1 vote

So here is the case: I have an identity server, a client application and a resource (API). The identity server provides user info on the endpoint http://identityserver:8080/connect/userinfo. If you send a request with a valid access token you get additional information about the user. If I need this information on the resource, how would I get it? I have two ideas:

  1. Get the user info with the client. (The client sends a request to the userinfo endpoint, obtains the information and then sends it along with the request calling the API.)
  2. The resource API creates a request to the userinfo endpoint itself with the access token. The problem here is that if I want to get the token value from the token store, it is not supported (Java Spring), so basically I do not have the access token on the resource server.

I understand that the userinfo endpoint is basically a resource, so my question is how to proceed if I want to get a resource from another resource while keeping to all the best practice around OAuth2 and OpenID Connect.

Comments:

DaImTo: Out of curiosity, you need this information on what resource exactly?

Mário Jaroš: I need the email address. In the API I generate a PDF and I want to send it to the logged-in user.

DaImTo: So you just want a way for your API to call the userinfo endpoint?

Mário Jaroš: Yes, but for that I need the access token, add it to the header and call it, for example with RestTemplate, but I cannot access the token in the token store in Spring. When I call getValue on the access token I get org.springframework.security.oauth2.provider.token.store.jwk.JwkException: This operation is not supported

Mário Jaroš: On this question I found maybe this one stackoverflow.com/questions/19556039/… I can get the Authorization header, but I would still like to know which approach is better and whether it is secure to do it this way, or if it would be better to send the email in the request from the client?

2 Answers

1 vote

The solution is to use a different grant type. The most suitable is Client Credentials. The identity server needs to register a new client id and secret, which can be used to exchange for an access token for the API.

0 votes

The access token is (I assume) available to your API, so you can simply pass it on to other APIs (e.g. the userinfo endpoint), assuming the token contains the correct scope.

I'd recommend creating your own abstraction that makes it possible to get the raw ambient token used in the current request, so you can then use it to call other APIs.
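One way to build the abstraction this answer describes, as an added example that is not part of the original question or either answer. It assumes the legacy spring-security-oauth2 resource server that the asker's stack trace points at (the `org.springframework.security.oauth2.provider` package): when that filter chain authenticates a bearer token it stores an `OAuth2Authentication` in the `SecurityContext` whose `getDetails()` is an `OAuth2AuthenticationDetails` carrying the raw token value, so the token can be read from there instead of from the `JwkTokenStore` (whose `getValue` is what throws the "not supported" exception). The class name, the scope check and the userinfo URL constant are assumptions for illustration; the URL is the one from the question.

```java
import java.util.Map;
import java.util.Set;

import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestTemplate;

/**
 * Hypothetical helper (not from the original page): reads the bearer token that
 * authenticated the current request and forwards it to the OpenID Connect
 * userinfo endpoint. Only the token the caller actually presented is reused;
 * nothing is minted or looked up in a token store.
 */
@Component
public class AmbientTokenUserInfoClient {

    // Endpoint from the question; assumed reachable from the resource server.
    private static final String USERINFO_URL = "http://identityserver:8080/connect/userinfo";

    private final RestTemplate rest = new RestTemplate();

    /** Returns the current request's OAuth2Authentication or fails closed. */
    private OAuth2Authentication currentOAuth2Authentication() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (!(auth instanceof OAuth2Authentication) || !auth.isAuthenticated()) {
            throw new IllegalStateException("no authenticated OAuth2 request in this thread");
        }
        return (OAuth2Authentication) auth;
    }

    /** The raw bearer token value the caller sent, as recorded by the resource-server filter. */
    public String currentTokenValue() {
        Object details = currentOAuth2Authentication().getDetails();
        if (!(details instanceof OAuth2AuthenticationDetails)) {
            throw new IllegalStateException("authentication details do not carry the token value");
        }
        return ((OAuth2AuthenticationDetails) details).getTokenValue();
    }

    /**
     * Calls userinfo with the ambient token. The scope check is the caveat from the
     * answer made explicit: the email claim is only returned for tokens that were
     * granted the OIDC "email" scope, so refuse early instead of forwarding a token
     * that cannot yield what the API needs.
     */
    public Map<String, Object> fetchUserInfo() {
        OAuth2Authentication auth = currentOAuth2Authentication();
        Set<String> scopes = auth.getOAuth2Request().getScope();
        if (!scopes.contains("openid") || !scopes.contains("email")) {
            throw new IllegalStateException("token lacks the openid/email scope needed for userinfo");
        }

        HttpHeaders headers = new HttpHeaders();
        headers.set(HttpHeaders.AUTHORIZATION, "Bearer " + currentTokenValue());

        ResponseEntity<Map<String, Object>> response = rest.exchange(
                USERINFO_URL,
                HttpMethod.GET,
                new HttpEntity<>(headers),
                new ParameterizedTypeReference<Map<String, Object>>() {});
        return response.getBody();
    }

    /** Convenience for the PDF case from the comments: the verified email of the caller. */
    public String currentUserEmail() {
        Object email = fetchUserInfo().get("email");
        if (email == null) {
            throw new IllegalStateException("userinfo response contains no email claim");
        }
        return email.toString();
    }
}
```

Two practical notes on this pattern. First, the token is only forwarded on the thread that handled the inbound request; if the PDF is generated asynchronously, capture `currentTokenValue()` before handing off, because `SecurityContextHolder` is thread-local. Second, the userinfo endpoint identifies the end user from the token, so this only works with a token issued to that user; a client-credentials token (the other answer) identifies the API itself and would not return the caller's email from userinfo.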