ServerBearerTokenAuthenticationConverter does not offer too many options for customization:

- All its methods are private, so not overridable
- Only customization options are setAllowUriQueryParameter and setBearerTokenHeaderName
- It would be great if authorizationPattern could be configurable, or at least the "Bearer" part ignorable; as well as parameterToken
- It would be great if allowed for looking the jwt from a cookie, or at least easy to extend in order to embed this behavior
- It would be great if this could be autoconfigured by simply exposing it as @Bean, like servlet's BearerTokenResolver counterpart

I know some are not oauth2 compliant, but it can serve similar systems and they don't hurt if not used as defaults anyway

Thanks!

Comment From: sjohnr

Hi @nightswimmings, thanks for the enhancement suggestion.

I wonder if you could be more specific with details of your use case? There are quite a few suggestions in your description but not many details on what you're trying to do. Would implementing the ServerAuthenticationConverter interface directly be achievable to solve your use case? Are there any challenges with implementing it yourself?

Comment From: jzheaux

> It would be great if allowed for looking the jwt from a cookie, or at least easy to extend in order to embed this behavior

Note a related ticket https://github.com/spring-projects/spring-security/issues/9230

Comment From: nightswimmings

Hi @sjohnr. I had to inherit ServerAuthenticationConverter, yes, but I thought there was no reason to avoid proposing having flexibility once we have ServerBearerTokenAuthenticationConverter. Frankly, the cookie part is the biggest miss in my use case @jzheaux

Comment From: sjohnr

Ok, great. Thanks @nightswimmings! So for now, I'm going to close this as a duplicate of #9230, thanks @jzheaux. If there's anything else from this issue you'd like to discuss, we can reopen and do that.
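
The approach discussed in this thread, implementing ServerAuthenticationConverter directly so the token can also come from a cookie, could look like the sketch below. It is an added example, not code from the issue or from Spring Security; the class name `CookieOrHeaderBearerTokenConverter`, the cookie name passed in, and the choice to reject requests that carry a token in both places are assumptions.

```java
import org.springframework.http.HttpCookie;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
// Older 5.x releases keep this class in org.springframework.security.oauth2.server.resource
import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
import org.springframework.security.web.server.authentication.ServerAuthenticationConverter;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Hypothetical converter: header lookup is delegated, cookie lookup is added on top.
public final class CookieOrHeaderBearerTokenConverter implements ServerAuthenticationConverter {

    private final ServerAuthenticationConverter headerConverter; // e.g. a ServerBearerTokenAuthenticationConverter
    private final String cookieName;                             // assumed name, chosen by the application

    public CookieOrHeaderBearerTokenConverter(ServerAuthenticationConverter headerConverter,
                                              String cookieName) {
        this.headerConverter = headerConverter;
        this.cookieName = cookieName;
    }

    @Override
    public Mono<Authentication> convert(ServerWebExchange exchange) {
        HttpCookie cookie = exchange.getRequest().getCookies().getFirst(cookieName);
        boolean hasCookie = cookie != null && !cookie.getValue().isEmpty();

        return headerConverter.convert(exchange)
            // A token in both the header and the cookie is ambiguous: fail closed
            // instead of silently preferring one source.
            .flatMap(fromHeader -> hasCookie
                ? Mono.<Authentication>error(new OAuth2AuthenticationException(
                      BearerTokenErrors.invalidRequest("Found multiple bearer tokens in the request")))
                : Mono.just(fromHeader))
            // No header token: fall back to the cookie. The resource server's
            // authentication manager still validates the JWT as usual.
            .switchIfEmpty(Mono.defer(() -> hasCookie
                ? Mono.<Authentication>just(new BearerTokenAuthenticationToken(cookie.getValue()))
                : Mono.<Authentication>empty()));
    }
}
```

The converter is registered with `bearerTokenConverter(...)` on the `oauth2ResourceServer()` spec of `ServerHttpSecurity`. Because browsers attach cookies automatically, CSRF protection has to stay enabled for any endpoint that accepts the cookie-borne token.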