Support multiple resource IDs with Spring OAuth

Kon :

Situation. We are using Spring OAuth to validate a security token (JWT). The token has an aud claim for a particular resource ID. The following code correctly validates any JWT tokens signed with an aud claim containing the client ID resourceId-123:

import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer

@Configuration
class ResourceServerConfig {

  @Bean
  protected ResourceServerConfiguration adminResources2() {
    ResourceServerConfiguration resource = new ResourceServerConfiguration() {
      // Overridden so that Spring Boot does not autowire the global configurers into this instance
      void setConfigurers(List<ResourceServerConfigurer> configurers) {
        super.setConfigurers(configurers)
      }
    }
    resource.setConfigurers(Collections.<ResourceServerConfigurer>singletonList(new ResourceServerConfigurerAdapter() {
      @Override
      void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // Only tokens whose aud claim contains this resource ID are accepted
        resources.resourceId("resourceId-123")
      }

      @Override
      void configure(HttpSecurity http) throws Exception {
        http.antMatcher("/path")
                .authorizeRequests()
                .anyRequest().authenticated()
      }
    }))

    resource.setOrder(3)
    return resource
  }
}

Question. How can we support multiple Client IDs for the same path (in this example above, /path)? I have seen examples of how to configure multiple Beans with different client IDs for different API paths, but I want to protect this resource with 2+ client IDs. Any examples or documentation of how this could be done? Or are we trying to do something fundamentally incorrect?

Raniz :

I think you're going about it the wrong way.

The client ID isn't the same as the audience in Spring Security, rather a client is allowed one or more resource Ids and the JWT may contain multiple audiences.

So I think you should follow the example where you have different resource Ids for different paths, create a new resource ID for the shared paths and add to all the clients that are allowed to access it.

Example:

Paths:

|----------------+-------------|
| Path           | Resource ID |
|----------------+-------------|
| /client1/info  | client1     |
| /client2/info  | client2     |
| /shared/status | all-clients |
|----------------+-------------|

Clients:

|---------+----------------------|
| Client  | Resource IDs         |
|---------+----------------------|
| client1 | client1, all-clients |
| client2 | client2, all-clients |
|---------+----------------------|

It'd be easier to show something if you could provide a runnable example I could tinker with, but with the limited amount of code you have posted this is the best I can do.

Another way to go about it is to use different scopes instead of different audiences. That would remove the need for multiple resource server configurations and you could instead use an expression like #oauth2.hasScope('admin') in .access() or in @PreAuthorize.
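The path/resource-ID layout from the tables above, written out as an added example that is not code from either poster. It assumes Spring Security OAuth2 with a JWT token store configured elsewhere, no competing @EnableResourceServer default configuration, and constructed in-memory client secrets using the Spring Security 5 {noop} encoder prefix; the class, bean and client names are placeholders.

```java
import java.util.Collections;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

@Configuration
public class MultiResourceIdConfig {
  // One resource server per path prefix; each accepts only tokens whose aud claim contains its resource ID.
  private static ResourceServerConfiguration resourceServer(final String path, final String resourceId, int order) {
    ResourceServerConfiguration resource = new ResourceServerConfiguration() {
      // Overridden so Spring Boot does not autowire the global configurers into this instance
      @Override public void setConfigurers(List<ResourceServerConfigurer> configurers) { super.setConfigurers(configurers); }
    };
    resource.setConfigurers(Collections.<ResourceServerConfigurer>singletonList(new ResourceServerConfigurerAdapter() {
      @Override public void configure(ResourceServerSecurityConfigurer resources) { resources.resourceId(resourceId); }
      @Override public void configure(HttpSecurity http) throws Exception {
        http.antMatcher(path).authorizeRequests().anyRequest().authenticated();
      }
    }));
    resource.setOrder(order);
    return resource;
  }

  @Bean public ResourceServerConfiguration client1Resources() { return resourceServer("/client1/**", "client1", 1); }
  @Bean public ResourceServerConfiguration client2Resources() { return resourceServer("/client2/**", "client2", 2); }
  @Bean public ResourceServerConfiguration sharedResources() { return resourceServer("/shared/**", "all-clients", 3); }

  // Authorization server side: each client is granted the shared resource ID on top of its own, so a token
  // issued to client1 carries aud = [client1, all-clients] and is accepted on /client1/** and /shared/**.
  @Configuration
  @EnableAuthorizationServer
  public static class Clients extends AuthorizationServerConfigurerAdapter {
    @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
      clients.inMemory()
          .withClient("client1").secret("{noop}client1-secret") // constructed demo secret; {noop} is the Spring Security 5 encoder id
              .authorizedGrantTypes("client_credentials").scopes("read").resourceIds("client1", "all-clients")
          .and()
          .withClient("client2").secret("{noop}client2-secret")
              .authorizedGrantTypes("client_credentials").scopes("read").resourceIds("client2", "all-clients");
    }
  }
}
```

A token issued to client1 is rejected on /client2/** because its aud lacks client2, while both clients' tokens pass on /shared/**; the orders must stay distinct because each ResourceServerConfiguration is its own WebSecurityConfigurerAdapter.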
