SECAUTH-1483

spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java

@@ -41,14 +41,18 @@ public AbstractAuthenticationToken convert(Jwt jwt) {
 	}
 
 	protected Collection<GrantedAuthority> localScopeAuthorities(Jwt jwt) {
-		Collection<GrantedAuthority> localScopeAuthorities = new ArrayList<>();
 		Collection<String> scopes = jwt.getClaimAsStringList(TokenClaims.XSUAA.SCOPES);
 		if (scopes == null) {
 			return Collections.emptySet();
 		}
+		return localScopeAuthorities(jwt, scopes);
+	}
+
+	protected Collection<GrantedAuthority> localScopeAuthorities(Jwt jwt, Collection<String> scopes) {
+		Collection<GrantedAuthority> localScopeAuthorities = new ArrayList<>();
 		for (String scope : scopes) {
 			if (scope.startsWith(appId + ".")) {
-				localScopeAuthorities.add(new SimpleGrantedAuthority(scope.replaceFirst(appId + ".", "")));
+				localScopeAuthorities.add(new SimpleGrantedAuthority(scope.substring(appId.length() + 1)));
 			}
 		}
 		return localScopeAuthorities;

spring-security/src/test/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverterTest.java

@@ -19,7 +19,7 @@
 import static com.sap.cloud.security.config.Service.XSUAA;
 import static org.junit.jupiter.api.Assertions.*;
 
-class XsuaaTokenAuthenticationConverterTest {
+class XsuaaTokenAuthorizationConverterTest {
 	String xsAppName = "my-app-name!400";
 	JwtGenerator jwtGenerator = JwtGenerator.getInstance(XSUAA, "theClientId").withAppId(xsAppName);
 	XsuaaTokenAuthorizationConverter cut = new XsuaaTokenAuthorizationConverter(xsAppName);

spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/LocalAuthoritiesExtractor.java

@@ -43,7 +43,7 @@ protected Set<String> getScopes(XsuaaToken jwt, String appId) {
 		}
 		return scopes.stream()
 				.filter(scope -> scope.startsWith(appId + "."))
-				.map(scope -> scope.replaceFirst(appId + ".", ""))
+				.map(scope -> scope.substring(appId.length() + 1))
 				.collect(Collectors.toSet());
 	}
 

spring-xsuaa/src/test/java/com/sap/cloud/security/xsuaa/token/TokenAuthenticationConverterTest.java

@@ -14,6 +14,7 @@
 import java.util.HashSet;
 import java.util.Set;
 
+import com.sap.cloud.security.xsuaa.extractor.LocalAuthoritiesExtractor;
 import org.junit.Before;
 import org.junit.Test;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
@@ -106,6 +107,21 @@ public void authoritiesHaveLocalScopesWithoutAppIdPrefix() {
 		assertThat(authenticationToken.getAuthorities(), hasItem(new SimpleGrantedAuthority("Read")));
 	}
 
+	@Test
+	public void checkFollowingInstanceScope() {
+		String scopeWithClientId = "7cf2e319-3a7d-4f99-8207-afdc8e8e6d64!b123|trustedclientid!b333.API_OVERVIEW";
+
+		Jwt jwt = new JwtGenerator("sb-7cf2e319-3a7d-4f99-8207-afdc8e8e6d64!b123|trustedclientid!b333")
+				.addScopes(xsAppName + "." + scopeAdmin, scopeRead, scopeWithClientId)
+				.getToken();
+		TokenAuthenticationConverter converter = new TokenAuthenticationConverter(
+				new MyFollowingInstanceAuthoritiesExtractor());
+
+		assertThat(converter.convert(jwt).getAuthorities().size(), is(1));
+		assertThat(converter.convert(jwt).getAuthorities(), hasItem(new SimpleGrantedAuthority("API_OVERVIEW")));
+
+	}
+
 	private static class MyAuthoritiesExtractor implements AuthoritiesExtractor {
 		private String[] xsUserAttributes;
 		private AuthoritiesExtractor authoritiesExtractor;
@@ -141,4 +157,18 @@ private static String getSidForAttributeValue(String attributeName, String attri
 		}
 
 	}
+
+	private static class MyFollowingInstanceAuthoritiesExtractor implements AuthoritiesExtractor {
+
+		@Override
+		public Collection<GrantedAuthority> getAuthorities(XsuaaToken token) {
+			String appId = "";
+			if (token.getClientId().startsWith("sb-")) {
+				appId = token.getClientId().replaceFirst("sb-", "");
+			}
+			AuthoritiesExtractor authoritiesExtractor = new LocalAuthoritiesExtractor(appId);
+			return authoritiesExtractor.getAuthorities(token);
+		}
+
+	}
 }