{ …, "scope" : "messages contacts"}')])]),e._v(" "),n("p",[e._v('When this is the case, Resource Server will attempt to coerce these scopes into a list of granted authorities, prefixing each scope with the string "SCOPE_".')]),e._v(" "),n("p",[e._v("This means that to protect an endpoint or method with a scope derived from an Opaque Token, the corresponding expressions should include this prefix:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@EnableWebFluxSecurity\npublic class MappedAuthorities {\n @Bean\n SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {\n http\n .authorizeExchange(exchange -> exchange\n .pathMatchers("/contacts/**").hasAuthority("SCOPE_contacts")\n .pathMatchers("/messages/**").hasAuthority("SCOPE_messages")\n .anyExchange().authenticated()\n )\n .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::opaqueToken);\n return http.build();\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('@Bean\nfun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {\n return http {\n authorizeExchange {\n authorize("/contacts/**", hasAuthority("SCOPE_contacts"))\n authorize("/messages/**", hasAuthority("SCOPE_messages"))\n authorize(anyExchange, authenticated)\n }\n oauth2ResourceServer {\n opaqueToken { }\n }\n }\n}\n')])])]),n("p",[e._v("Or similarly with method security:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@PreAuthorize(\"hasAuthority('SCOPE_messages')\")\npublic Flux getMessages(...) {}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@PreAuthorize(\"hasAuthority('SCOPE_messages')\")\nfun getMessages(): Flux { }\n")])])]),n("h3",{attrs:{id:"extracting-authorities-manually"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#extracting-authorities-manually"}},[e._v("#")]),e._v(" Extracting Authorities Manually")]),e._v(" "),n("p",[e._v("By default, Opaque Token support will extract the scope claim from an introspection response and parse it into individual "),n("code",[e._v("GrantedAuthority")]),e._v(" instances.")]),e._v(" "),n("p",[e._v("For example, if the introspection response were:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('{\n "active" : true,\n "scope" : "message:read message:write"\n}\n')])])]),n("p",[e._v("Then Resource Server would generate an "),n("code",[e._v("Authentication")]),e._v(" with two authorities, one for "),n("code",[e._v("message:read")]),e._v(" and the other for "),n("code",[e._v("message:write")]),e._v(".")]),e._v(" "),n("p",[e._v("This can, of course, be customized using a custom "),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(" that takes a look at the attribute set and converts in its own way:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('public class CustomAuthoritiesOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {\n private ReactiveOpaqueTokenIntrospector delegate =\n new NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");\n\n public Mono introspect(String token) {\n return this.delegate.introspect(token)\n .map(principal -> new DefaultOAuth2AuthenticatedPrincipal(\n principal.getName(), principal.getAttributes(), extractAuthorities(principal)));\n }\n\n private Collection extractAuthorities(OAuth2AuthenticatedPrincipal principal) {\n List scopes = principal.getAttribute(OAuth2IntrospectionClaimNames.SCOPE);\n return scopes.stream()\n .map(SimpleGrantedAuthority::new)\n .collect(Collectors.toList());\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('class CustomAuthoritiesOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {\n private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")\n override fun introspect(token: String): Mono {\n return delegate.introspect(token)\n .map { principal: OAuth2AuthenticatedPrincipal ->\n DefaultOAuth2AuthenticatedPrincipal(\n principal.name, principal.attributes, extractAuthorities(principal))\n }\n }\n\n private fun extractAuthorities(principal: OAuth2AuthenticatedPrincipal): Collection {\n val scopes = principal.getAttribute>(OAuth2IntrospectionClaimNames.SCOPE)\n return scopes\n .map { SimpleGrantedAuthority(it) }\n }\n}\n')])])]),n("p",[e._v("Thereafter, this custom introspector can be configured simply by exposing it as a "),n("code",[e._v("@Bean")]),e._v(":")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\npublic ReactiveOpaqueTokenIntrospector introspector() {\n return new CustomAuthoritiesOpaqueTokenIntrospector();\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return CustomAuthoritiesOpaqueTokenIntrospector()\n}\n")])])]),n("h2",{attrs:{id:"using-introspection-with-jwts"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#using-introspection-with-jwts"}},[e._v("#")]),e._v(" Using Introspection with JWTs")]),e._v(" "),n("p",[e._v("A common question is whether or not introspection is compatible with JWTs.