Dedicated API for extracting roles from Oidc User flow
Summary
Today, in order to extract Spring Security roles from custom role representations in the Oidc User flow, code needs to fall back to implementing an OAuth2UserService:
```java
public abstract class MyRoleExtractingOidcUserService implements OAuth2UserService<OidcUserRequest, OidcUser> {
    private final OidcUserService delegate;
    // ...
    @Override
    public OidcUser loadUser(OidcUserRequest request) {
        OidcUser user = delegate.loadUser(request);
        Collection<? extends GrantedAuthority> authorities = extractAuthorities(request, user);
        return new DefaultOidcUser(authorities, user.getIdToken(), user.getUserInfo());
    }

    // extract authorities using request and user objects
    protected abstract Collection<? extends GrantedAuthority> extractAuthorities(OidcUserRequest request, OidcUser user);
}
```
This follows from the reference documentation [1].
Would be nice to have a dedicated authorities extractor:
```java
interface OAuth2UserAuthoritiesExtractor<R extends OAuth2UserRequest, U extends OAuth2User> {
    Collection<? extends GrantedAuthority> extractAuthorities(R request, U user);
}
```
[1] - https://docs.spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/#oauth2login-advanced-map-authorities-oauth2userservice
Additional Info
This is born out of some observations from @thomasdarimont in an OAuth GitHub sample.
Any updates on this? Noticed the Okta lib does the same currently: https://github.com/okta/okta-spring-boot/blob/master/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOidcUserService.java where User objects are decorated by logic in their UserUtil through a list of AuthoritiesProviders, similar to the description above.
I'm currently working on integrating a different IdP and after days of investigation/debugging landed on this and came to the same conclusion as @jzheaux, would be great to have this :).
If it already exists, can someone share details on it? #7339 doesn't seem to address this in particular.
I created issue #11780, because we also need similar functionality. In there I've outlined what is happening now and the classes where this would need changing:
- OAuth2LoginAuthenticationProvider
- OAuth2LoginReactiveAuthenticationManager
- OidcAuthorizationCodeAuthenticationProvider
- OidcAuthorizationCodeReactiveAuthenticationManager
I did a small prototype (https://github.com/filiphr/spring-security/commit/7d4b3bf9f7a3ce084071da8fc904a21cae79ef58) which is slightly different than the one proposed in this issue. It would be good if the Spring Security team has a look at my proposal and lets me know whether you think that it would be an acceptable solution for this issue. If yes, I can go ahead and work on a proper PR with all the bells and whistles for a review.