SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Retrieve token xs.user.attributes (custom) and scopes #500

Closed silvia-giordano closed 3 years ago

silvia-giordano commented 3 years ago

Hello colleagues, we want to use Xsuaa authentication to access our UI / controller. We created our custom template for the token that contains an attribute we need in our code, something like:

[image: custom token template containing the attribute]

For the security configuration we use Spring Security / Spring Security OAuth2 (the config classes are here and here).

At some point in the code of the security config, we want to manipulate the authorities to create custom roles based on the attribute from the token. How can we retrieve the information from the authorization token? Is it possible with this configuration?

Thanks in advance BR

Silvia

liga-oz commented 3 years ago

Hi @silvia-giordano,

If I understood you correctly, your question is how to access the xs.user.attributes value from the decoded token. Which cloud-security-xsuaa-integration modules are you using?

The XsuaaToken class offers the getXSUserAttribute method out of the box to do that.

Here you can read up about some use cases of spring-xsuaa module.

Kind Regards, Liga
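As an added illustration of the answer above (example code, not from the spring-xsuaa project or either participant): a Spring Security resource-server converter that wraps the validated Jwt in XsuaaToken, reads one xs.user.attributes entry with getXSUserAttribute and turns it into authorities. The attribute name "department", the role names and the allow-list mapping are assumptions for illustration; the wiring comment at the end follows the WebSecurityConfigurerAdapter style used in the spring-xsuaa samples.

```java
// Added example, not code from the spring-xsuaa project or the issue author.
// Converts an XSUAA JWT into an Authentication whose authorities come from
// the token scopes plus one xs.user.attributes entry.
import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

import com.sap.cloud.security.xsuaa.token.XsuaaToken;

public class AttributeAuthoritiesConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    // Hypothetical: the attribute name defined in the custom token template.
    private static final String ATTRIBUTE = "department";

    // Hypothetical allow-list. Only values we know about produce a role, so a value
    // that comes from IdP-side configuration can never become an arbitrary
    // authority name inside this application.
    private static final Map<String, String> ROLE_BY_ATTRIBUTE = Map.of(
            "finance", "ROLE_FINANCE",
            "hr", "ROLE_HR");

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        // The Jwt handed in here has already passed signature, issuer and expiry
        // checks in the resource-server filter; XsuaaToken only adds typed accessors.
        XsuaaToken token = new XsuaaToken(jwt);
        Collection<GrantedAuthority> authorities = new ArrayList<>();

        // Keep the XSUAA scopes as authorities, as the library's own converter does.
        for (String scope : token.getScopes()) {
            authorities.add(new SimpleGrantedAuthority(scope));
        }

        // xs.user.attributes entries are multi-valued; treat a missing attribute
        // (null result) the same as an empty one.
        String[] values = token.getXSUserAttribute(ATTRIBUTE);
        if (values != null) {
            for (String value : values) {
                String role = ROLE_BY_ATTRIBUTE.get(value);
                if (role != null) {
                    authorities.add(new SimpleGrantedAuthority(role));
                }
            }
        }
        return new JwtAuthenticationToken(jwt, authorities, token.getLogonName());
    }
}

// Wiring inside a WebSecurityConfigurerAdapter (Spring Security 5 style):
//   http.authorizeRequests()
//           .antMatchers("/finance/**").hasRole("FINANCE")
//           .anyRequest().authenticated()
//       .and().oauth2ResourceServer().jwt()
//           .jwtAuthenticationConverter(new AttributeAuthoritiesConverter());
```

hasRole("FINANCE") matches the ROLE_FINANCE authority added above. The allow-list is the important part: deriving roles by string-concatenating whatever the attribute contains would let anyone who can edit the attribute on the identity provider side mint arbitrary authorities in the application.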

silvia-giordano commented 3 years ago

Hello @liga-oz, thank you for your quick answer. We have these dependencies in our pom (inside the general parent pom):

- com.sap.cloud.security.xsuaa:token-client:jar:2.8.3:compile
- com.sap.cloud.security.xsuaa:api:jar:1.2.0:compile
- com.sap.cloud.security.xsuaa:java-container-security-api:jar:2.16.4:provided
- com.sap.cloud.security.xsuaa:api:jar:1.2.0:compile

But, in fact, we don't use the method provided by XSUAA directly. Are you able to see this configuration class?

In our configuration we never have the token available. So we thought: is it possible to retrieve the information in the token via a REST call at some point?

Thank you again

Kind Regards

Silvia

liga-oz commented 3 years ago

Hi @silvia-giordano ,

Firstly, I would highly recommend upgrading the com.sap.cloud.security.xsuaa versions (the latest one is 2.8.8) and migrating away from java-container-security-api, as it is deprecated. You can find the migration guides here: java-security, spring-xsuaa. I'm presuming you're not using SAPJavaBuildpack.

I can access your configuration class, but the question here is: if you're saying you do not have tokens in your application, how do you then validate incoming requests, and how are they authenticated? Could you describe your application's authentication and authorization flow setup?

If you have the encoded bearer token value, you can create an object of the Token class, which decodes the token, and you then have access to various methods; see here.

Best Regards, Liga
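The reply above describes creating a Token object from an encoded bearer token. As an added example (not from the java-security module or either participant) of how that looks with the java-security module recommended above, and of the check a practitioner must not skip: constructing the Token only base64-decodes the JWT, so the claims are read only after the library's validators have accepted it. The claim accessors used for xs.user.attributes, the attribute name "department" and the way the Authorization header reaches this class are assumptions for illustration.

```java
// Added example, not code from the cloud-security-xsuaa-integration project.
// Reads one xs.user.attributes entry from a raw bearer token with java-security,
// but only after signature, issuer, audience and expiry have been validated.
import java.util.Collections;
import java.util.List;

import com.sap.cloud.security.config.Environments;
import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.json.JsonObject;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.XsuaaToken;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.validators.JwtValidatorBuilder;

public class TokenAttributeReader {

    private static final String XS_USER_ATTRIBUTES = "xs.user.attributes";
    private static final String BEARER_PREFIX = "Bearer ";

    private final CombiningValidator<Token> validators;

    public TokenAttributeReader() {
        // Reads the bound xsuaa service instance (VCAP_SERVICES) and builds the
        // validator chain for it: signature against the JWKS, issuer, audience, expiry.
        OAuth2ServiceConfiguration config = Environments.getCurrent().getXsuaaConfiguration();
        this.validators = JwtValidatorBuilder.getInstance(config).build();
    }

    /**
     * Returns the values of one xs.user.attributes entry, or an empty list when the
     * header is missing, the token does not validate, or the attribute is absent.
     */
    public List<String> readAttribute(String authorizationHeader, String attributeName) {
        if (authorizationHeader == null || !authorizationHeader.startsWith(BEARER_PREFIX)) {
            return Collections.emptyList();
        }

        // This only decodes. It proves nothing about who issued the token, so nothing
        // read from it may influence authorization until validate() has passed.
        Token token = new XsuaaToken(authorizationHeader.substring(BEARER_PREFIX.length()));

        ValidationResult result = validators.validate(token);
        if (!result.isValid()) {
            // Log result.getErrorDescription() server-side; do not echo it to the caller.
            return Collections.emptyList();
        }

        // Claims can be trusted from here on. The claim is a JSON object whose values
        // are string arrays, e.g. {"department": ["finance"]} (constructed sample).
        JsonObject attributes = token.getClaimAsJsonObject(XS_USER_ATTRIBUTES);
        if (attributes == null || !attributes.contains(attributeName)) {
            return Collections.emptyList();
        }
        return attributes.getAsStringList(attributeName);
    }
}
```

The validator chain is built once and reused; building it per request would re-fetch the JWKS on every call. Returning an empty list on failure keeps the caller's authorization decision a simple "no attribute, no role" rather than leaking why the token was rejected.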

silvia-giordano commented 3 years ago

Hello @liga-oz, I think we found out how to do it: we created a custom User Service in our configuration class; this way we are able to call oauth2UserRequest.getAccessToken and finally retrieve everything from the token. As you suggested, we will update the com.sap.cloud.security.xsuaa versions as soon as possible. Thank you anyway BR

Silvia
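The resolution above reads the access token from the OAuth2UserRequest of the Spring Security OAuth2 client login flow. As an added example of that approach (not the issue author's class and not part of the project), the user service below delegates to DefaultOAuth2UserService for the userinfo call, then decodes the access token through a validating JwtDecoder (for XSUAA, the bean built with XsuaaJwtDecoderBuilder from spring-xsuaa) before reading an xs.user.attributes entry with getXSUserAttribute. The attribute name "department" and the ROLE_FINANCE mapping are assumptions for illustration.

```java
// Added example, not code from the issue author or the spring-xsuaa project.
// Custom OAuth2UserService: keeps the userinfo-based principal and adds
// authorities derived from an xs.user.attributes entry of the access token.
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.oauth2.core.user.OAuth2User;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;

import com.sap.cloud.security.xsuaa.token.XsuaaToken;

public class AttributeAwareUserService implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {

    // Hypothetical attribute name from the custom token template.
    private static final String ATTRIBUTE = "department";

    private final OAuth2UserService<OAuth2UserRequest, OAuth2User> delegate = new DefaultOAuth2UserService();
    private final JwtDecoder jwtDecoder;

    // Inject the XSUAA-aware JwtDecoder bean so decode() checks signature and issuer.
    public AttributeAwareUserService(JwtDecoder jwtDecoder) {
        this.jwtDecoder = jwtDecoder;
    }

    @Override
    public OAuth2User loadUser(OAuth2UserRequest userRequest) throws OAuth2AuthenticationException {
        // Default behaviour first: call the userinfo endpoint and build the principal.
        OAuth2User user = delegate.loadUser(userRequest);

        // The raw access token the client just obtained. decode() validates it, so a
        // token that was tampered with or issued elsewhere fails here instead of being trusted.
        Jwt jwt;
        try {
            jwt = jwtDecoder.decode(userRequest.getAccessToken().getTokenValue());
        } catch (JwtException e) {
            throw new OAuth2AuthenticationException(new OAuth2Error("invalid_token"), e);
        }

        Set<GrantedAuthority> authorities = new HashSet<>(user.getAuthorities());
        String[] values = new XsuaaToken(jwt).getXSUserAttribute(ATTRIBUTE);
        if (values != null) {
            for (String value : values) {
                // Hypothetical mapping: only a fixed, known value becomes a role.
                if ("finance".equals(value)) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_FINANCE"));
                }
            }
        }

        // Reuse the configured userinfo name attribute so getName() stays unchanged.
        String nameAttributeKey = userRequest.getClientRegistration().getProviderDetails()
                .getUserInfoEndpoint().getUserNameAttributeName();
        return new DefaultOAuth2User(authorities, user.getAttributes(), nameAttributeKey);
    }
}
```

Register it with http.oauth2Login().userInfoEndpoint().userService(new AttributeAwareUserService(jwtDecoder)). The access token arrives over TLS straight from the token endpoint, but running it through the same decoder the resource-server side uses keeps one validation path and rules out a misconfigured or spoofed client registration silently handing the application unverified claims.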

liga-oz commented 3 years ago

Thanks @silvia-giordano for the update, closing this now. If you have any further questions please open a new issue.