Comments (6)
Additional context: We need an OpaqueTokenIntrospector that iterates over multiple OpaqueTokenIntrospector and returns the first successful result.
from spring-security.
Hi @CrazyParanoid, thanks for the suggestion.
There are cases where support for multiple OpaqueTokenIntrospectors in an OpaqueTokenAuthenticationProvider is needed. This is easier than adding another provider to ProviderManager, because OpaqueTokenAuthenticationConverter is often the same for different cases.
It is unclear to me whether the delegating implementation is truly needed, because there are likely other cases where both the OpaqueTokenIntrospector and OpaqueTokenAuthenticationConverter need to be customized and as you implied this is already supported. I feel that the need would be clearer if the framework itself had use for a delegating implementation, but it does not.
Additional context: We need an OpaqueTokenIntrospector that iterates over multiple OpaqueTokenIntrospector and returns the first successful result.
It seems that the contract for OpaqueTokenIntrospector does not explicitly allow for null return values. I think it would be better to leave this to the consuming application to provide.
Having said that, I think we can leave this issue open for a while and see if anyone else has a need for it before proceeding, at which time we can evaluate options.
Hi @sjohnr thanks for your feedback!
It is unclear to me whether the delegating implementation is truly needed, because there are likely other cases where both the OpaqueTokenIntrospector and OpaqueTokenAuthenticationConverter need to be customized and as you implied this is already supported.
At the same time, there are many cases where the result of introspection is the same, especially if the identity provider does not strongly contradict the specification. I could be wrong, but setting up an OpaqueTokenIntrospector seems like a simpler solution in such cases.
I look at the JwtAuthenticationProvider and I see that the framework allows me to customize it for almost any use case without having to add a new JwtAuthenticationProvider to the ProviderManager. Is it possible to do the same for OpaqueTokenAuthenticationProvider? For me the answer is quite clear.
Thanks @CrazyParanoid.
At the same time, there are many cases where the result of introspection is the same, especially if the identity provider does not strongly contradict the specification. I could be wrong, but setting up an OpaqueTokenIntrospector seems like a simpler solution in such cases.
My concern is providing too many ways to do the same thing. Spring Security has often received feedback that there are many ways to do the same thing, and that it's confusing. If there's already a way to do something, providing a more convenient way is not necessarily the best option in all cases. Make sense?
I look at the JwtAuthenticationProvider and I see that the framework allows me to customize it for almost any use case without having to add a new JwtAuthenticationProvider to the ProviderManager.
I agree that adding an authentication provider is a more advanced option. Can you clarify, is it possible to configure Spring Security for your use case (if slightly inconvenient)? Or is it not possible?
Spring Security has often received feedback that there are many ways to do the same thing, and that it's confusing.
It always seemed to me that this is a big plus of the framework. The more flexibility and the ability to customize everything, the more opportunities for developers to find the best solution for their case.
Can you clarify, is it possible to configure Spring Security for your use case (if slightly inconvenient)?
Yes it is possible, at the moment I am adding another OpaqueTokenAuthenticationProvider to the configuration.
Thanks @CrazyParanoid. I am not necessarily in favor of introducing a class like this for the sake of convenience only, when it's not clear whether it will be useful to many users. I think my preference at this point would be to leave this issue open and see if other users have feedback on whether this is needed by upvoting the issue.
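For readers who need this behaviour in their own application, as the thread suggests, here is an added example that is not part of the thread and not Spring Security code: a "first successful result" introspector that throws instead of returning null when no delegate accepts the token. The class name `FirstSuccessOpaqueTokenIntrospector` is hypothetical, and a Spring Security version that provides `BadOpaqueTokenException` is assumed.

```java
import java.util.List;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

// Hypothetical class for illustration; Spring Security does not ship it.
public final class FirstSuccessOpaqueTokenIntrospector implements OpaqueTokenIntrospector {

    private final List<OpaqueTokenIntrospector> delegates;

    public FirstSuccessOpaqueTokenIntrospector(List<OpaqueTokenIntrospector> delegates) {
        if (delegates == null || delegates.isEmpty()) {
            throw new IllegalArgumentException("at least one delegate is required");
        }
        this.delegates = List.copyOf(delegates); // immutable copy; rejects null elements
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        OAuth2IntrospectionException endpointFailure = null;
        for (OpaqueTokenIntrospector delegate : this.delegates) {
            try {
                OAuth2AuthenticatedPrincipal principal = delegate.introspect(token);
                if (principal != null) {
                    return principal; // first delegate that vouches for the token wins
                }
                // null is outside the interface contract: treat it as "not accepted"
            } catch (BadOpaqueTokenException rejected) {
                // This authorization server says the token is not active; ask the next one.
            } catch (OAuth2IntrospectionException failure) {
                // Endpoint unreachable or malformed response: no verdict from this server.
                if (endpointFailure == null) {
                    endpointFailure = failure;
                }
            }
        }
        if (endpointFailure != null) {
            // Some server never answered, so "invalid token" is unproven; surface the error.
            throw endpointFailure;
        }
        // Every server answered and none accepted: fail closed, never return null.
        throw new BadOpaqueTokenException("No configured introspector accepted the token");
    }
}
```

Each token is presented to every introspection endpoint listed ahead of the one that issued it, so only combine authorization servers that may see each other's tokens, and order the delegates with that in mind.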