
Dedicated API for extracting roles from Oidc User flow #5349


Open
jzheaux opened this issue May 15, 2018 · 2 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement

Comments

@jzheaux
Contributor

jzheaux commented May 15, 2018

Summary

Today, in order to extract Spring Security roles from custom role representations in the Oidc User flow, code needs to fall back to implementing an OAuth2UserService:

```java
public class MyRoleExtractingOidcUserService implements OAuth2UserService<OidcUserRequest, OidcUser> {
    private final OidcUserService delegate;

    // ...

    public OidcUser loadUser(OidcUserRequest request) {
        OidcUser user = delegate.loadUser(request);

        // extract authorities using request and user objects
        Collection<? extends GrantedAuthority> authorities = ...;

        return new DefaultOidcUser(authorities, ...);
    }
}
```

This follows from the reference documentation [1].

Would be nice to have a dedicated authorities extractor:

```java
interface OAuth2UserAuthoritiesExtractor<R extends OAuth2UserRequest, U extends OAuth2User> {
    Collection<? extends GrantedAuthority> extractAuthorities(R request, U user);
}
```

[1] - https://docs.spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/#oauth2login-advanced-map-authorities-oauth2userservice

Additional Info

This is born out of some observations from @thomasdarimont in an OAuth GitHub sample.
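A fuller version of the delegating service sketched in the issue, added here as an example (not code from the issue or from Spring Security): it reads a custom roles claim from the already-validated ID token / userinfo and maps it onto authorities through an allow-list, so an arbitrary claim value from the IdP can never become an arbitrary internal authority. The claim name `roles`, the class name and the entries in `ROLE_MAP` are assumptions.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

public class RoleMappingOidcUserService implements OAuth2UserService<OidcUserRequest, OidcUser> {
    // Allow-list: only IdP role names listed here become application authorities.
    // Both the IdP names and the target authorities are constructed for this example.
    private static final Map<String, String> ROLE_MAP = Map.of(
            "admins", "ROLE_ADMIN",
            "staff", "ROLE_USER");

    private final OidcUserService delegate = new OidcUserService();

    @Override
    public OidcUser loadUser(OidcUserRequest request) {
        // The delegate has already validated the ID token (signature, issuer,
        // audience, expiry), so claims read from the returned user are trustworthy.
        OidcUser user = delegate.loadUser(request);

        Set<GrantedAuthority> authorities = new HashSet<>(user.getAuthorities());
        authorities.addAll(extractRoles(user));

        // Keep the original ID token and userinfo; only the authority set changes.
        return new DefaultOidcUser(authorities, user.getIdToken(), user.getUserInfo());
    }

    static Collection<GrantedAuthority> extractRoles(OidcUser user) {
        Set<GrantedAuthority> mapped = new HashSet<>();
        Object claim = user.getClaims().get("roles"); // assumed claim name
        if (!(claim instanceof Collection)) {         // absent or malformed claim: no extra roles
            return mapped;
        }
        for (Object role : (Collection<?>) claim) {
            String authority = ROLE_MAP.get(String.valueOf(role));
            if (authority != null) {                   // unknown IdP roles are dropped, not trusted
                mapped.add(new SimpleGrantedAuthority(authority));
            }
        }
        return mapped;
    }
}
```

Register it with `http.oauth2Login().userInfoEndpoint().oidcUserService(new RoleMappingOidcUserService())`, which is the hook the reference documentation linked at [1] describes.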

@jzheaux jzheaux added New Feature in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels May 15, 2018
@jzheaux jzheaux added this to the 5.1.0.M2 milestone May 15, 2018
@jgrandja jgrandja removed this from the 5.1.0.M2 milestone Jul 24, 2018
@jgrandja jgrandja added this to the 5.2.x milestone Oct 19, 2018
@jgrandja jgrandja removed this from the 5.2.x milestone Apr 23, 2019
@rwinch rwinch added type: enhancement A general enhancement and removed New Feature labels May 3, 2019
@husam-e

husam-e commented May 13, 2022

Any updates on this? Noticed the okta lib does the same currently:
https://github.com/okta/okta-spring-boot/blob/master/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOidcUserService.java

where User objects are decorated by logic in their UserUtil through a list of AuthoritiesProviders, similar to the description above.

I'm currently working on integrating a different IdP and, after days of investigation/debugging, landed on this and came to the same conclusion as @jzheaux; it would be great to have this :).

If it already exists, can someone share details on it? #7339 doesn't seem to address this in particular.

@filiphr
Contributor

filiphr commented Sep 6, 2022

I created issue #11780, because we also need similar functionality. In there I've outlined what is happening now and the classes where this would need changing:

  • OAuth2LoginAuthenticationProvider
  • OAuth2LoginReactiveAuthenticationManager
  • OidcAuthorizationCodeAuthenticationProvider
  • OidcAuthorizationCodeReactiveAuthenticationManager

I did a small prototype (filiphr@7d4b3bf) which is slightly different than the one proposed in this issue. It would be good if the Spring Security team had a look at my proposal and let me know whether you think it would be an acceptable solution for this issue. If yes, I can go ahead and work on a proper PR with all the bells and whistles for a review.
