I have a Spring Boot web application using Spring Security, which uses OAuth2 with AWS Cognito. I'm using spring-boot-starter-oauth2-client.
Access to paid areas of the website is determined by the user's group in Cognito.
When a user makes a purchase on my site via Stripe, a webhook listens for the completed purchase, and adds the User to a Group in Cognito.
The question is: how do I refresh the access token to get the user's updated groups, so the user doesn't have to log out and log in again?
Where I've got to...
I'm using the AWS Java SDK to refresh the token:
import java.util.Map;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthFlowType;
// Cognito expects the refresh token under the "REFRESH_TOKEN" auth parameter
Map<String, String> authParams = Map.of("REFRESH_TOKEN", refreshToken);
AdminInitiateAuthResponse response = cognitoClient.adminInitiateAuth(AdminInitiateAuthRequest.builder()
        .authFlow(AuthFlowType.REFRESH_TOKEN_AUTH)
        .clientId(appClientId)
        .userPoolId(userPoolId)
        .authParameters(authParams)
        .build());
I'm sending the Refresh Token in authParams, and I can get the new Access Token from the response.
But then I don't know how/where to set that new Access Token in Spring Security. The user's group hasn't updated (in Spring - it has updated in Cognito) and the user can't access the content.
- Is this the right way to update the user's groups in Spring (by refreshing the access token)?
- How/where do I manually set the new access token in Spring Security?
Edit: Or alternatively, I could just forget about refreshing the token, and just manually edit the role myself... is that possible? Something like:
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.CurrentSecurityContext;
import org.springframework.web.bind.annotation.GetMapping;

@GetMapping("/success")
public String success(@CurrentSecurityContext(expression = "authentication") Authentication auth) {
    // I can _read_ the groups (the authorities) here
    auth.getAuthorities(); // this lists the Cognito groups
    // but can I manually _set_ a new authority somehow?? (there isn't a setter)
    return "success"; // view name
}
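As an added illustration of the "manually set the authority" alternative asked about above (this is example code written for this page, not code from the question, from Spring Security or from AWS): authorities on an `Authentication` are immutable, so the usual approach is to build a new principal and a new `OAuth2AuthenticationToken` carrying the extra authority, then store it both in the `SecurityContextHolder` and in the session-backed `SecurityContextRepository`. The class `SessionAuthorityUpdater` and its `grant` method are hypothetical names. The code assumes Spring Boot 3 / Spring Security 6 (jakarta servlet API), an OIDC login so the principal is an `OidcUser`, and that Cognito groups are mapped to authorities using the raw group name with no `ROLE_` prefix.

```java
import java.util.ArrayList;
import java.util.List;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Component;

/**
 * Hypothetical helper (not part of Spring Security) that replaces the current
 * user's Authentication with one carrying one extra authority. Call it only
 * after the server side has confirmed the entitlement (e.g. the Stripe webhook
 * has run and the user is really in the Cognito group); never derive the group
 * name from anything the browser sends.
 */
@Component
public class SessionAuthorityUpdater {

    // Same repository type the default OAuth2 login uses to keep the context in the HTTP session
    private final SecurityContextRepository contextRepository = new HttpSessionSecurityContextRepository();

    public Authentication grant(String cognitoGroup, HttpServletRequest request, HttpServletResponse response) {
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (!(current instanceof OAuth2AuthenticationToken token)
                || !(token.getPrincipal() instanceof OidcUser user)) {
            throw new IllegalStateException("expected an OIDC (OAuth2AuthenticationToken/OidcUser) login");
        }

        // Assumption: groups are mapped 1:1 to authority names; adjust if your mapper adds a ROLE_ prefix
        GrantedAuthority added = new SimpleGrantedAuthority(cognitoGroup);
        if (current.getAuthorities().contains(added)) {
            return current; // already granted, nothing to change
        }
        List<GrantedAuthority> authorities = new ArrayList<>(current.getAuthorities());
        authorities.add(added);

        // There is no setter for authorities, so rebuild the principal and the token with the new set.
        // The ID token and user info are reused unchanged; only the in-session authorities differ.
        OidcUser updatedUser = new DefaultOidcUser(authorities, user.getIdToken(), user.getUserInfo());
        OAuth2AuthenticationToken updated = new OAuth2AuthenticationToken(
                updatedUser, authorities, token.getAuthorizedClientRegistrationId());
        updated.setDetails(current.getDetails());

        // Install it for the current request AND persist it to the session: in Spring Security 6
        // the context is no longer saved automatically at the end of the request.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(updated);
        SecurityContextHolder.setContext(context);
        contextRepository.saveContext(context, request, response);
        return updated;
    }
}
```

Two caveats worth keeping in mind with this approach. First, it changes only this session's authorities; the access and ID tokens stored in the `OAuth2AuthorizedClient` still carry the old `cognito:groups` claim, so any downstream resource server that validates the token will not see the new group until the token is actually refreshed. Second, if the login was configured with a custom user-name attribute (for example `cognito:username`), pass that key to the four-argument `DefaultOidcUser` constructor so the rebuilt principal keeps the same name.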