Extract Authorities from an OAuth2User #11780

Closed

filiphr opened this issue Sep 1, 2022 · 5 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: enhancement A general enhancement

Comments

filiphr (Contributor) commented Sep 1, 2022

Expected Behavior

Extract granted authorities from a given OAuth2User.

Current Behavior

Currently the OAuth2 support uses a GrantedAuthoritiesMapper which allows for expanding the granted authorities for OAuth2. This is done in:

  • OAuth2LoginAuthenticationProvider
  • OAuth2LoginReactiveAuthenticationManager
  • OidcAuthorizationCodeAuthenticationProvider
  • OidcAuthorizationCodeReactiveAuthenticationManager

Currently only the current granted authorities of the OAuth2User can be accessed. There is a way to access OAuth2UserAuthority, but that does not give information such as the name of the principal.

Context

We need this because we are providing some functionality that allows extracting various attributes from the OAuth context and remapping them to some specific granted authorities known for us. Recently we've had a request for integrating all of this with a specific identity provider. This means that Google is used as an OAuth provider, but the information that is available in the token is not enough and we need to fetch things such as group access from a different identity provider. In order to do that fetch we need the ID of the user.

I did a small prototype (filiphr@7d4b3bf) with the OAuth2LoginAuthenticationProvider by adding a new interface OAuth2GrantedAuthoritiesProvider that can be used to pass the OAuth2User to the provider. The naming and package location is TBD, we can make OAuth2GrantedAuthoritiesProvider be a generic with <T extends OAuth2User>, etc.

I would like to hear more whether a solution like this would be something that the team would be willing to look into if I provide a Pull Request.

@filiphr filiphr added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Sep 1, 2022
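To make the mechanism described above concrete, here is an added example (not code from the issue, from the prototype commit, or from Spring Security itself) of a GrantedAuthoritiesMapper wired into oauth2Login. It remaps group membership carried in the ID Token, UserInfo, or raw user attributes to application roles using an allow-list, so unknown groups never grant anything, and it illustrates the limitation the issue raises: the mapper receives only the authorities, never the OAuth2User, so the principal's name attribute is not known at that point. The `groups` claim name, the group-to-role table and the configuration class are constructed for the example; it assumes Spring Security 5.8/6.x on Java 17.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class GroupAuthoritiesConfig {

    // Constructed allow-list: identity-provider group name -> application role.
    // Groups not listed here are ignored, so the mapping fails closed.
    private static final Map<String, String> GROUP_TO_ROLE = Map.of(
            "platform-admins", "ROLE_ADMIN",
            "developers", "ROLE_DEVELOPER");

    // Hypothetical claim carrying group membership; real providers use different names.
    private static final String GROUPS_CLAIM = "groups";

    @Bean
    GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new LinkedHashSet<>();
            for (GrantedAuthority authority : authorities) {
                // Keep what Spring Security already derived (OIDC_USER / OAUTH2_USER, SCOPE_*).
                mapped.add(authority);
                if (authority instanceof OidcUserAuthority) {
                    // OIDC login: claims come from the ID Token and, when fetched, UserInfo.
                    OidcUserAuthority oidc = (OidcUserAuthority) authority;
                    mapped.addAll(rolesFromGroups(oidc.getIdToken().getClaims().get(GROUPS_CLAIM)));
                    if (oidc.getUserInfo() != null) {
                        mapped.addAll(rolesFromGroups(oidc.getUserInfo().getClaims().get(GROUPS_CLAIM)));
                    }
                } else if (authority instanceof OAuth2UserAuthority) {
                    // Plain OAuth2 login: only the raw user-info attributes are reachable here.
                    // The mapper is never handed the OAuth2User, so which attribute names the
                    // principal is unknown at this point (the gap the issue describes).
                    OAuth2UserAuthority oauth2 = (OAuth2UserAuthority) authority;
                    mapped.addAll(rolesFromGroups(oauth2.getAttributes().get(GROUPS_CLAIM)));
                }
            }
            return mapped;
        };
    }

    // Translate a claim value (expected to be a collection of group names) into roles,
    // accepting only groups present in the allow-list.
    private static Collection<GrantedAuthority> rolesFromGroups(Object groups) {
        Set<GrantedAuthority> roles = new LinkedHashSet<>();
        if (groups instanceof Collection<?>) {
            for (Object name : (Collection<?>) groups) {
                String role = GROUP_TO_ROLE.get(String.valueOf(name));
                if (role != null) {
                    roles.add(new SimpleGrantedAuthority(role));
                }
            }
        }
        return roles;
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, GrantedAuthoritiesMapper mapper)
            throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2Login(oauth2 -> oauth2
                .userInfoEndpoint(userInfo -> userInfo.userAuthoritiesMapper(mapper)));
        return http.build();
    }
}
```

The mapper is applied by the four providers and managers listed above once the user has been loaded, which is why it can read attributes off OidcUserAuthority or OAuth2UserAuthority but cannot ask the OAuth2User for its name; any lookup against a second identity provider that needs the user's ID, as described in the issue, has no supported hook here without a change along the lines proposed.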
filiphr (Contributor, Author) commented Sep 1, 2022

I realize now that this is a bit similar to #5349, minus the use of the request.

@marcusdacoregio marcusdacoregio added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 1, 2022
sjohnr (Member) commented Sep 6, 2022

Thanks @filiphr. I think we can close this as a duplicate of gh-5349. I'll do that for now, let me know if you disagree.

@sjohnr sjohnr closed this as completed Sep 6, 2022
@sjohnr sjohnr added the status: duplicate A duplicate of another issue label Sep 6, 2022
filiphr (Contributor, Author) commented Sep 6, 2022

Yes indeed @sjohnr. Thanks for checking it. In any case I would like to ask you to let me know what you think about my proposed solution. If that solution is acceptable I can go ahead and implement it in a proper Pull Request with tests and everything.

sjohnr (Member) commented Sep 6, 2022

@filiphr, your solution looks slightly different than what was proposed in gh-5349. Having said that, I don't have complete context so it might be best to discuss on that issue prior to submitting a PR.

sjohnr (Member) commented Sep 6, 2022

Note: The scope of 5.8 and 6.0 is fairly dialed in at this point, so keep in mind that there could be some delay in considering the feature at the moment.

3 participants