I have a default Spring authorization Server implementation. i want to modify it as per my project requirements. I want to implement customized introspection endpoint in new spring authorization server. I will be having different kinds of tokens, based on token type I want to validate them differently. So I found out by default spring authorization server uses 'OAuth2TokenIntrospectionEndpointFilter', is there a way to use this class or we have to write a new class and add it to server configuration? Thank you.
I tried doing the following.
```java
authorizationServerConfigurer.tokenIntrospectionEndpoint(
        t -> t.authenticationProvider(customTokenAuthProvider)
              .introspectionResponseHandler(successHandler));
```
I want to know if this the right way to do or any other method exists.
It seems you have two goals:
There is actually nothing to code for on the authorization server side to achieve #2, as the introspection endpoint returns all claims for a JWT by default. I'm not clear on what you mean by "validate" here, so I'm assuming you mean validate the token and then obtain claims from it. This is what the introspection endpoint does, no customization required. Do note however that the introspection endpoint is not usually called if the resource server is decoding the JWT locally. This would only happen if the resource server is treating the token as opaque.
In order to achieve #1, simply provide an `OAuth2TokenCustomizer` `@Bean` as demonstrated in the reference documentation. Note: I don't see a need for a custom `AuthenticationProvider`. If you feel you do have a need for one, then I think some details of your use case are missing.
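As an added illustration of the `OAuth2TokenCustomizer` bean the answer points to (example code written for this page, not the answerer's or the project's own), the customizer below tags each access token with a kind and copies the principal's authorities into a claim, so the default introspection endpoint returns them without any custom `AuthenticationProvider`. The claim names `token_kind` and `roles`, the `service` scope convention, and the Spring Authorization Server 1.x package names are assumptions.

```java
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class TokenClaimsConfig {

    // Hypothetical claim names chosen for this example.
    static final String TOKEN_KIND_CLAIM = "token_kind";
    static final String ROLES_CLAIM = "roles";

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
        return context -> {
            // Only access tokens are tagged; ID tokens keep their standard OIDC claims.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }

            // Assumed policy: a "service" scope marks a machine-to-machine token,
            // everything else is treated as a user token. Resource servers can
            // branch on this claim instead of guessing from the subject.
            Set<String> scopes = context.getAuthorizedScopes();
            String kind = scopes.contains("service") ? "service" : "user";
            context.getClaims().claim(TOKEN_KIND_CLAIM, kind);

            // Expose the principal's granted authorities as a claim. Keep this to
            // what resource servers actually need; every claim added here is
            // visible to any client that can call the introspection endpoint.
            Set<String> roles = context.getPrincipal().getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .collect(Collectors.toSet());
            context.getClaims().claim(ROLES_CLAIM, roles);
        };
    }
}
```

With this bean registered, a resource server treating the token as opaque will see `token_kind` and `roles` in the introspection response, while one decoding the JWT locally reads the same claims from the token itself.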