[mitreid-connect] Token Introspection example usage

Duc Nguyen nguyen.d.duc at gmail.com
Wed May 28 10:40:48 EDT 2014


Thanks for the pointers. I'm still trying to get it working but can I ask
about the use-case that the Token Introspecting Client Filter is meant for?
We're trying to implement SSO as follows:

   1. User logs into portal (portal web app authenticates with
   Authorization Server)
   2. User credentials determine the list of applications (all web apps)
   the user has access to
   3. Clicking on an app automatically single-sign-ons the user (no
   confirmation)

I thought that we could use Token Introspecting Client Filter in step 3?

Here's my Spring config, but no luck in getting the filter to kick in. I'm
new to all this so thanks for the patience.

    <security:http pattern="/introspect"
                   create-session="stateless"
                   entry-point-ref="oauthAuthenticationEntryPoint"
                   use-expressions="true">
        <security:intercept-url pattern="/introspect" access="permitAll" />
        <security:custom-filter before="PRE_AUTH_FILTER"
                                ref="resourceServerFilter" />
    </security:http>

    <oauth2:resource-server id="resourceServerFilter"
                            token-services-ref="introspectingService" />

    <bean id="introspectingService"
          class="org.mitre.oauth2.introspectingfilter.IntrospectingTokenService">
        <property name="introspectionConfigurationService"
                  ref="defaultIntrospectionConfigurationService"/>
        <property name="introspectionAuthorityGranter"
                  ref="defaultIntrospectionAuthorityGranter"/>
    </bean>

    <bean id="defaultIntrospectionConfigurationService"
          class="org.mitre.oauth2.introspectingfilter.service.impl.StaticIntrospectionConfigurationService">
        <property name="introspectionUrl"
                  value="http://localhost:8080/openid-connect-server-webapp/introspect" />
        <property name="clientConfiguration">
            <bean class="org.mitre.oauth2.model.RegisteredClient">
                <property name="clientId" value="client"/>
                <property name="clientSecret" value="secret"/>
            </bean>
        </property>
    </bean>

    <bean id="defaultIntrospectionAuthorityGranter"
          class="org.mitre.oauth2.introspectingfilter.service.impl.SimpleIntrospectionAuthorityGranter"/>

On Tue, May 27, 2014 at 6:36 PM, Justin Richer <jricher at mit.edu> wrote:

> No, there isn’t one at this time, but that’s not a bad idea to have
> something like that in the future.
>
> In the absence of that, you just need to set up an OAuth 2 resource server
> from Spring Security OAuth. You can find examples within that project — the
> bean creates a filter that you then add to your “http” block. Then wire in
> the “token services” of that filter bean with a copy of the
> “IntrospectingTokenServices” class, configured to talk to your
> authorization server. This will effectively act as a stand-in for the usual
> database-backed token services. From that point, it’s pretty much just
> using Spring Security and Spring Security OAuth like normal.
>
> The documentation on the wiki page really should have the most
> comprehensive information:
>
>
> https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Token-Introspecting-Client-Config
>
>  — Justin
>
> On May 27, 2014, at 6:27 PM, Duc Nguyen <nguyen.d.duc at gmail.com> wrote:
>
> > Hello, is there an example (similar to simple-web-app) of how to use
> Token Introspection? I've read the source & documentation and been at this
> the last couple of days so any help would be greatly appreciated. Thanks,
> -Duc
> > _______________________________________________
> > mitreid-connect mailing list
> > mitreid-connect at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>
>
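As an added illustration of the exchange Justin describes (an introspecting token service standing in for the database-backed one), here is a self-contained Python sketch of both sides of a token introspection round trip, the protocol MITREid's /introspect endpoint implements (later standardized as RFC 7662): the authorization server's endpoint and the resource server's accept/reject decision. This is not MITREid or Spring Security OAuth code. The token table, the client registry (client/secret as in the RegisteredClient bean above), and the fixed clock are constructed for the example, and no network call is made.

```python
"""Token introspection round trip, both sides, with no network.
Added illustration; not MITREid or Spring Security OAuth code."""
import base64
from urllib.parse import parse_qs, urlencode

# --- constructed data standing in for the authorization server's database ---
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic

TOKENS = {
    "tok-good": {"active": True, "scope": "openid profile", "client_id": "client",
                 "sub": "alice", "exp": NOW + 600, "iat": NOW - 60,
                 "token_type": "Bearer"},
    "tok-expired": {"active": True, "scope": "openid", "client_id": "client",
                    "sub": "bob", "exp": NOW - 5, "iat": NOW - 900,
                    "token_type": "Bearer"},
}

# Clients allowed to call /introspect (constructed; mirrors the thread's
# RegisteredClient bean with clientId "client" and clientSecret "secret").
INTROSPECTION_CLIENTS = {"client": "secret"}


def _basic_auth(client_id, client_secret):
    """HTTP Basic credential for client authentication at the endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def introspection_endpoint(headers, body, now=NOW):
    """Authorization-server side: answers POST /introspect.
    Returns (status, json_dict). The caller must authenticate; an unknown,
    revoked or expired token is reported as {"active": false}, never as an
    error, so callers cannot probe which tokens were ever issued."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        cid, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    if INTROSPECTION_CLIENTS.get(cid) != secret:
        return 401, {"error": "invalid_client"}
    form = parse_qs(body)
    token = form.get("token", [""])[0]
    record = TOKENS.get(token)
    if record is None or not record["active"] or record["exp"] <= now:
        return 200, {"active": False}
    return 200, dict(record)


def introspect(token, client_id, client_secret, endpoint=introspection_endpoint):
    """Resource-server side: what a token service backed by introspection does.
    Builds the form-encoded request, authenticates with HTTP Basic, and
    returns the parsed response dict."""
    headers = {"Authorization": _basic_auth(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"token": token})
    status, response = endpoint(headers, body)
    if status != 200:
        raise PermissionError(f"introspection client rejected: {response}")
    return response


def authorize_request(bearer_token, required_scope, now=NOW):
    """The filter decision for one protected request: accept only an active,
    unexpired token carrying the scope the resource requires. Returns the
    subject on success (the caller would build the Authentication from it)
    and None otherwise."""
    info = introspect(bearer_token, "client", "secret")
    if not info.get("active"):
        return None
    # Defensive re-check even though the endpoint already filters expired tokens.
    if info.get("exp") is not None and info["exp"] <= now:
        return None
    granted = set(info.get("scope", "").split())
    if required_scope not in granted:
        return None
    return info.get("sub")


if __name__ == "__main__":
    print(authorize_request("tok-good", "profile"))    # alice
    print(authorize_request("tok-good", "admin"))      # None: scope not granted
    print(authorize_request("tok-expired", "openid"))  # None: reported inactive
    print(authorize_request("tok-unknown", "openid"))  # None: reported inactive
```

The split of work is the point: the authorization server is the only party that knows whether a token is live, and the resource server never inspects the token itself, it only trusts the introspection answer. That is also why the resource server's own credentials to the endpoint matter: anyone who can call /introspect with them can learn the subject and scopes behind any token they hold.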