\nSpring Security’s Opaque Token support has been designed to not care about the format of the token — it will gladly pass any token to the introspection endpoint provided.")]),e._v(" "),n("p",[e._v("So, let’s say that you’ve got a requirement that requires you to check with the authorization server on each request, in case the JWT has been revoked.")]),e._v(" "),n("p",[e._v("Even though you are using the JWT format for the token, your validation method is introspection, meaning you’d want to do:")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("spring:\n security:\n oauth2:\n resourceserver:\n opaque-token:\n introspection-uri: https://idp.example.org/introspection\n client-id: client\n client-secret: secret\n")])])]),n("p",[e._v("In this case, the resulting "),n("code",[e._v("Authentication")]),e._v(" would be "),n("code",[e._v("BearerTokenAuthentication")]),e._v(".\nAny attributes in the corresponding "),n("code",[e._v("OAuth2AuthenticatedPrincipal")]),e._v(" would be whatever was returned by the introspection endpoint.")]),e._v(" "),n("p",[e._v("But, let’s say that, oddly enough, the introspection endpoint only returns whether or not the token is active.\nNow what?")]),e._v(" "),n("p",[e._v("In this case, you can create a custom "),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(" that still hits the endpoint, but then updates the returned principal to have the JWTs claims as the attributes:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('public class JwtOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {\n\tprivate ReactiveOpaqueTokenIntrospector delegate =\n\t\t\tnew NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");\n\tprivate ReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(new ParseOnlyJWTProcessor());\n\n\tpublic Mono introspect(String token) {\n\t\treturn this.delegate.introspect(token)\n\t\t\t\t.flatMap(principal -> this.jwtDecoder.decode(token))\n\t\t\t\t.map(jwt -> new DefaultOAuth2AuthenticatedPrincipal(jwt.getClaims(), NO_AUTHORITIES));\n\t}\n\n\tprivate static class ParseOnlyJWTProcessor implements Converter> {\n\t\tpublic Mono convert(JWT jwt) {\n\t\t\ttry {\n\t\t\t\treturn Mono.just(jwt.getJWTClaimsSet());\n\t\t\t} catch (Exception ex) {\n\t\t\t\treturn Mono.error(ex);\n\t\t\t}\n\t\t}\n\t}\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('class JwtOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {\n private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")\n private val jwtDecoder: ReactiveJwtDecoder = NimbusReactiveJwtDecoder(ParseOnlyJWTProcessor())\n override fun introspect(token: String): Mono {\n return delegate.introspect(token)\n .flatMap { jwtDecoder.decode(token) }\n .map { jwt: Jwt -> DefaultOAuth2AuthenticatedPrincipal(jwt.claims, NO_AUTHORITIES) }\n }\n\n private class ParseOnlyJWTProcessor : Converter> {\n override fun convert(jwt: JWT): Mono {\n return try {\n Mono.just(jwt.jwtClaimsSet)\n } catch (e: Exception) {\n Mono.error(e)\n }\n }\n }\n}\n')])])]),n("p",[e._v("Thereafter, this custom introspector can be configured simply by exposing it as a "),n("code",[e._v("@Bean")]),e._v(":")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\npublic ReactiveOpaqueTokenIntrospector introspector() {\n return new JwtOpaqueTokenIntropsector();\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return JwtOpaqueTokenIntrospector()\n}\n")])])]),n("h2",{attrs:{id:"calling-a-userinfo-endpoint"}},[n("a",{staticClass:"header-anchor",attrs:{href:"#calling-a-userinfo-endpoint"}},[e._v("#")]),e._v(" Calling a "),n("code",[e._v("/userinfo")]),e._v(" Endpoint")]),e._v(" "),n("p",[e._v("Generally speaking, a Resource Server doesn’t care about the underlying user, but instead about the authorities that have been granted.")]),e._v(" "),n("p",[e._v("That said, at times it can be valuable to tie the authorization statement back to a user.")]),e._v(" "),n("p",[e._v("If an application is also using "),n("code",[e._v("spring-security-oauth2-client")]),e._v(", having set up the appropriate "),n("code",[e._v("ClientRegistrationRepository")]),e._v(", then this is quite simple with a custom "),n("code",[e._v("OpaqueTokenIntrospector")]),e._v(".