I'm developing a Spring Boot Web Application. Quickstarted the project using maven and Spring Initializer.
I configured Spring Security so that the user must login via OAuth2 authorization code grant flow using a client registration named "A" (real name omitted for security reasons).
Everything is working fine, unauthenticated users can only access a welcome page. All other requests are configured as "authenticated" using antmatchers and need the user to complete the authorization flow in order to be able to access them.
Now... I have a subset of endpoints that will match with the antmatcher string "trv/**" that will need another level of authentication which is represented by ANOTHER OAuth2 Client registration named "B". Unfortunately this server only offers authorization code grant flow, so I need to trigger that when a user tries to access any uri matching "trv/--".
I can not figure out what should I do in order to achieve this behaviour using the Spring Security documentation alone. Can someone guide me through the process?
Do I have to implement some custom component that intercepts the requests?
The only thing I found until now is that I could protect the endpoints behind an Authority like ROLE_TRV_USER or something similar and give that authority to the SecurityContext when the user successfully logs in with the "B" client registration, but this will only happen AFTER the login is successful and that is the thing I need to figure out how to do.
I tried to implement a custom request resolver but with no idea where to use it or to put it in order to make it work.