Home/ Questions/Q 8046397
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T05:46:24+00:00

I am trying to handle a situation when after an successful authentication with openId

  • 0

I am trying to handle a situation when after an successful authentication with openId provider I discover that there is no account in my db associated with user openId identifier.

Can you tell me how should I handle the situation. Now, I am displaying register form and ask a user for creating an account. However, I have a problem with user authentication status, he is now being seen as authenticated by spring SecurityContext class.

How do I deauthenticate user in my controller action before redirecting to ”register new user page”? Is this approach a good one or should I do it in some other way?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Ok, so separating authentication from authorization as was mentioned in Samuel’s post was really helpful. However there are still many gotchas and I found deauthentication still a must because there is no easy way in spring to add to user new roles. So the easiest way is to force user to login again and let spring handle role assignment during login.

    In order to deauthenticate user in spring security you have to invoke:

    SecurityContextHolder.clearContext();

    as an alternative you can throw an exception in your UserDetailsService implementation (see below). It has the downside that you would deauthenticate user and lose user context data so it would be impossible to match new user accout with openid account during process of creating new local account. And you have to match those account after user login with traditional username and password. My solution was to deauthenticate user just after creating new account.

    In order to grant user roles(privileges) you have to override UserDetailsService, in case someone find this useful here is my implementation:

    public final class MyUserDetailsService implements UserDetailsService {
    private final UsersDao usersDao;

    @Autowired
    public UserDetailsServiceImpl(final UsersDao usersDao) {
        this.usersDao = usersDao;
    }

    @Override
    public UserDetails loadUserByUsername(final String username) {      
            UserEntity user = usersDao.getUserByOpenIdIdentifier(username);
            if (user == null) {
                    // there is no such user in our db, we could here throw
                    // an Exception instead then the user would also be deuthenticated 
                    return new User(username, "", new ArrayList<GrantedAuthority>());
            }

            //here we are granting to users roles based on values from db
            final Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            authorities.add(new SimpleGrantedAuthority(user.getUserType().toString()));

            final UserDetails result = new User(username, "", authorities);

            return result;
    }
}
    • 0