High level Summary
When using the WebFlux security configuration, the user details scope populated inside the Authentication object during the "ReactiveUserDetailsService" call is missing in the AuthorizationManager.
Actual Behavior
The Authentication object inside our custom "ReactiveAuthorizationManager" does not have the user details that are populated in our custom "ReactiveUserDetailsService".
Expected Behavior
The Authentication object inside "ReactiveAuthorizationManager" should have the user details populated up the chain in the "ReactiveUserDetailsService".
Step By Step flow
Below is our flow and a detailed summary.
- AuthenticationWebFilter (we create our own instance of AuthenticationWebFilter and register the respective managers, handlers, entry points, etc.).
- CustomReactiveAuthenticationManager (our own) is registered with the AuthenticationWebFilter
- CustomReactiveUserDetailsService (our own) is registered with the ReactiveAuthenticationManager
- Once the ReactiveUserDetailsService calls the remote server and authenticates the request successfully, a Scope (User Details) is populated inside the Authentication.
- The rest is all security framework flow: the success handler is called.
- Then the "SecurityContextServerWebExchangeWebFilter" is called.
- At last the AuthorizationWebFilter is executed and the registered "AuthorizationManager" is invoked.
- CustomAuthorizationManager (our own) is registered in the "authorizeExchange.pathMatchers.access"
- We find that the UserDetails is missing inside the Authentication object when it reaches the custom AuthorizationManager.
Configuration
We are using "NoOpServerSecurityContextRepository"; not sure if this is the issue. We are a stateless service API and hence cannot use "WebSessionServerSecurityContextRepository". Moreover, this is a per-request execution in which we are trying to get the context.
Version
Sample
I have created the git repository below for reference. Call the GET /v1/context API, which invokes the "RbsAuthorizationManager", and note that the Authorization there is missing the "userDetails".
https://github.com/psathesh/auth-client-java-reactive
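For comparison with the flow described in the report, the following is an added example (not code from the reporter's repository or from the Spring Security project) of a stateless WebFlux configuration with the same pieces: a custom `AuthenticationWebFilter`, a custom `ReactiveAuthenticationManager` backed by a `ReactiveUserDetailsService`, `NoOpServerSecurityContextRepository`, and a custom `ReactiveAuthorizationManager` registered through `authorizeExchange().pathMatchers().access()`. It assumes Spring Security 5.1 or later (for `ServerAuthenticationConverter`) and Spring Boot; the class name, the bearer-header convention, the in-memory user `alice` and the `/v1/context` path are illustrative assumptions. The point it makes is that the `Authentication` handed to the authorization manager is exactly the object the authentication manager returns, so the user details survive only if that object carries them (here as the principal); the `NoOp` repository affects what is saved across requests, not what the rest of the current request's filter chain sees.

```java
// Added example, not the reporter's sample: stateless WebFlux security where the
// Authentication returned by the custom manager carries the UserDetails as its
// principal, so a custom ReactiveAuthorizationManager can read them.
// Assumes Spring Security 5.1+ and Spring Boot; names below are illustrative.
package example.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
import reactor.core.publisher.Mono;

@Configuration
public class StatelessSecurityConfig {

    // Stand-in for the remote lookup in the report: a constructed in-memory user (assumption).
    @Bean
    ReactiveUserDetailsService userDetailsService() {
        UserDetails alice = User.withUsername("alice").password("{noop}unused").roles("API").build();
        return username -> "alice".equals(username) ? Mono.just(alice) : Mono.empty();
    }

    // Custom manager: resolves the incoming token to a user and returns a NEW authenticated
    // token whose principal is the UserDetails. If the manager instead returned a token whose
    // principal is only the username String, the authorization manager would see only that.
    // A real manager also validates the credential; this one only looks the user up (assumption).
    @Bean
    ReactiveAuthenticationManager authenticationManager(ReactiveUserDetailsService users) {
        return authentication -> users.findByUsername(authentication.getName())
            .switchIfEmpty(Mono.error(new BadCredentialsException("unknown user")))
            .<Authentication>map(user ->
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities()));
    }

    // Custom converter: "Authorization: Bearer <username>" -> unauthenticated token (assumption;
    // a real service would carry an opaque token and validate it in the manager).
    ServerAuthenticationConverter bearerConverter() {
        return exchange -> Mono
            .justOrEmpty(exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION))
            .filter(header -> header.startsWith("Bearer "))
            .<Authentication>map(header ->
                new UsernamePasswordAuthenticationToken(header.substring(7), header.substring(7)));
    }

    // Custom authorization manager: grants access only when the principal is the UserDetails
    // populated above. This is the check that fails if the details were dropped earlier.
    ReactiveAuthorizationManager<AuthorizationContext> userDetailsRequired() {
        return (authentication, context) -> authentication
            .filter(Authentication::isAuthenticated)
            .map(auth -> auth.getPrincipal() instanceof UserDetails)
            .map(AuthorizationDecision::new)
            .defaultIfEmpty(new AuthorizationDecision(false));
    }

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                  ReactiveAuthenticationManager manager) {
        AuthenticationWebFilter authFilter = new AuthenticationWebFilter(manager);
        authFilter.setServerAuthenticationConverter(bearerConverter());
        // Stateless: nothing is saved between requests. On success the AuthenticationWebFilter
        // still places the SecurityContext in the Reactor Context for the remainder of this
        // request's chain, which is where the AuthorizationWebFilter reads it from.
        authFilter.setSecurityContextRepository(NoOpServerSecurityContextRepository.getInstance());

        return http
            .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
            .csrf().disable()
            .httpBasic().disable()
            .formLogin().disable()
            .addFilterAt(authFilter, SecurityWebFiltersOrder.AUTHENTICATION)
            .authorizeExchange()
                .pathMatchers("/v1/context").access(userDetailsRequired())
                .anyExchange().authenticated()
            .and()
            .build();
    }
}
```

With this wiring, `curl -H "Authorization: Bearer alice" http://localhost:8080/v1/context` reaches the handler, while a request for an unknown user is rejected by the manager and a request with no header is denied by `userDetailsRequired()`. A useful check when debugging a flow like the one in the report is to log `authentication.getPrincipal().getClass()` inside the authorization manager: it shows directly whether the object produced by the authentication manager, rather than some earlier unauthenticated token, is the one that arrived.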
Comment From: psathesh
I have updated the above sample, did a little cleanup to slim it down, and also updated the ReadMe file with instructions.
https://stackoverflow.com/questions/49783878/webflux-security-context-issue-authentication-is-missing-user-details-5225
Comment From: eleftherias
Thanks for getting in touch, I have responded to your question on Stack Overflow.