token endpoint: align response with old spring-security-oauth (#1108)
Comments
After some more digging around I stumbled upon some similar issues (#1000, #925) and could solve my current issues with the solutions mentioned in the comment(s). I would vote +1 though on an easier way to hook into this part, it felt like there was a lot of code copied for, essentially, just adding two keys to the additional parameters:

```kotlin
builder.additionalParameters(
    mapOf(
        "jti" to decodedAccessToken.id,
        "token_type" to accessToken.tokenType.value.lowercase() // because the old project had it lowercase
    )
)
```
Hi @emilburzo,
Can you share what you did specifically here? I'm not clear if you're asking for an easier way than the
@sjohnr sure, I'll try
Unless I'm missing something, I think that only allows you to customize the JWT object itself; what I need though is the ability to customize the actual token endpoint response, i.e. what comes back from:

```shell
$ curl -s -X POST --url http://localhost:8002/oauth/token --user 'XXXX:YYYY' --header 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' --data 'grant_type=client_credentials' --data 'scope=sessions'
```

I was able to achieve that using the solution described here: #925 (comment), specifically: providing a custom copy of `OAuth2TokenEndpointFilter` (lines 221 to 247 in eae6630) and changing it like so:
--- a/OAuth2TokenEndpointFilter.java
+++ b/OAuth2TokenEndpointFilter.java
@@ -226,7 +226,7 @@ public final class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
OAuth2AccessToken accessToken = accessTokenAuthentication.getAccessToken();
OAuth2RefreshToken refreshToken = accessTokenAuthentication.getRefreshToken();
- Map<String, Object> additionalParameters = accessTokenAuthentication.getAdditionalParameters();
+ val decodedAccessToken = jwtDecoder.decode(accessToken.tokenValue)
OAuth2AccessTokenResponse.Builder builder =
OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue())
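Review bot: replacing `Map<String, Object> additionalParameters = accessTokenAuthentication.getAdditionalParameters();` with `val decodedAccessToken = jwtDecoder.decode(accessToken.tokenValue)` throws away everything the authentication provider placed in `getAdditionalParameters()`, so any parameter the server already attached to this response is silently lost; keep that line and add the decode beside it. The new line also relies on a `jwtDecoder` field that does not appear in the visible class, and `decode` fails on any token that is not a JWT this server can verify (an opaque reference token, for example), which would turn a successful issuance into an error at the token endpoint; guard the call or restrict it to JWT-format access tokens. As the author notes, the hunk is Kotlin syntax inside a `.java` file, so it is a sketch rather than a drop-in change.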
@@ -238,9 +238,12 @@ public final class OAuth2TokenEndpointFilter extends OncePerRequestFilter {
if (refreshToken != null) {
builder.refreshToken(refreshToken.getTokenValue());
}
- if (!CollectionUtils.isEmpty(additionalParameters)) {
- builder.additionalParameters(additionalParameters);
- }
+ builder.additionalParameters(
+ mapOf(
+ "jti" to decodedAccessToken.id, // must be the same as the access_token jti
+ "token_type" to accessToken.tokenType.value.lowercase() // because the old project had it lowercase
+ )
+ )
OAuth2AccessTokenResponse accessTokenResponse = builder.build();
ServletServerHttpResponse httpResponse = new ServletServerHttpResponse(response);
this.accessTokenHttpResponseConverter.write(accessTokenResponse, null, httpResponse); (sorry for the syntax, it's kotlin) which works, but having something as easy as the I hope that makes it clearer, feel free to ask otherwise |
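Review bot: the new `builder.additionalParameters(mapOf(...))` call is unconditional and replaces the removed `if (!CollectionUtils.isEmpty(additionalParameters))` guard, so `jti` and `token_type` become the only additional parameters this filter can ever emit; build a mutable map from the existing `additionalParameters`, put the two keys into it, and pass that map instead. Putting `token_type` into the additional parameters also duplicates a standard field the builder already sets from `accessToken.getTokenType()`, so the lower-case value only takes effect if the response converter writes additional parameters after the standard ones; a test asserting that the serialized body contains exactly one `token_type` with the expected case would pin that down. The `// must be the same as the access_token jti` comment holds only while the access token is a JWT; state that assumption next to the decode call.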
@emilburzo, thanks for the details. Take a look at gh-925 which may cover your use case.
Describe the bug
I'm migrating from the EOL spring-security-oauth project and thus need to keep the responses identical.
I've started with the token endpoint and it's working well so far, however there are two differences that I do not know how to address:
For the token endpoint, the differences are:

| | old | new |
|---|---|---|
| `jti` | `access_token` body | |
| `token_type` | `bearer` | `Bearer` (note the case) |

Example: old / new (the example responses did not survive extraction)
I feel like I'm missing something obvious but just can't find it in the docs.
To Reproduce
Default sample project
Expected behavior
`jti` is included by default, or a way to provide it.
`token_type`