
I have:

  1. Spring Boot client application with some public endpoints and private endpoints which require @PreAuthorize("#oauth2.hasScope('resource.read')"), for example
  2. I have an external authorization server: Cloudfoundry UAA
  3. I have an external OIDC provider linked to UAA. I can use that to authenticate a person; I receive a Person_ID from the ID_Token from that external OIDC provider
  4. Now I need to change UAA core code to implement my logic of using that Person_ID and searching for the equivalent user from LDAP which shares the same Person_ID, and then I will need to add its user groups to the token for the client. (I have done it currently in the /userinfo endpoint)

So I have done this logic in the /userinfo endpoint, when the client receives an access token (from client, redirected to UAA, from UAA to OIDC for AUTH, then back again for the token, and then this token is sent to the client; now the client can take the token and ask for the /userinfo, which will then have its user roles)

Is this bad logic? Should I add the LDAP implementation (step 4) inside the access token already somehow?


1 Answer


Really, as is often the case with design questions, it depends.

The key to remember is that OIDC and its associated id_token are for authentication. It's common for the /userinfo response to state claims about who the user is. Part of the user's identity might be their role.

OAuth and its associated access_token, on the other hand, are for authorization. It's common for the access token to state claims about what the client is authorized to do. What a client might be able to do may be different from the user's role.

Think about what decisions this client will need to make. It may be able to make choices like which of its pages it can show, based on the roles that it inferred from the /userinfo response.

Think about what this client will communicate with. Maybe it will communicate with a resource server. If the client passes the access_token obtained during login, then that token should indicate what the client is authorized to do.
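The separation the answer describes, written out as an added Spring Security 5.x example (this is not code from the question, the answer, or the UAA project): the client maps roles it reads from the /userinfo response into its own session authorities and uses them only for deciding which pages to show, while the resource server authorizes API calls from the scopes carried in the access token. It assumes spring-boot-starter-oauth2-client and spring-boot-starter-oauth2-resource-server on the respective classpaths, a UAA registration already configured in application.yml, and a hypothetical `roles` claim in the /userinfo response (the claim name is a placeholder for whatever the asker's UAA change returns).

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.web.SecurityFilterChain;

// Client application: identity decisions come from the OIDC side (/userinfo).
@Configuration
public class ClientSecurityConfig {

    // Roles claimed by /userinfo become ROLE_* authorities on the client's own
    // session. They drive page visibility only; they never reach the resource server.
    @Bean
    public GrantedAuthoritiesMapper userInfoRolesMapper() {
        return (authorities) -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities);
            for (GrantedAuthority authority : authorities) {
                if (!(authority instanceof OidcUserAuthority)) {
                    continue;
                }
                OidcUserInfo userInfo = ((OidcUserAuthority) authority).getUserInfo();
                if (userInfo == null) {
                    continue;
                }
                // "roles" is a placeholder claim name (assumption, see lead-in).
                Collection<String> roles = userInfo.getClaimAsStringList("roles");
                if (roles == null) {
                    continue;
                }
                for (String role : roles) {
                    mapped.add(new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()));
                }
            }
            return mapped;
        };
    }

    @Bean
    public SecurityFilterChain clientFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                .antMatchers("/", "/public/**").permitAll()
                // Page-level decision based on the role inferred from /userinfo.
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .oauth2Login(login -> login
                .userInfoEndpoint(userInfo -> userInfo.userAuthoritiesMapper(userInfoRolesMapper())))
            .oauth2Client();
        return http.build();
    }
}

// Resource server (a separate application in practice; shown here for contrast):
// authorization decisions come from the OAuth side, i.e. the access token's scopes.
// Spring's default JwtGrantedAuthoritiesConverter exposes each scope as "SCOPE_<name>".
@Configuration
class ResourceServerSecurityConfig {

    @Bean
    public SecurityFilterChain resourceFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                // Mirrors the asker's @PreAuthorize("#oauth2.hasScope('resource.read')"):
                // the client may call /api/** only if its access token carries that scope.
                .antMatchers("/api/**").hasAuthority("SCOPE_resource.read")
                .anyRequest().denyAll())
            .oauth2ResourceServer(rs -> rs.jwt());
        return http.build();
    }
}
```

With this split, a user whose /userinfo roles include ADMIN sees the client's admin pages, but the resource server still refuses the call unless the access token UAA issued to the client carries `resource.read`; the two decisions can disagree, which is exactly the distinction between who the user is and what the client is allowed to do.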