I don't know if I worded this question correctly, Spring Security is something I'm not very familiar with.
In my spring boot application the login is done with OAuth 2.0 and gluu. So far it works well and without issue. However, after the user logs in I check whether a user with the ID provided by the gluu server exists in our database because I need additional information on the user. Now, this is done after the login when checking things like permissions and fetching user-specific properties like settings. If the user does not exist on our end I get a NullPointerException. This case should (in an ideal world) not happen but I'd still like to handle it properly.
I'd like to make that check happen as part of the authorization process, so the login fails if we don't have any information on the user instead of checking it after the login has completed.
Does that make sense? I'm having a hard time wording it properly so I couldn't find any useful results on google. A link to some tutorial or docs would be greatly appreciated!
If you want to do it in spring-security, you can provide a
Converter<Jwt, AbstractAuthenticationToken>@Bean (to replace defaultJwtAuthenticationConverter).This bean would call your user repo (maybe on a @Cachable method) and could even return an
Authenticationof your own with all user data you need for your security rules (maybe either create missing user record in databse or returnAnonymousAuthenticationTokenwhen user is not known in your system).I have something a bit like that in this tutorial (extra user data is retrieved from token private claims and not from a database, but you get the idea).