AuthenticationPrincipal is null only with Postman request

Questions
1

I am trying run below application in my local(with necessary config changes related to OKTA) https://github.com/oktadeveloper/okta-spring-security-authentication-example/tree/master/oauth-okta

All is working fine when application is accessed by browser. authentication is working fine at OKTA and redirected to application correctly.

but when i tried the same API using postman, OidcUser is coming as null. I generated accessToken from postman with grant_type client_credentials

@AuthenticationPrincipal OidcUser oidcUser

any clues?

-R

2

My guess is this is how Spring Security works. It will populate this parameter if you login with a browser, but not if you send an access token. You could use the access token to call the /userinfo endpoint and get the user’s information that way. Or you could use Jwt instead of OidcUser, like this example shows.

@GetMapping("/")
public String index(@AuthenticationPrincipal Jwt jwt) {
    return String.format("Hello, %s!", jwt.getSubject());
}
1 Like
3

Thank you so much @mraible

4

What could we do to make Spring provide the OidcUser (or any Principal for that matter) directly in controller methods when using only an access_token for auth?

5

I could be wrong, but I don’t think there would be a way to do this without some fundamental changes to Spring Security. I suppose it depends on your goal, but maybe switching out OidcUser for Jwt would work, since providing the JWT in an Authorization header will allow you to get necessary claims and the user id / sub claim.

6

I get the same behavior, the user is null but I am a bit confused because according to the example here:

The user should not be null using curl (so I suppose using postman either).

7

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.