spring-authorization-server
Consider adding authentication hooks in OAuth2AuthenticationProvider implementations
Hey 👋
Currently there is no way to hook into the OAuth2[..]AuthenticationProvider.
I would like to customize Spring implementations of OAuth2[..]AuthenticationProvider with some pre/post auth checks by implementing some general interface as opposed to implementing every grant from scratch.
At the check time it would be nice to have access to the client's and/or user's identity and perform some additional checks just before saving/updating the authorization record, maybe something similar to UserDetailsChecker here, org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider#preAuthenticationChecks, and here, org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider#postAuthenticationChecks, ideally not only with access to user details, but to the auth token (converted request) as well.
Please let me know your thoughts on this
@gnom7 Can you provide more concrete details on your use case? What specific pre/post check are you looking to perform?
@jgrandja I’d like this feature to be able to implement IP check on per user / user’s organization and client basis, thus I need access to this info after request conversion and before allowing request to proceed with auth. I’d like to be able to implement it for refresh grant and few custom (e.g. password) and I’d like to hook this check into existing auth provider (similarly to UserDetailsChecker) or right before provider rather than implement provider from scratch.
Thanks for the feedback @gnom7.
Let me give this some thought and we'll see what we can come up with.
@jgrandja another example would be creation of the user session entity before OAuth2AuthorizationCodeAuthenticationProvider or OAuth2RefreshTokenAuthenticationProvider, such that you would be able to include the created sessionId in the accessToken claims.
@gnom7 I'm finally circling back to this now.
I’d like this feature to be able to implement IP check on per user / user’s organization and client basis, thus I need access to this info after request conversion and before allowing request to proceed with auth. I’d like to be able to implement it for refresh grant...
The extension point to implement an IP check would be the AuthenticationConverter. A custom implementation of an AuthenticationConverter would allow you to perform the IP check since you have access to HttpServletRequest, and it's the main component that is called before AuthenticationProvider.authenticate().
Take a look at the reference documentation for OAuth2 Authorization Endpoint and the authorizationRequestConverter() configuration, as well as OAuth2 Token Endpoint and the accessTokenRequestConverter() configuration.
A custom AuthenticationConverter could be plugged in via authorizationRequestConverter() and/or accessTokenRequestConverter() that implements the IP check before authorization proceeds.
I'm going to close this as the AuthenticationConverter extension point will allow you to implement a custom IP check.
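As an added illustration of the extension point described above (this is example code, not part of the issue or of the project's sources), the following converter wraps the built-in refresh_token grant converter and rejects the request when the authenticated client's remote address is not on a per-client allow-list. It assumes the 1.x line of the project (jakarta.servlet, Java 17), that the allow-list map is supplied by the application, and that only the client side of the check is covered, since the user behind the refresh token is not yet resolved at converter time.

```java
import java.util.Map;
import java.util.Set;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2RefreshTokenAuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationConverter;

/**
 * Example converter: delegates to the stock refresh_token converter, then enforces a
 * per-client IP allow-list. Runs before AuthenticationProvider.authenticate(), i.e. before
 * any OAuth2Authorization record is read or updated.
 */
public class IpRestrictedRefreshTokenConverter implements AuthenticationConverter {

    private final AuthenticationConverter delegate = new OAuth2RefreshTokenAuthenticationConverter();

    // Hypothetical allow-list supplied by the application: clientId -> permitted remote addresses.
    private final Map<String, Set<String>> allowedIpsByClient;

    public IpRestrictedRefreshTokenConverter(Map<String, Set<String>> allowedIpsByClient) {
        this.allowedIpsByClient = allowedIpsByClient;
    }

    @Override
    public Authentication convert(HttpServletRequest request) {
        Authentication grant = this.delegate.convert(request);
        if (grant == null) {
            return null; // not a refresh_token request: leave it to the other grant converters
        }
        // The client has already been authenticated by OAuth2ClientAuthenticationFilter.
        Authentication principal = SecurityContextHolder.getContext().getAuthentication();
        if (!(principal instanceof OAuth2ClientAuthenticationToken clientAuth)
                || clientAuth.getRegisteredClient() == null) {
            throw new OAuth2AuthenticationException(OAuth2ErrorCodes.INVALID_CLIENT);
        }
        String clientId = clientAuth.getRegisteredClient().getClientId();
        // Assumes ForwardedHeaderFilter (or equivalent) is in place when running behind a proxy;
        // otherwise getRemoteAddr() is the proxy, not the caller.
        String remoteIp = request.getRemoteAddr();
        if (!this.allowedIpsByClient.getOrDefault(clientId, Set.of()).contains(remoteIp)) {
            OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT,
                    "Client " + clientId + " may not use this grant from " + remoteIp, null);
            throw new OAuth2AuthenticationException(error); // handled by the token endpoint filter
        }
        return grant;
    }
}
```

It is registered with tokenEndpoint(t -> t.accessTokenRequestConverter(new IpRestrictedRefreshTokenConverter(allowList))) on the OAuth2AuthorizationServerConfigurer; the exception thrown from convert() is turned into a standard OAuth2 error response by the token endpoint filter, so no authorization is issued or updated for a rejected request.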
@jgrandja I guess it would be better to have explicit hooks for specific parts of authentication flow. Check auth0 for example.