Customize mapping the OidcUser from OidcUserRequest and OidcUserInfo #14672

Closed
sjohnr opened this issue Mar 1, 2024 · 0 comments
Labels: in: oauth2 (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)), type: enhancement (A general enhancement)

sjohnr (Member) commented Mar 1, 2024

When logging a user in with OpenID Connect 1.0, there are cases where authority information is included in the access token returned by the IdP. Currently, the only way to map authorities to the user based on the access token is to use delegation with OidcUserService (docs) or OidcReactiveOAuth2UserService (docs). As mentioned in the docs, this is a more advanced option.

It would be nice to be able to directly customize the mapping of the OidcUser, with the added benefit of being able to map the authorities based on the access token without the need for delegation. For example:

```java
import java.util.HashSet;
import java.util.function.BiFunction;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

@Configuration
public class SecurityConfiguration {

	// ...

	@Bean
	public OidcUserService oidcUserService() {
		var userService = new OidcUserService();
		// Proposed hook: replace the default OidcUser mapping with a custom function
		userService.setOidcUserMapper(oidcUserMapper());
		return userService;
	}

	private static BiFunction<OidcUserRequest, OidcUserInfo, OidcUser> oidcUserMapper() {
		return (userRequest, userInfo) -> {
			var accessToken = userRequest.getAccessToken();
			var grantedAuthorities = new HashSet<GrantedAuthority>();
			// TODO: Map authorities from the access token
			var userNameAttributeName = "preferred_username";
			return new DefaultOidcUser(
				grantedAuthorities,
				userRequest.getIdToken(),
				userInfo,
				userNameAttributeName
			);
		};
	}

}
```

Related gh-12275
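As an added example (not code from the issue or from Spring Security itself), one way the proposed mapper could fill in the TODO above: it verifies the access token as a JWT against the client registration's JWK Set URI instead of parsing it unverified, and maps a `roles` claim to `ROLE_*` authorities alongside the token's scopes. The class name `AccessTokenRolesMapper`, the `roles` claim name and the per-URI decoder cache are assumptions, not part of the proposal.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiFunction;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Hypothetical mapper (not part of the issue) for the proposed setOidcUserMapper hook.
public final class AccessTokenRolesMapper implements BiFunction<OidcUserRequest, OidcUserInfo, OidcUser> {
	private static final String ROLES_CLAIM = "roles"; // assumed claim name; IdP-specific
	private final Map<String, JwtDecoder> decoders = new ConcurrentHashMap<>();

	@Override
	public OidcUser apply(OidcUserRequest userRequest, OidcUserInfo userInfo) {
		var accessToken = userRequest.getAccessToken();
		var authorities = new HashSet<GrantedAuthority>();
		// Scopes granted on the access token become SCOPE_* authorities
		for (String scope : accessToken.getScopes()) {
			authorities.add(new SimpleGrantedAuthority("SCOPE_" + scope));
		}
		// Only a JWT access token can carry claims; verify it against the provider's JWK Set
		String jwkSetUri = userRequest.getClientRegistration().getProviderDetails().getJwkSetUri();
		if (jwkSetUri != null) {
			try {
				// Decoder cached per JWK Set URI so keys are fetched once, not on every login
				JwtDecoder decoder = this.decoders.computeIfAbsent(jwkSetUri,
						uri -> NimbusJwtDecoder.withJwkSetUri(uri).build());
				Jwt jwt = decoder.decode(accessToken.getTokenValue());
				var roles = jwt.getClaimAsStringList(ROLES_CLAIM);
				if (roles != null) {
					roles.forEach(role -> authorities.add(new SimpleGrantedAuthority("ROLE_" + role)));
				}
			} catch (JwtException ex) {
				// Opaque or unverifiable access token: keep scope authorities only
			}
		}
		// "preferred_username" must be present in the ID token or UserInfo claims
		return new DefaultOidcUser(authorities, userRequest.getIdToken(), userInfo, "preferred_username");
	}
}
```

The decoder's default validation also rejects expired tokens, so a stale access token yields only the scope authorities rather than roles from an unverified payload.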

@sjohnr sjohnr added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Mar 1, 2024
@sjohnr sjohnr added this to the 6.3.0-M3 milestone Mar 1, 2024
@sjohnr sjohnr self-assigned this Mar 1, 2024
sjohnr added a commit to sjohnr/spring-security that referenced this issue Mar 1, 2024
@sjohnr sjohnr closed this as completed in e52dd81 Mar 7, 2024
sjohnr pushed a commit that referenced this issue Mar 7, 2024
Fix examples not copying userNameAttributeName

Issue gh-12275
Issue gh-12282
Issue gh-14672