Authorities Extraction #37
Comments
I'd prefer to make this a bit more generic. Accepting an Authentication and returning an Authentication would be ideal. This allows for more powerful transformations. We can always provide an abstract class that supports extracting the authorities only.
Yes, I like that. Actually, I had that originally, but was a bit worried about it being too generic. I'll play with that a bit more and see what comes out. Also, I experienced some heartburn over which Authentication to send in the case of something like JwtAccessTokenAuthenticationProvider. This works:

```java
public Authentication authenticate(Authentication auth) {
    // ... verify JWT, etc.
    Collection<? extends GrantedAuthority> authorities =
            this.authoritiesExtractor.extractAuthorities(new JwtAuthenticationToken(jwt));
    return new JwtAuthenticationToken(jwt, authorities);
}
```

But the above code feels a bit icky since I end up constructing an authentication for the sole purpose of calling extractAuthorities. Not really a problem, but an indication that maybe there is another way to look at it.
A need that has come up multiple times now is to extract the roles (or scopes) from an OAuth2 token in some custom way. This isn't authority mapping since we aren't taking a list of GrantedAuthorities and converting them into another list. So, this commit introduces the concept of authority extraction into the resource server. Issue: gh-37
This sample is an enhancement of a sample from Thomas Darimont to which I've simply added new Resource Server configuration. Also, I made an attempt at reducing some of the code necessary to extract authorities from the Keycloak token, but will need to do some more searching. Truthfully, I didn't test the OAuth Client piece just yet, just the resource server integration, but will. Issue: gh-37
Playing around with having the AuthoritiesExtractor take an Authentication instead of an AbstractOAuth2Token. Also, renamed to AuthoritiesExtractor since it is now a bit more generic. Issue: gh-37
Ah, I just reread your comment, and I missed that you prefer a contract that returns an Authentication as well. Will take a look.
There are myriad ways to represent authorities in OAuth2 that go beyond scope. We need a hook so code can transform any custom representation of roles in access tokens into Spring Security roles.