Take Authentication in extractor

Playing around with having the AuthoritiesExtractor take an
Authentication instead of an AbstractOAuth2Token.

Also, renamed to AuthoritiesExtractor since it is now a bit more
generic.

Issue: gh-37

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/resourceserver/ResourceServerConfigurer.java

@@ -27,7 +27,7 @@
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.config.annotation.web.configurers.SessionManagementConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
-import org.springframework.security.oauth2.core.ClaimAccessorAuthoritiesExtractor;
+import org.springframework.security.oauth2.core.AuthoritiesExtractor;
 import org.springframework.security.oauth2.core.OAuth2TokenVerifier;
 import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
 import org.springframework.security.oauth2.jwt.Jwt;
@@ -108,15 +108,15 @@ public JwtAccessTokenFormatConfigurer jwt(JwtDecoder decoder) {
 	public class JwtAccessTokenFormatConfigurer {
 		protected JwtDecoderConfigurer jwtDecoder = new JwtDecoderConfigurer();
 		private Collection<OAuth2TokenVerifier<Jwt>> verifiers = new ArrayList<>();
-		private ClaimAccessorAuthoritiesExtractor extractor = (jwt) -> Collections.emptyList();
+		private AuthoritiesExtractor extractor = (authentication) -> Collections.emptyList();
 
 		public JwtAccessTokenFormatConfigurer() {}
 
 		public JwtAccessTokenFormatConfigurer(JwtDecoder decoder) {
 			this.jwtDecoder.decoder(decoder);
 		}
 
-		public JwtAccessTokenFormatConfigurer authoritiesExtractor(ClaimAccessorAuthoritiesExtractor extractor) {
+		public JwtAccessTokenFormatConfigurer authoritiesExtractor(AuthoritiesExtractor extractor) {
 			this.extractor = extractor;
 			return this;
 		}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/core/ClaimAccessorAuthoritiesExtractor.java → oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/core/AuthoritiesExtractor.java

@@ -16,10 +16,11 @@
 
 package org.springframework.security.oauth2.core;
 
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 
 import java.util.Collection;
 
-public interface ClaimAccessorAuthoritiesExtractor {
-	Collection<? extends GrantedAuthority> extractAuthorities(ClaimAccessor accessor);
+public interface AuthoritiesExtractor {
+	Collection<? extends GrantedAuthority> extractAuthorities(Authentication authentication);
 }

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/resourceserver/authentication/JwtAccessTokenAuthenticationProvider.java

@@ -22,7 +22,7 @@
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
-import org.springframework.security.oauth2.core.ClaimAccessorAuthoritiesExtractor;
+import org.springframework.security.oauth2.core.AuthoritiesExtractor;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.JwtException;
@@ -50,7 +50,7 @@ public class JwtAccessTokenAuthenticationProvider implements AuthenticationProvi
 	private final JwtDecoder jwtDecoder;
 	private final JwtAccessTokenVerifier jwtVerifier;
 
-	private ClaimAccessorAuthoritiesExtractor authoritiesExtractor = (jwt) -> Collections.emptyList();
+	private AuthoritiesExtractor authoritiesExtractor = (authentication) -> Collections.emptyList();
 
 	public JwtAccessTokenAuthenticationProvider(JwtDecoder jwtDecoder) {
 		this(jwtDecoder, new JwtAccessTokenVerifier());
@@ -86,7 +86,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		this.jwtVerifier.verify(jwt);
 
 		Collection<? extends GrantedAuthority> authorities =
-				this.authoritiesExtractor.extractAuthorities(jwt);
+				this.authoritiesExtractor.extractAuthorities(new JwtAccessTokenAuthenticationToken(jwt));
 
 		JwtAccessTokenAuthenticationToken token =
 				new JwtAccessTokenAuthenticationToken(jwt, authorities);
@@ -103,7 +103,7 @@ public boolean supports(Class<?> authentication) {
 		return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
 	}
 
-	public void setAuthoritiesExtractor(ClaimAccessorAuthoritiesExtractor authoritiesExtractor) {
+	public void setAuthoritiesExtractor(AuthoritiesExtractor authoritiesExtractor) {
 		Assert.notNull(authoritiesExtractor, "authoritiesExtractor cannot be null");
 		this.authoritiesExtractor = authoritiesExtractor;
 	}

samples/boot/oauth2/resource-server/keycloak-with-client/spring-security-oauth2-resource-server-keycloak-with-client.gradle

