Originally, I created an API and followed these two articles to authorize usage of the API on SpringBoot. The work was done/tested, all was well.
Example controller method:

    @GetMapping("/users")
    public void getData(
            @AuthenticationPrincipal final OidcUser user
    ) {
        // ... do stuff with "user" as the source
    }
We then moved on to the front-end SPA for the app, which (for security) doesn’t have a client secret. When the authToken is passed as a bearer token, “user” is null.
I was able to figure out how to receive the accessToken, but since my entire API is written around the OidcUser object, it’s no longer compatible.
Example controller method:

    @GetMapping("/users")
    public void getData(
            final JwtAuthenticationToken authentication
    ) {
        // ... do stuff with "authentication" as the source
    }
Switching the method in this way gets the information correctly, but Swagger can no longer interpret the logged-in user when hitting the API directly.
I’m assuming I can go through the hoops and construct the OidcUser object and call the methods accordingly, but that feels like a hack job.
So before I do that (or rewrite), can someone give some direction on what the “proper” way to do this is? Users will primarily log in via the SPA, but I’d like Swagger to work as well. Additionally, the backend API needs to authorize based on the groups the user has access to.
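One approach to the situation described above, as an added example rather than code from the original post: let the controller accept the generic Authentication and normalize it to a ClaimAccessor, since both OidcUser (session login via oauth2Login, which is what Swagger UI uses) and Jwt (bearer token via oauth2ResourceServer, which is what the SPA sends) implement that interface, so the group check and the rest of the API read claims the same way regardless of the path. It assumes the security filter chain enables both oauth2Login() and oauth2ResourceServer().jwt(), and the claim name "groups" and required group "api-users" are hypothetical placeholders for whatever your authorization server issues.

```java
import java.util.List;
import java.util.Map;

import org.springframework.http.ResponseEntity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.ClaimAccessor;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    // Hypothetical claim name and group; replace with what your IdP actually issues.
    private static final String GROUPS_CLAIM = "groups";
    private static final String REQUIRED_GROUP = "api-users";

    @GetMapping("/users")
    public ResponseEntity<Map<String, Object>> getData(final Authentication authentication) {
        ClaimAccessor claims = claimsOf(authentication);

        // Group-based authorization works identically for both login paths,
        // because the groups claim is read through the common ClaimAccessor view.
        List<String> groups = claims.getClaimAsStringList(GROUPS_CLAIM);
        if (groups == null || !groups.contains(REQUIRED_GROUP)) {
            return ResponseEntity.status(403).build();
        }
        return ResponseEntity.ok(Map.of(
                "sub", claims.getClaimAsString("sub"),
                "groups", groups));
    }

    /**
     * Normalizes the principal to a ClaimAccessor: OidcUser for a browser session
     * established by oauth2Login (Swagger UI), Jwt for a bearer token validated by
     * oauth2ResourceServer (the SPA). Anything else is rejected rather than guessed at.
     */
    static ClaimAccessor claimsOf(Authentication authentication) {
        Object principal = authentication == null ? null : authentication.getPrincipal();
        if (principal instanceof OidcUser oidcUser) {
            return oidcUser;
        }
        if (principal instanceof Jwt jwt) {
            return jwt;
        }
        throw new IllegalStateException("Unsupported principal type: " + principal);
    }
}
```

Note that the ID token (OidcUser) and the access token (Jwt) are different tokens and may carry different claim sets, so the groups claim has to be present in both for this to behave the same on each path.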