Jul 13th, 2012, 04:11 AM
Additional info in authentication details
First of all , congratulations for this great framework (spring-security-oauth2)
I'm starting to play with it and my first approach is to protect a rest API implemented with Spring MVC. I'd like to attach additional info to the authentication provided by the OAuth authentication server in order to read that info from some methods in the MVC controller. I'm thinking to extend OAuth2AuthenticationDetailsSource in order to include the additional data in authentication details and provide this implementation to OAuth2AuthenticationProcessingFilter.
Please confirm me if this approach is right and please, provide a minimal example for configuring it.
Jul 16th, 2012, 01:16 AM
I don't think that's wrong, necessarily, but AuthenticationDetails are supposed to be information about the authentication attempt (so available before any authentication checks are made). If that fits your use case then it sounds sensible. Otherwise you should probably use the Authentication itself somehow.
What is the additional information, and why do you need it in a controller?
Jul 17th, 2012, 10:48 AM
Thanks for your answer. Our API clients have an account id which I need when they call the API. So, my approach is to include that account id after they are authenticated and I thought the proper place was in the details. When working with Spring Security if I needed to include custom data to the authentication, I was using the Details attribute.
Please, let me know if I'm wrong.
Jul 17th, 2012, 11:43 AM
I can't say it's wrong, but it's not what I would do, and it's not what the Authentication details is supposed to be for. You should be able to add the API ID to your user Authentication. It's up to you how you do that (e.g. maybe a custom UserDetails).