OAuth2LoginAuthenticationProvider with UserDetailsChecker to verify if user is disabled









My security configuration has 3 authentication providers:

  • DaoAuthenticationProvider (for username and password authentication)
  • OidcAuthorizationCodeAuthenticationProvider (for oidc clients)
  • OAuth2LoginAuthenticationProvider (for oauth2 clients)

DaoAuthenticationProvider is using a simple implementation of UserDetailsService which queries the user from the database and returns an org.springframework.security.core.userdetails.User object. I am also using the enabled boolean flag on the User object, which is determined by the database status - if the account is disabled or not. This provider by default uses an implementation of UserDetailsChecker which checks the boolean flags on the user and throws exceptions if any of them are false. Everything works perfectly.



Problem



However, when I am using OAuth2 to log in using Google, for example, the OAuth2LoginAuthenticationProvider by default does not use UserDetailsChecker to verify these flags. So I have injected the checker into my custom implementation of OAuth2UserService.



!! Now when the exception is thrown, ProviderManager first handles the thrown exception and stores it as lastException, but following THIS CODE, as OAuth2LoginAuthenticationProvider has a parent ProviderManager set (which is the DaoAuthenticationProvider), the code continues executing and tries to run the OAuth2 authentication via the Dao provider and fails, which eventually sets the lastException to be "No AuthenticationProvider found for OAuth2LoginAuthenticationProvider" and the authentication fails.



Question



How can I properly check whether a user found in the database is disabled or not through the OAuth/OIDC providers? According to the ProviderManager code this is not possible unless I make my own implementation of it and break the loop there, as described in THIS old similar issue.



I am using the latest and greatest Spring Boot, Spring Security and Spring Security OAuth2 libraries.










      spring spring-security oauth-2.0






      asked Nov 9 at 20:53









      Vaelyr
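The account-status check described in the question, as an added example that is not part of the original post: a user service that delegates to DefaultOAuth2UserService and then runs Spring Security's AccountStatusUserDetailsChecker against the local account. The class name, the error codes, and matching the local user by the provider's "email" attribute are assumptions made for illustration.

```java
import org.springframework.security.authentication.AccountStatusException;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.client.userinfo.DefaultOAuth2UserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.user.OAuth2User;

// Hypothetical class: checks the local account flags after the provider's user-info call.
public class AccountStatusOAuth2UserService
        implements OAuth2UserService<OAuth2UserRequest, OAuth2User> {

    private final OAuth2UserService<OAuth2UserRequest, OAuth2User> delegate = new DefaultOAuth2UserService();
    private final UserDetailsChecker checker = new AccountStatusUserDetailsChecker();
    private final UserDetailsService localUsers; // the same service the Dao provider uses

    public AccountStatusOAuth2UserService(UserDetailsService localUsers) {
        this.localUsers = localUsers;
    }

    @Override
    public OAuth2User loadUser(OAuth2UserRequest request) throws OAuth2AuthenticationException {
        OAuth2User remote = delegate.loadUser(request);
        // Assumption: local accounts are keyed by the "email" attribute the provider returns.
        Object email = remote.getAttributes().get("email");
        if (email == null) {
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("account_not_linked", "No email attribute returned", null));
        }
        try {
            UserDetails local = localUsers.loadUserByUsername(email.toString());
            checker.check(local); // throws DisabledException, LockedException, ... when a flag is false
        } catch (UsernameNotFoundException | AccountStatusException e) {
            // Fail closed with one generic error so the response does not reveal which check failed.
            throw new OAuth2AuthenticationException(
                    new OAuth2Error("account_rejected", "Local account check failed", null), e);
        }
        return remote;
    }
}
```

It can be registered with `http.oauth2Login().userInfoEndpoint().userService(...)`; it does not change how ProviderManager consults its parent.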
