JwtAuthenticationConverter should allow for configuring the principal claim #8186

Closed
jzheaux opened this issue Mar 24, 2020 · 2 comments · Fixed by #8318
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)

jzheaux (Contributor) commented Mar 24, 2020

Related to #6865 and #7834

It's quite common for authorization servers to use the sub claim to refer to an internal user id. An example of this is Amazon Cognito. As such, it can be useful to introduce a custom claim to refer to a user id that resource servers will understand.

Configuring Resource Server to use a custom principal claim name currently looks like:

import java.util.Collection;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@EnableWebSecurity
public class CustomPrincipalClaimName extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    .jwtAuthenticationConverter(jwtAuthenticationConverter())
                )
            );
    }

    // Authorities are derived the usual way (scope / scp claims); only the
    // principal name is taken from the custom "user_id" claim instead of "sub".
    Converter<Jwt, JwtAuthenticationToken> jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authoritiesConverter =
                new JwtGrantedAuthoritiesConverter();
        return jwt -> {
            Collection<GrantedAuthority> authorities = authoritiesConverter.convert(jwt);
            String name = jwt.getClaim("user_id");
            return new JwtAuthenticationToken(jwt, authorities, name);
        };
    }
}

By introducing something like setPrincipalClaimName, it could become:

// .. configure method as before

JwtAuthenticationConverter jwtAuthenticationConverter() {
    JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
    converter.setPrincipalClaimName("user_id");
    return converter;
}
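The shape proposed above is what shipped as `JwtAuthenticationConverter.setPrincipalClaimName` in Spring Security 5.4. The following is an added example, not code from the issue or from the Spring Security project, that shows that API next to a hand-written converter which rejects a token whose principal claim is missing instead of producing an `Authentication` with a null name (the built-in converter simply returns whatever `getClaimAsString` yields). The class and method names (`PrincipalClaimExample`, `builtInConverter`, `strictConverter`), the use of `InvalidBearerTokenException` as the rejection, and the sample claims are my assumptions; the tokens are constructed with the `Jwt` builder, which performs no signature verification, so they stand in for tokens a `JwtDecoder` has already validated.

```java
import java.util.Collection;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

// Added example (assumed names); requires spring-security-oauth2-resource-server 5.4+.
public class PrincipalClaimExample {

    // The built-in converter as of Spring Security 5.4: the principal name is
    // read from "user_id"; authorities still come from scope/scp.
    static JwtAuthenticationConverter builtInConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setPrincipalClaimName("user_id");
        return converter;
    }

    // Hypothetical stricter variant: a token without the configured claim is
    // rejected with an AuthenticationException (InvalidBearerTokenException),
    // which the resource server turns into a 401 rather than a principal
    // whose getName() is null.
    static Converter<Jwt, AbstractAuthenticationToken> strictConverter(String claimName) {
        JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();
        return jwt -> {
            String name = jwt.getClaimAsString(claimName);
            if (name == null || name.isEmpty()) {
                throw new InvalidBearerTokenException("missing required claim: " + claimName);
            }
            Collection<GrantedAuthority> authorities = authoritiesConverter.convert(jwt);
            return new JwtAuthenticationToken(jwt, authorities, name);
        };
    }

    public static void main(String[] args) {
        // Constructed sample token: an opaque internal id in "sub", the
        // resource-server-facing id in "user_id".
        Jwt withUserId = Jwt.withTokenValue("constructed-token-1")
                .header("alg", "none")
                .claim("sub", "a1b2c3-internal-id")
                .claim("user_id", "alice")
                .claim("scope", "read")
                .build();
        // Both converters name the principal after the "user_id" claim.
        System.out.println("built-in: " + builtInConverter().convert(withUserId).getName());
        System.out.println("strict:   " + strictConverter("user_id").convert(withUserId).getName());

        // Constructed sample token that carries only "sub".
        Jwt withoutUserId = Jwt.withTokenValue("constructed-token-2")
                .header("alg", "none")
                .claim("sub", "d4e5f6-internal-id")
                .build();
        // The built-in converter yields an Authentication with a null name;
        // the strict converter refuses the token.
        System.out.println("built-in: " + builtInConverter().convert(withoutUserId).getName());
        try {
            strictConverter("user_id").convert(withoutUserId);
        } catch (InvalidBearerTokenException e) {
            System.out.println("strict:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Either converter plugs into the configuration from the issue via `.jwt(jwt -> jwt.jwtAuthenticationConverter(...))`. The strict variant matters when downstream code keys authorization or audit records on `Authentication.getName()`: a null name there is easy to miss in testing and hard to reason about in logs, so it is safer to fail the request at conversion time.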
@jzheaux jzheaux added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: first-timers-only An issue that can only be worked on by brand new contributors labels Mar 24, 2020
@jzheaux jzheaux self-assigned this Mar 24, 2020
evgeniycheban (Contributor) commented:

Can I work on this issue?

jzheaux (Contributor, Author) commented Apr 1, 2020

It's yours, @evgeniycheban! Feel free to ask any questions here on the ticket.

@jzheaux jzheaux removed the status: first-timers-only An issue that can only be worked on by brand new contributors label Apr 1, 2020
evgeniycheban added a commit to evgeniycheban/spring-security that referenced this issue Apr 7, 2020
@jzheaux jzheaux added this to the 5.4.0-M1 milestone Aug 5, 2020