问题
I have a Authorization server and a resource server implemented using spring boot with oauth2. In the resource server I have configured the check_token endpoint and relevant information to validate the requests from authorization server.
security:
oauth2:
resource:
token-info-uri: http://localhost:9191/auth-service/oauth/check_token
client:
client-id: mobile
client-secret: secret
So now when a request is comes with a bearer token it allows to access the resource server. But if a token is stolen and try to update a record of a another user it is still possible since he/she has a valid token. To reduce this risk i wanted to add a filter in the resource server and check with the unique id which comes with the request header against the id field that i have added to token when a token is generated. But the authentication object only returns the username of the owner of the token.
final OAuth2Authentication authentication = (OAuth2Authentication) SecurityContextHolder
.getContext().getAuthentication();
// this principal object returns the user name.
Object principal = authentication.getUserAuthentication().getPrincipal();
I want this principal object or another property to send me the userid which i set to the token.This is my check_token response, as you can see it has the userid field in the response.
{
"aud": [
"oauth2-resource"
],
"data": {
"userId": "uid-0c51148d-162a-4fa4-95c5-asd3434",
},
"user_name": "test",
"scope": [
"READ",
"WRITE",
"UPDATE"
],
"active": true,
"client_id": "mobile",
}
Please help me to sort this out.
来源:https://stackoverflow.com/questions/60239249/validate-the-user-in-the-resource-server-spring-security