\nThis implementation below does three things:")]),e._v(" "),n("ul",[n("li",[n("p",[e._v("Delegates to the introspection endpoint, to affirm the token’s validity")])]),e._v(" "),n("li",[n("p",[e._v("Looks up the appropriate client registration associated with the "),n("code",[e._v("/userinfo")]),e._v(" endpoint")])]),e._v(" "),n("li",[n("p",[e._v("Invokes and returns the response from the "),n("code",[e._v("/userinfo")]),e._v(" endpoint")])])]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {\n\tprivate final ReactiveOpaqueTokenIntrospector delegate =\n\t\t\tnew NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");\n\tprivate final ReactiveOAuth2UserService oauth2UserService =\n\t\t\tnew DefaultReactiveOAuth2UserService();\n\n\tprivate final ReactiveClientRegistrationRepository repository;\n\n\t// ... constructor\n\n\t@Override\n\tpublic Mono introspect(String token) {\n\t\treturn Mono.zip(this.delegate.introspect(token), this.repository.findByRegistrationId("registration-id"))\n\t\t\t\t.map(t -> {\n\t\t\t\t\tOAuth2AuthenticatedPrincipal authorized = t.getT1();\n\t\t\t\t\tClientRegistration clientRegistration = t.getT2();\n\t\t\t\t\tInstant issuedAt = authorized.getAttribute(ISSUED_AT);\n\t\t\t\t\tInstant expiresAt = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT);\n\t\t\t\t\tOAuth2AccessToken accessToken = new OAuth2AccessToken(BEARER, token, issuedAt, expiresAt);\n\t\t\t\t\treturn new OAuth2UserRequest(clientRegistration, accessToken);\n\t\t\t\t})\n\t\t\t\t.flatMap(this.oauth2UserService::loadUser);\n\t}\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {\n private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")\n private val oauth2UserService: ReactiveOAuth2UserService = DefaultReactiveOAuth2UserService()\n private val repository: ReactiveClientRegistrationRepository? = null\n\n // ... constructor\n override fun introspect(token: String?): Mono {\n return Mono.zip(delegate.introspect(token), repository!!.findByRegistrationId("registration-id"))\n .map { t: Tuple2 ->\n val authorized = t.t1\n val clientRegistration = t.t2\n val issuedAt: Instant? = authorized.getAttribute(ISSUED_AT)\n val expiresAt: Instant? = authorized.getAttribute(OAuth2IntrospectionClaimNames.EXPIRES_AT)\n val accessToken = OAuth2AccessToken(BEARER, token, issuedAt, expiresAt)\n OAuth2UserRequest(clientRegistration, accessToken)\n }\n .flatMap { userRequest: OAuth2UserRequest -> oauth2UserService.loadUser(userRequest) }\n }\n}\n')])])]),n("p",[e._v("If you aren’t using "),n("code",[e._v("spring-security-oauth2-client")]),e._v(", it’s still quite simple.\nYou will simply need to invoke the "),n("code",[e._v("/userinfo")]),e._v(" with your own instance of "),n("code",[e._v("WebClient")]),e._v(":")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('public class UserInfoOpaqueTokenIntrospector implements ReactiveOpaqueTokenIntrospector {\n private final ReactiveOpaqueTokenIntrospector delegate =\n new NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret");\n private final WebClient rest = WebClient.create();\n\n @Override\n public Mono introspect(String token) {\n return this.delegate.introspect(token)\n\t\t .map(this::makeUserInfoRequest);\n }\n}\n')])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v('class UserInfoOpaqueTokenIntrospector : ReactiveOpaqueTokenIntrospector {\n private val delegate: ReactiveOpaqueTokenIntrospector = NimbusReactiveOpaqueTokenIntrospector("https://idp.example.org/introspect", "client", "secret")\n private val rest: WebClient = WebClient.create()\n\n override fun introspect(token: String): Mono {\n return delegate.introspect(token)\n .map(this::makeUserInfoRequest)\n }\n}\n')])])]),n("p",[e._v("Either way, having created your "),n("code",[e._v("ReactiveOpaqueTokenIntrospector")]),e._v(", you should publish it as a "),n("code",[e._v("@Bean")]),e._v(" to override the defaults:")]),e._v(" "),n("p",[e._v("Java")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nReactiveOpaqueTokenIntrospector introspector() {\n return new UserInfoOpaqueTokenIntrospector();\n}\n")])])]),n("p",[e._v("Kotlin")]),e._v(" "),n("div",{staticClass:"language- extra-class"},[n("pre",{pre:!0,attrs:{class:"language-text"}},[n("code",[e._v("@Bean\nfun introspector(): ReactiveOpaqueTokenIntrospector {\n return UserInfoOpaqueTokenIntrospector()\n}\n")])])]),n("p",[n("RouterLink",{attrs:{to:"/en/spring-security/jwt.html"}},[e._v("JWT")]),n("RouterLink",{attrs:{to:"/en/spring-security/multitenancy.html"}},[e._v("Multitenancy")])],1)])}),[],!1,null,null,null);t.default=r.exports}}]);