I have been very stuck on this issue for a couple of days.
So what I am trying to do is to assign ROLES with the Spring Security framework. My goal is to decode the token that I get from WSO2 Identity Server 5.0 through OpenID and assign the Role so I can authorize the request based on Roles (AUTHORITIES).
This is my SecurityConfig class in a simple Spring Boot app:
    @Profile("oauth")
    @Configuration
    @EnableResourceServer
    public class SecurityConfig {}
So, with this configuration, I am able to decode the token.
However, in debug mode, when I made a request with the id_token to the simple Spring Boot app, I received an error:
    java.lang.ClassCastException
    java.lang.String cannot be cast to java.util.Collection
And it happens in the DefaultAccessTokenConverter class, particularly in the line of code where the map object is converted to String[] roles:
    public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
        ...
        if (user==null && map.containsKey(AUTHORITIES)) {
            @SuppressWarnings("unchecked")
            String[] roles = ((Collection<String>)map.get(AUTHORITIES)).toArray(new String[0]);
            authorities = AuthorityUtils.createAuthorityList(roles);
        }
        OAuth2Request request = new OAuth2Request(parameters, clientId, authorities, true, scope, resourceIds, null, null,
                null);
        return new OAuth2Authentication(request, user);
    }
This is my WSO2 decoded token:

    {
      "auth_time": 1464819792,
      "exp": 1464823490,
      "azp": "U1PXsuyV_tdBERmZIoHHnqoGkWIa",
      "authorities": "[\"ROLE_ADMIN\",\"approver\",\"Internal\/everyone\"]",
      "at_hash": "Hh2LUZl3Bp6yDqyZt4r6Gg",
      "aud": [
        "U1PXsuyV_tdBERmZIoHHnqoGkWIa"
      ],
      "iss": "https://localhost:9443/oauth2/token",
      "locality": "[\"ROLE_ADMIN\"]",
      "iat": 1464819890
    }
It seems that Spring expects an array of String, not a String object (there is a double quote at the beginning and the end of the value in authorities).
The aud format seems to be what Spring expects.
So, there are two options I can think of:
1. Write some configuration in Spring OAuth2 (I have not figured this out yet)
2. Configure WSO2 Identity Server (This is what I've been trying to do).
There are some resources saying that we can implement our own JWTTokenGenerator in WSO2 Carbon. From looking at the code, it seems this is where the double quotes are generated in the claim:

    org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator
I hope there is someone else who has been going through this.
Thank you very much.
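
Option 1 from the question, as an added example (not part of the original post, and not Spring's or WSO2's own code): a subclass of DefaultAccessTokenConverter that turns the JSON-encoded authorities string into a real list before delegating to the stock logic. The class name is hypothetical and Jackson is assumed to be on the classpath; a claim that cannot be parsed yields no authorities instead of a guessed role.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;

// Hypothetical class name; not part of Spring Security OAuth2 or WSO2.
public class StringifiedAuthoritiesTokenConverter extends DefaultAccessTokenConverter {
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private static final TypeReference<List<String>> STRING_LIST =
            new TypeReference<List<String>>() {};

    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
        Map<String, Object> claims = new HashMap<>(map);
        if (claims.containsKey(AUTHORITIES)) {
            claims.put(AUTHORITIES, normalize(claims.get(AUTHORITIES)));
        }
        return super.extractAuthentication(claims);
    }

    // Accepts a JSON array or the JSON-encoded string seen in the token above.
    // Any other shape returns an empty list, so a malformed claim grants no role.
    static List<String> normalize(Object raw) {
        Object value = raw;
        if (raw instanceof String) {
            try {
                value = MAPPER.readValue((String) raw, STRING_LIST);
            } catch (IOException e) {
                return Collections.emptyList();
            }
        }
        if (!(value instanceof Collection)) {
            return Collections.emptyList();
        }
        List<String> out = new ArrayList<>();
        for (Object item : (Collection<?>) value) {
            if (item instanceof String) out.add((String) item);
        }
        return out;
    }
}
```

How the converter is registered depends on the application's token setup; with a JwtAccessTokenConverter bean, an assumption about this app, it can be supplied through `setAccessTokenConverter(...)`.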