How can I inject my own UserDetails or AbstractAuthenticationToken post Authentication?

[virtex-br]

I have a filter chain set up for API keys which does something like this:

ApiKeyAuthenticationToken authentication = new ApiKeyAuthenticationToken(myDomainUserObject);
SecurityContextHolder.getContext().setAuthentication(authentication);
filterChain.doFilter(request, response);

I'd like to do something similar when I'm using the JwtAuthenticationToken provided by the spring-addons-starter-oidc plugin.

Is there a simple way to provide a UserDetails service or similar?

Thanks in advance

[ch4mpy]

With OAuth2, the "user-service" is the authorization server: that's it which is responsible for providing user data as OAuth2 claims (inside a JWT access token or as introspection response payload for resource servers, and as ID token payload or userinfo response payload for clients). On resource servers and clients, you shouldn't be looping to the DB to get user details & authorities and, more importantly, you should not duplicate this authorization server data in your resource server's DB.

With oauth2ResourceServer and a JWT decoder, the Authentication instance is returned by a Converter<Jwt, AbstractAuthenticationToken>. The default implementation is JwtAuthenticationConverter which builds a JwtAuthenticationToken. It can be replaced with http.oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(...))), which configures the default authentication manager.

As stated in the doc, spring-addons-starter-oidc exposes a default Converter<Jwt, AbstractAuthenticationToken> as a @ConditionalOnMissingBean and uses it to configure the authentication manager. So all you have to do is exposing a Converter<Jwt, AbstractAuthenticationToken> as a bean (a @Bean, @Componenent, or alike). As a bonus, if using @WithJwt in your tests, this bean will be picked by the test authentication factory and you'll have your custom Authentication implementation in tests too.

Note that spring-addons-starter-oidc exposes a default authorities converter too, and it is pretty convenient. So you can ignore or override it, but the best option is probably to inject the default authorities converter in your authentication converter factory.

You can find demos of that in the resource-server_with_oauthentication and resource-server_with_specialized_oauthentication tutorials.

As a side note, you might find the OAuthentication<OpenIdClaimSet> interesting as a base-class for your custom Authentication implementation, as done in the second tutorial (have a look at the API with your IDE auto-completion).

[virtex-br]

As always, a fantastic answer - thank you