AuthenticationPrincipal is null only with Postman request

ranadheer.machineni · April 12, 2020, 10:53am

I am trying run below application in my local(with necessary config changes related to OKTA) https://github.com/oktadeveloper/okta-spring-security-authentication-example/tree/master/oauth-okta

All is working fine when application is accessed by browser. authentication is working fine at OKTA and redirected to application correctly.

but when i tried the same API using postman, OidcUser is coming as null. I generated accessToken from postman with grant_type client_credentials

@AuthenticationPrincipal OidcUser oidcUser

any clues?

-R

mraible · April 12, 2020, 5:16pm

My guess is this is how Spring Security works. It will populate this parameter if you login with a browser, but not if you send an access token. You could use the access token to call the /userinfo endpoint and get the user’s information that way. Or you could use Jwt instead of OidcUser, like this example shows.

@GetMapping("/")
public String index(@AuthenticationPrincipal Jwt jwt) {
    return String.format("Hello, %s!", jwt.getSubject());
}

ranadheer.machineni · April 12, 2020, 7:26pm

Thank you so much @mraible

david.arteaga · December 15, 2020, 12:39am

What could we do to make Spring provide the OidcUser (or any Principal for that matter) directly in controller methods when using only an access_token for auth?