
Thread: Identify end user from bearer token

  1. #1

    I have a webservice that is secured using OAuth 2.0. I have a website client where users log in. Upon logging the user in, the website uses the password grant to obtain an access token from the webservice.
    Subsequent requests are made to the webservice with the access token.

    The webservice needs to know some end user id to be able to carry out some of the requests. So my questions are:
    1. Does the bearer access token have any such information that would enable the webservice to find out who the end user is that the website is acting on behalf of?


    2. If not, what is the best way to add/store additional end user information into the bearer token when it is issued by the webservice. This way the webservice can use it when servicing resource requests. In terms of the oauth configuration where would this be done?


    Please provide as much info as possible as I'm finding Spring OAuth support/configuration a huge learning curve.

  2. #2

    I understand one option is to add the additional info in the access token value. This makes sense to me. How do I do this?

    The following is the token store config I am using
    Code:
    <bean id="tokenStore" class="org.springframework.security.oauth2.provider.token.InMemoryTokenStore" />
    <bean id="tokenServices" class="org.springframework.security.oauth2.provider.token.DefaultTokenServices">
        <property name="tokenStore" ref="tokenStore" />
        <property name="supportRefreshToken" value="true" />
        <property name="clientDetailsService" ref="clientDetails" />
    </bean>
    How do I plug in my custom info to the generated token values?

  3. #3 (Join Date: Jun 2005, Posts: 4,230)

    The spec doesn't say what information is in a token. Normally you will find an OAuth2Authentication in the Spring SecurityContext if you use the <resource-server/> filter, and that would contain the user's authentication details. Because the spec is intentionally open, you can expect to find plenty of other information in tokens if your auth server decides to put it there. As your second post suggests, additional information can be added by the auth server (e.g. using a TokenEnhancer).

  4. #4

    Where is the TokenEnhancer plugged in? In other words where does it belong in the oauth config?

  5. #5

    Got it! DefaultTokenServices

    Thanks

  6. #6

    Hi, this appears to be a little more complex than initially anticipated. I have implemented my own TokenEnhancer, but there aren't any modifiers on the OAuth2AccessToken so I can't do anything! I just want to modify the access token that has been created and add a little extra info through whatever means.

    What is the simplest way to do this?

  7. #7 (Join Date: Jun 2005, Posts: 4,230)

    You can do anything you want. Just create a new token, modify it and return it. DefaultOAuth2AccessToken has a copy constructor and setters for all its properties.
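The approach from #3 and #7 put together, as an added example that is not code from the thread or from Spring Security OAuth itself: a TokenEnhancer that copies the read-only token into a DefaultOAuth2AccessToken, records the end user's name under an additional-information key, and a helper for the resource server side that reads the end user back from the OAuth2Authentication the resource-server filter places in the SecurityContext. The key name `end_user` and the class name are assumptions chosen for this example; the API calls (`DefaultOAuth2AccessToken` copy constructor, `setAdditionalInformation`, `OAuth2Authentication.isClientOnly()` / `getUserAuthentication()`) are the standard spring-security-oauth2 ones, but check them against the version you are running.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

/**
 * Auth-server side: adds the end user's identity to the token's
 * "additional information" map. Wire it into DefaultTokenServices
 * through its tokenEnhancer property.
 */
public class EndUserTokenEnhancer implements TokenEnhancer {

    // Key under which the user name is stored (hypothetical name for this example).
    public static final String END_USER_KEY = "end_user";

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken,
                                     OAuth2Authentication authentication) {
        // A client-credentials token has no end user behind it; leave it untouched.
        if (authentication.isClientOnly()) {
            return accessToken;
        }
        Authentication user = authentication.getUserAuthentication();

        // OAuth2AccessToken exposes no setters, so copy it into the mutable implementation.
        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(accessToken);

        // Copy any information an earlier enhancer already added, then add ours.
        Map<String, Object> info = new HashMap<String, Object>();
        if (accessToken.getAdditionalInformation() != null) {
            info.putAll(accessToken.getAdditionalInformation());
        }
        info.put(END_USER_KEY, user.getName());
        result.setAdditionalInformation(info);
        return result;
    }

    /**
     * Resource-server side: the end user on whose behalf the current request is made,
     * taken from the OAuth2Authentication that the resource-server filter built from
     * the bearer token. Returns null when the token is client-only or the request
     * was not authenticated through OAuth2 at all.
     */
    public static String currentEndUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof OAuth2Authentication)) {
            return null;
        }
        OAuth2Authentication oauth = (OAuth2Authentication) auth;
        if (oauth.isClientOnly()) {
            return null;
        }
        return oauth.getUserAuthentication().getName();
    }
}
```

To plug the enhancer into the config from #2, declare it as a bean and add a `tokenEnhancer` property referencing it to the `tokenServices` bean (assuming a version of DefaultTokenServices that exposes that property). Two points worth keeping in mind: with an InMemoryTokenStore the token value is opaque and the additional information lives in the store, so the resource server only sees it by looking the token up, not by inspecting the string; and whatever goes into the additional-information map is also serialised into the token response handed to the client, so it should hold nothing you would not want the client to read. For deciding which user a request acts for, `currentEndUser()` above (the identity the auth server bound to the token) is the value to trust, rather than any user id the client sends along in the request.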
