Hi,
Using Spring Boot, I am creating a user from the JWT token using a NimbusJwtDecoder on the REST request. That all works well and I have the SCOPE authorities from my setup in Auth0. I would now like to decorate the user with further details and authorities from my database. Any hints or examples where it is best to do this?
Kind regards
Malcolm
Hello,
I solved this issue, and I am pasting the code here in case anyone else needs it.
I created a filter that is configured after the BearerTokenAuthenticationFilter in the FilterChain. This filter loads the user details from the database using the “sub” claim as the username.
A new JwtAuthenticationToken is then built using the data stored in the database and the data in the JWT.
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;           // jakarta.servlet.* on Spring Boot 3 / Spring Security 6
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import lombok.AllArgsConstructor;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

@AllArgsConstructor
public class AuthorisationFilter implements Filter {
    UserDetailsServiceImpl userDetailsService;

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Only act once BearerTokenAuthenticationFilter has validated a JWT and placed it in the context
        // (instanceof is false for null, so no separate null check is needed).
        if (authentication instanceof JwtAuthenticationToken) {
            JwtAuthenticationToken jwtAuthentication = (JwtAuthenticationToken) authentication;
            Jwt token = jwtAuthentication.getToken();
            // Load the application user by the token subject (the "sub" claim).
            UserDetails userDetails = userDetailsService.loadUserByUsername(token.getSubject());
            // Merge the database authorities with the SCOPE_* authorities derived from the token.
            List<GrantedAuthority> authorities = new ArrayList<>(userDetails.getAuthorities());
            authorities.addAll(jwtAuthentication.getAuthorities());
            // Rebuild the JWT (the authentication object is immutable) and replace the context entry.
            Jwt newToken = new Jwt(token.getTokenValue(), token.getIssuedAt(), token.getExpiresAt(),
                    token.getHeaders(), token.getClaims());
            JwtAuthenticationToken jwtAuthenticationToken = new JwtAuthenticationToken(newToken, authorities);
            SecurityContextHolder.getContext().setAuthentication(jwtAuthenticationToken);
        }
        filterChain.doFilter(servletRequest, servletResponse);
    }
}
If anyone has any suggestions or improvements or needs further clarification, feel free to contact me.
Kind regards
Malcolm
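The same enrichment can be done with the resource server's own hook instead of a second filter. The following is an added example, not code from Malcolm's post: a Converter<Jwt, AbstractAuthenticationToken> registered through jwtAuthenticationConverter runs inside BearerTokenAuthenticationFilter, so the SecurityContext is populated once with the merged authorities and the validated Jwt is reused rather than rebuilt. It assumes a Spring Security 5.7+/6 SecurityFilterChain bean and a DB-backed UserDetailsService bean; the class names DbEnrichingJwtConverter and ApiSecurityConfig are mine.

```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;

// Converts a validated Jwt into the Authentication placed in the SecurityContext,
// merging the token's SCOPE_* authorities with the roles stored in the database.
public class DbEnrichingJwtConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    private final UserDetailsService userDetailsService; // assumed: your DB-backed implementation
    private final JwtAuthenticationConverter scopeConverter = new JwtAuthenticationConverter();

    public DbEnrichingJwtConverter(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        // SCOPE_* authorities from the "scope"/"scp" claim, exactly as the default converter grants them.
        List<GrantedAuthority> authorities = new ArrayList<>(scopeConverter.convert(jwt).getAuthorities());
        // Database authorities keyed by the token subject. A subject unknown to the database throws
        // UsernameNotFoundException here, which BearerTokenAuthenticationFilter turns into a 401.
        authorities.addAll(userDetailsService.loadUserByUsername(jwt.getSubject()).getAuthorities());
        // The validated Jwt is reused as-is; only the authority set changes.
        return new JwtAuthenticationToken(jwt, authorities, jwt.getSubject());
    }
}

// Registers the converter so the enrichment runs inside BearerTokenAuthenticationFilter itself.
@Configuration
class ApiSecurityConfig {
    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http, UserDetailsService userDetailsService) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt ->
                jwt.jwtAuthenticationConverter(new DbEnrichingJwtConverter(userDetailsService))));
        return http.build();
    }
}
```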
Hi @jj.mmallia
Thank you for the code. One question: who is the issuer for the new JWT?
What are you using the JWT for? Is it an ID token or an Access Token?
John
Hello John,
I have an Angular SPA which authenticates, then obtains an access token to call my Spring Boot API.
This code is the filter on the API, where I wanted to add my own roles, authorities and other information which I retrieve from my DB. I use the new JWT just to rebuild the token stored in the SecurityContext, as it is immutable.
Kind regards
Malcolm