  • Oauth 2 - How to Capture Custom User Parameters During Authorization

    I am trying to capture custom user parameters provided by the user during the user authentication during the authorization code grant process.

    Basically, when the user provides their authentication details (username/password), they also provide some additional custom properties (eg. transaction limits) which need to be associated with and stored with the access token generated.

    It appears to me that the way to do this is for these additional parameters to be stored as authorization parameters in the generated AuthorizationRequest which will then get persisted as part of the access token created.

    I have traced the process to where the authorization request is created in DefaultAuthorizationRequestManager.createAuthorizationRequest(Map<String, String> parameters), but cannot find a way to add my custom parameters to the parameter map above, as this is called by the AuthorizationEndpoint controller authorize() method, which is generated by the framework and is redirected to from the SavedRequestAwareAuthenticationSuccessHandler upon a successful authentication, not taking in any parameters provided in the authentication form.

    I may be heading down the wrong path. Ultimately, my goal is to find a way for my custom parameters, provided by the user during authentication, to be stored with the AccessToken for use in authorizing future requests with that token.


  • #2
    An AuthorizationRequest represents parameters coming from the authorization step, not authentication per se (the user has to be authenticated already). Why would the user parameters need to be provided during authentication? Would a custom authorization page not work the same?


    • #3
      Thanks for your response.

      Yes, I realized that it would be easier to get the custom parameters during the authorization (using a custom authorization page), but unfortunately the design/flow I'm required to implement solicits those parameters from the user prior to authentication.

      I finally solved the problem by implementing a custom AuthenticationToken which extends UsernamePasswordAuthenticationToken and a custom AuthenticationFilter which extends the standard UsernamePasswordAuthenticationFilter and replacing the default UsernamePasswordAuthenticationFilter with my custom filter in the authentication security flow configuration.

      My custom AuthenticationToken has a Map<String,String> of parameters which are acquired from the request by the custom AuthenticationFilter and populated upon successful authentication. Since the user authentication token is included in the OAuth2Authentication object which is passed all the way down to the TokenStore, I have access to this parameter map stored in the user authentication token from within my TokenStore.storeAccessToken() method.

      It might be useful to add to the framework, an OAuth2UserAuthenticationToken and corresponding filter which extends UsernamePasswordAuthentication (and corresponding filter), to provide for this capability, and potentially other OAuth-specific authentication requirements (though I can't think of any at the moment).
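
      A sketch of the approach described in the post above, written as an added example and not code from the poster or from Spring Security OAuth: a token subclass carrying the extra parameters, a filter that copies only whitelisted form fields into it after the normal password check, and a helper a TokenStore can call. The class names, the `transactionLimit` field and the 64-character bound are assumptions; a value like a transaction limit is still client-supplied input, so it must be validated against the account's policy before anything authorizes on it.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

// Hypothetical user token carrying a read-only map of extra parameters captured at login.
class ParameterizedAuthenticationToken extends UsernamePasswordAuthenticationToken {
    private final Map<String, String> parameters;
    ParameterizedAuthenticationToken(Object principal, Object credentials,
            Collection<? extends GrantedAuthority> authorities, Map<String, String> parameters) {
        super(principal, credentials, authorities); // this constructor marks the token authenticated
        this.parameters = Collections.unmodifiableMap(new HashMap<>(parameters));
    }
    Map<String, String> getParameters() { return parameters; }
}

// Hypothetical filter that replaces UsernamePasswordAuthenticationFilter in the login flow.
public class ParameterizedAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    // Only these form fields are copied into the token; anything else the client sends is ignored.
    private static final String[] ALLOWED_PARAMETERS = { "transactionLimit" };

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        // Run the normal username/password check first; it throws AuthenticationException on failure.
        Authentication result = super.attemptAuthentication(request, response);
        Map<String, String> extra = new HashMap<>();
        for (String name : ALLOWED_PARAMETERS) {
            String value = request.getParameter(name);
            if (value != null && value.length() <= 64) { // bound the size; validate the value server-side
                extra.put(name, value);
            }
        }
        // The provider returns a fresh UsernamePasswordAuthenticationToken, so re-wrap the successful
        // result in the subclass; this is what OAuth2Authentication.getUserAuthentication() will return.
        ParameterizedAuthenticationToken token = new ParameterizedAuthenticationToken(
                result.getPrincipal(), result.getCredentials(), result.getAuthorities(), extra);
        token.setDetails(result.getDetails());
        return token;
    }

    // For TokenStore.storeAccessToken(): recover the parameters from the user authentication.
    public static Map<String, String> parametersOf(OAuth2Authentication authentication) {
        Authentication user = authentication.getUserAuthentication();
        return user instanceof ParameterizedAuthenticationToken
                ? ((ParameterizedAuthenticationToken) user).getParameters() : Collections.emptyMap();
    }
}
```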



      • #4
        Your solution makes sense. It's just a vanilla authentication issue though, so if you need anything from the framework you should be looking in Spring Security (Core).