I’m implemeting a secure login feature with Spring Security.
I decided to go down the opaque token route (rather than JWT route)
- I didn’t want to expose sensitive security information in the tokens
- I wanted the ability to revoke tokens.
I have some things up and running
- The client sends the authorisation code to the auth server
- The auth server sends back a simple much shorter access token
- The client sends that access token to the resource server (by calling any resource server endpoint)
- The resource server then sends that access token to the auth server
- The auth server then validates that (against some in-memory cache storing tokens, I’m guessing)
- After validating, the auth server then returns either active = false, or active = true, with some other information (e.g. username, expiry date, issuance date, client scopes) back to the resourc server
Now, I want to be able to:
Point 1
- When the auth server tries to validate the access token, to return extra information (such as the sensitive information I didn’t want to send in the opaque access token – such as the user’s authorisations, whether their account is expired, locked, enabled etc.)
- Is there a way therefore of configuring the introspection end point response, such that on a successful validation, it makes another call to my database (via userDetailsService), to get these attributes, and embeds them in the response sent back to the resource server, so the resource server can then create it’s authentication object?
Point 2
- Secondly, to reduce the number of calls between the auth server and resource server (as I think with introspection, a call is made on every http request), can I implement some kind of local caching system, so that when the resource server gets the opaque access token from the client, it first checks the cache for whether it had created an authentication object and uses that, rather than making an introspection call to the auth server. (The cache can have a short lifetime and be not more than the expiry date of the access token)
- I can understand this might have small issues with token revokation since the auth server won’t introspect until the cache timing for that item has expired…unless there is a way to bypass that specifically for revokation?
Point 3
- Should one bother trying to get the extra details in the auth server and sending them back through the introspection endpoint to the resource server, and just let the resource server get the extra details (with another duplicate userDetailsService), and let it create it’s own authenticaiton object from there…?
Here is the relevant part of auth server configuration code:
The resource server is the back-end registered client. It calls the auth server via the introspection end point
I don’t know how to though customise the introspection endpoint response though to include extra information obtained about the front end client, (via another database call):
<code>@Bean
/* registeredClientRepository (defines: authorization grants, OIDC scopes, etc.) */
fun registeredClientRepository(): InMemoryRegisteredClientRepository {
// front-end client
val oidcClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("oidc-client")
.clientSecret(passwordEncoder.encode("secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.redirectUri("https://www.aaa.com/authorized")
.postLogoutRedirectUri("https://www.aaa.com/authorized")
.tokenSettings(
TokenSettings.builder()
.accessTokenFormat(OAuth2TokenFormat.REFERENCE)
.accessTokenTimeToLive(Duration.ofHours(12))
.build())
.scope("OPAQUE")
.scopes { scopes -> scopes.addAll(listOf("read", "write")) }
.scope(OidcScopes.OPENID) // requests an ID token, which is necessary for any OpenID Connect request.
.scope(OidcScopes.PROFILE) // requests access to the user's profile information (e.g., name, date of birth)
.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
.build()
// back-end client
val resourceServer = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("resource_server")
.clientSecret(passwordEncoder.encode("resource_server_secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.build()
return InMemoryRegisteredClientRepository(oidcClient, resourceServer)
}
</code>
<code>@Bean
/* registeredClientRepository (defines: authorization grants, OIDC scopes, etc.) */
fun registeredClientRepository(): InMemoryRegisteredClientRepository {
// front-end client
val oidcClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("oidc-client")
.clientSecret(passwordEncoder.encode("secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.redirectUri("https://www.aaa.com/authorized")
.postLogoutRedirectUri("https://www.aaa.com/authorized")
.tokenSettings(
TokenSettings.builder()
.accessTokenFormat(OAuth2TokenFormat.REFERENCE)
.accessTokenTimeToLive(Duration.ofHours(12))
.build())
.scope("OPAQUE")
.scopes { scopes -> scopes.addAll(listOf("read", "write")) }
.scope(OidcScopes.OPENID) // requests an ID token, which is necessary for any OpenID Connect request.
.scope(OidcScopes.PROFILE) // requests access to the user's profile information (e.g., name, date of birth)
.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
.build()
// back-end client
val resourceServer = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("resource_server")
.clientSecret(passwordEncoder.encode("resource_server_secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.build()
return InMemoryRegisteredClientRepository(oidcClient, resourceServer)
}
</code>
@Bean
/* registeredClientRepository (defines: authorization grants, OIDC scopes, etc.) */
fun registeredClientRepository(): InMemoryRegisteredClientRepository {
// front-end client
val oidcClient = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("oidc-client")
.clientSecret(passwordEncoder.encode("secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
.redirectUri("https://www.aaa.com/authorized")
.postLogoutRedirectUri("https://www.aaa.com/authorized")
.tokenSettings(
TokenSettings.builder()
.accessTokenFormat(OAuth2TokenFormat.REFERENCE)
.accessTokenTimeToLive(Duration.ofHours(12))
.build())
.scope("OPAQUE")
.scopes { scopes -> scopes.addAll(listOf("read", "write")) }
.scope(OidcScopes.OPENID) // requests an ID token, which is necessary for any OpenID Connect request.
.scope(OidcScopes.PROFILE) // requests access to the user's profile information (e.g., name, date of birth)
.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
.build()
// back-end client
val resourceServer = RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("resource_server")
.clientSecret(passwordEncoder.encode("resource_server_secret"))
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.build()
return InMemoryRegisteredClientRepository(oidcClient, resourceServer)
}