@@ -18,9 +18,9 @@ dependencies {
 	compile 'org.springframework.boot:spring-boot-starter-thymeleaf'
 	compile 'org.springframework.boot:spring-boot-starter-web'
 
-	compile "org.springframework.security:spring-security-oauth2-client:$version"
-	compile "org.springframework.security:spring-security-oauth2-core:$version"
-	compile "org.springframework.security:spring-security-oauth2-jose:$version"
+	compile "org.springframework.security:spring-security-oauth2-client:5.1.0.M1"
+	compile "org.springframework.security:spring-security-oauth2-core:5.1.0.M1"
+	compile "org.springframework.security:spring-security-oauth2-jose:5.1.0.M1"
 
 	testCompile 'commons-io:commons-io'
 	testCompile 'org.springframework.boot:spring-boot-starter-test'

samples/boot/oauth2/resource-server/keycloak-with-client/src/main/java/sample/KeycloakApplication.java

@@ -59,9 +59,9 @@ KeycloakLogoutHandler keycloakLogoutHandler() {
 	}
 
 	@Bean
-	KeycloakClaimAccessorAuthoritiesExtractor keycloakOAuth2TokenAuthoritiesExtractor() {
-		KeycloakClaimAccessorAuthoritiesExtractor extractor =
-				new KeycloakClaimAccessorAuthoritiesExtractor();
+	KeycloakAuthoritiesExtractor keycloakOAuth2TokenAuthoritiesExtractor() {
+		KeycloakAuthoritiesExtractor extractor =
+				new KeycloakAuthoritiesExtractor();
 
 		extractor.setAuthoritiesMapper(authoritiesMapper());
 

samples/boot/oauth2/resource-server/keycloak-with-client/src/main/java/sample/KeycloakClaimAccessorAuthoritiesExtractor.java → samples/boot/oauth2/resource-server/keycloak-with-client/src/main/java/sample/KeycloakAuthoritiesExtractor.java

@@ -16,11 +16,12 @@
 
 package sample;
 
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
-import org.springframework.security.oauth2.core.ClaimAccessor;
-import org.springframework.security.oauth2.core.ClaimAccessorAuthoritiesExtractor;
+import org.springframework.security.oauth2.core.AuthoritiesExtractor;
+import org.springframework.security.oauth2.resourceserver.authentication.AbstractOAuth2AccessTokenAuthenticationToken;
 import org.springframework.util.Assert;
 
 import java.util.Collection;
@@ -33,23 +34,30 @@
 /**
  * @author Josh Cummings
  */
-public class KeycloakClaimAccessorAuthoritiesExtractor implements ClaimAccessorAuthoritiesExtractor {
+public class KeycloakAuthoritiesExtractor implements AuthoritiesExtractor {
 
 	private GrantedAuthoritiesMapper authoritiesMapper = authorities -> authorities;
 
 	@Override
-	public Collection<? extends GrantedAuthority> extractAuthorities(ClaimAccessor accessor) {
-		Collection<? extends GrantedAuthority> authorities =
-				Optional.ofNullable(
-								(Map<String, Object>) accessor.getClaims().get("realm_access"))
-						.map(realmAccess ->
-								(List<String>) realmAccess.get("roles"))
-						.orElse(Collections.emptyList())
-						.stream()
-						.map(SimpleGrantedAuthority::new)
-						.collect(Collectors.toList());
-
-		return this.authoritiesMapper.mapAuthorities(authorities);
+	public Collection<? extends GrantedAuthority> extractAuthorities(Authentication authentication) {
+		if ( authentication instanceof AbstractOAuth2AccessTokenAuthenticationToken ) {
+			Map<String, Object> attributes =
+					((AbstractOAuth2AccessTokenAuthenticationToken) authentication).getTokenAttributes();
+
+			Collection<? extends GrantedAuthority> authorities =
+					Optional.ofNullable(
+									(Map<String, Object>) attributes.get("realm_access"))
+							.map(realmAccess ->
+									(List<String>) realmAccess.get("roles"))
+							.orElse(Collections.emptyList())
+							.stream()
+							.map(SimpleGrantedAuthority::new)
+							.collect(Collectors.toList());
+
+			return this.authoritiesMapper.mapAuthorities(authorities);
+		}
+
+		return Collections.emptyList();
 	}
 
 	public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) {