Spring-security: OAuth2 Resource Server Support

Created on 29 Nov 2017 · 8 Comments · Source: spring-projects/spring-security

Summary

We need to provide OAuth2 Resource Server Support.

The following high-level features are to be implemented in the initial version:

  • [x] #5128 Resource Server supports JWT
  • [x] #5125 Resource Server handles missing/invalid Bearer Token
  • [x] #5121 Provide capability for resolving Bearer Token
  • [x] #5130 Resource Server verifies JWT using JWK
  • [x] #5131 Allow configuration of RSA Public Key for Resource Server
  • [x] #5132 Resource Server authz leverages SecurityExpressionOperations
  • [x] #5133 Support custom JWT Claims Set verification
  • [x] #5226 Provide Resource Server Configurer
  • [x] #5227 Resource Server handles insufficient scope
  • [x] #5237 Resource Server supports hasAuthority
  • [ ] #5241 Follow ClaimsAccessor pattern for scope attribute

NOTE:
The spring-security-oauth2-resource-server repository will house the initial development of Resource Server until it's ready to be merged into Spring Security proper.

Labels: oauth2, enhancement

All 8 comments

Hi,
we have implemented an AuthenticationWebFilter including an Oauth2AuthenticationConverter and an Oauth2AuthorizationManager which utilizes the JwtDecoder to process a JWT and set up the security context.

We tried to implement our code into the spring-security project to get rid of this wrapper but unfortunately we struggled around finding the right place for it.

Anyway, we are able to do something like this:

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Wrap the standard ServerHttpSecurity with our OAuth2 support, supplying the
        // JWT-based authentication manager and the converter that extracts the Bearer token
        ServerHttpSecurityOAuth2Support httpSecurity = new ServerHttpSecurityOAuth2Support(http,
                jwtAuthenticationManager(),
                serverOauth2AuthenticationConverter());

        return httpSecurity
                .oauth2()                                       // registers the OAuth2 AuthenticationWebFilter
                .authorizeWithScope("/secure", "RESOURCE_READ") // this path requires the RESOURCE_READ scope
                .serverHttpSecurity()                           // back to the wrapped ServerHttpSecurity
                .authorizeExchange()
                .pathMatchers("/actuator/**").permitAll()
                .and()
                .csrf()
                .disable()
                .build();
    }

On this wrapper we add the filter in the oauth2() method

        // Authenticate the Bearer token at the AUTHORIZATION position of the reactive filter chain
        delegate.addFilterAt(oauth2AuthenticationWebFilter, SecurityWebFiltersOrder.AUTHORIZATION);

and provide a authorizeWithScope() method

    // Require the given scope for requests matching the given path
    public ServerHttpSecurityOAuth2Support authorizeWithScope(String path, String scope) {
        delegate
                .authorizeExchange()
                .pathMatchers(path).access(hasScope(scope));

        return this;
    }

    // Grants access only if the authenticated principal is one of our OAuth2 tokens and
    // carries the scope; an unauthenticated or foreign Authentication yields an empty
    // stream, so hasElement() produces false and access is denied rather than erroring
    private ReactiveAuthorizationManager<AuthorizationContext> hasScope(String scope) {
        return (Mono<Authentication> authentication, AuthorizationContext context) -> authentication
                .filter(Authentication::isAuthenticated)
                .ofType(Oauth2AuthenticationToken.class)   // filter + cast, no ClassCastException
                .flatMapIterable(Oauth2AuthenticationToken::getScopes)
                .hasElement(scope)
                .map(granted -> new AuthorizationDecision(granted));
    }

I know, this work is not very 'sexy' and it is still in progress but if you think you can use it to get this feature done faster we would be very happy to contribute.

Cheers,
A
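The same scope check expressed against the Resource Server support that Spring Security 5.1 eventually shipped, as an added example that is not part of the thread above nor of the Spring Security project itself. It assumes Spring Security 5.1's reactive `oauth2ResourceServer()` DSL, a `ReactiveJwtDecoder` bean provided elsewhere (for example by Spring Boot from the `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` property), and the hypothetical package name and paths shown. It improves on the posted wrapper in two places a defender cares about: a caller authenticated by some other mechanism is denied instead of triggering a `ClassCastException` in the reactive pipeline, and the scope is read from either the space-delimited `scope` claim or the `scp` array that some providers issue.

```java
package com.example.resourceserver; // hypothetical package name

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class ResourceServerConfig {

    // jwtDecoder is assumed to be a bean supplied by Boot auto-configuration
    // (jwk-set-uri property) or declared explicitly elsewhere in the application
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http,
                                                     ReactiveJwtDecoder jwtDecoder) {
        return http
                .csrf().disable()                       // bearer-token API: no session cookie to protect
                .authorizeExchange()
                    .pathMatchers("/actuator/health").permitAll()
                    .pathMatchers("/secure/**").access(hasScope("RESOURCE_READ"))
                    .anyExchange().authenticated()      // everything else needs a valid token
                    .and()
                .oauth2ResourceServer()
                    .jwt()
                        .jwtDecoder(jwtDecoder)         // signature, exp/nbf and issuer checks live here
                        .and()
                    .and()
                .build();
    }

    // Grants access only when the caller is authenticated with a JWT whose scopes
    // contain requiredScope. An unauthenticated caller or an Authentication of any
    // other type produces an empty Mono, which defaultIfEmpty turns into a denial.
    static ReactiveAuthorizationManager<AuthorizationContext> hasScope(String requiredScope) {
        return (authentication, context) -> authentication
                .filter(Authentication::isAuthenticated)
                .ofType(JwtAuthenticationToken.class)   // filter + cast in one step
                .map(token -> scopesOf(token.getToken().getClaims()).contains(requiredScope))
                .defaultIfEmpty(false)
                .map(granted -> new AuthorizationDecision(granted));
    }

    // Normalises the two common scope encodings into a Set:
    //   "scope": "read write"      (space-delimited string, RFC 6749 style)
    //   "scp":   ["read", "write"] (array, used by some providers)
    // Any other shape, or no scope claim at all, yields an empty set (deny).
    static Set<String> scopesOf(Map<String, Object> claims) {
        Object raw = claims.containsKey("scope") ? claims.get("scope") : claims.get("scp");
        if (raw instanceof String) {
            String s = ((String) raw).trim();
            return s.isEmpty() ? Collections.emptySet()
                               : new HashSet<>(Arrays.asList(s.split("\\s+")));
        }
        if (raw instanceof Collection) {
            return ((Collection<?>) raw).stream()
                    .map(String::valueOf)
                    .collect(Collectors.toSet());
        }
        return Collections.emptySet();
    }
}
```

With the 5.1 support installed this way, the framework also maps each scope to a `SCOPE_<name>` granted authority, so `hasAuthority("SCOPE_RESOURCE_READ")` would work for the simple case; the custom manager above is only worth keeping when the claim shape varies between issuers or when the denial behaviour for non-JWT callers must be explicit.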

@doernbrackandre Thank you for the offer, and we definitely can use the help with contributions as we are quite limited on resources now, especially for the Resource Server side of things.

Looking at your sample, our plan is to build out Servlet support first and then focus on a Reactive implementation.

I'm currently focused on building out more support for the client side as we target toward 5.1. Resource Server support will need to wait until some of these higher priority tasks are completed first.

Keep an eye out on this issue, and when we start Resource Server work then any contributions would be greatly appreciated. Thanks!

@doernbrackandre Thanks for the workaround. It would be great if you could provide the complete sample code?

@ksinghbora If you still need it, I will move the code from our private repo to our organization repository in the next few days. Please keep in mind that this code will not be production ready. It is more a reference implementation which needs to be improved.

@doernbrackandre I implemented the same using ServerHttpSecurity.access() and provided a custom ReactiveAuthorizationManager.
I am curious to see your implementation. It would be great if you can share.

@rwinch is there a way we can support in the realization of this feature?

@danielrohe Resource Server features are currently in the works and we're planning on providing initial support in the 5.1 release. You can track this issue for progress.

Closing as Resource Server support has been added in 5.1
