Grant Individual Authorities From Claims #7351
Conversation
| new OidcUserAuthority(userRequest.getIdToken(), userInfo)); | ||
| Set<GrantedAuthority> authorities = new LinkedHashSet<>(); | ||
| authorities.add(new OidcUserAuthority(userRequest.getIdToken(), userInfo)); | ||
| authorities.addAll(oauth2UserAuthorities); |
There was a problem hiding this comment.
This doesn't seem right as authorities will now contain OAuth2UserAuthority and OidcUserAuthority instances - it should only contain OidcUserAuthority. Please add a test to enforce this.
There was a problem hiding this comment.
The tests already enforce this -- see that they check the size of the returned authorities as well as the types and ordering of the elements.
Because of the DefaultOAuth2User#sortAuthorities method, the duplicate is eliminated.
Is there anything additional you'd like to see to handle this?
| Set<GrantedAuthority> authorities = new LinkedHashSet<>(); | ||
| authorities.add(new OAuth2UserAuthority(userAttributes)); | ||
| for (String authority : getAuthorities(() -> userAttributes)) { | ||
| authorities.add(new SimpleGrantedAuthority("SCOPE_" + authority)); |
There was a problem hiding this comment.
I don't think the logic from JwtGrantedAuthoritiesConverter should be replicated here. I believe the additional default authorities can be simplified like this:
Current authority: OAuth2UserAuthority -> ROLE_USER
Additional authorities: OAuth2UserRequest.OAuth2AccessToken.scopes e.g. SCOPE_profile, SCOPE_email
** The assumption is that OAuth2UserRequest.OAuth2AccessToken.scopes contains profile and email, meaning the user authorized the client to access those scopes during the authorization approval step. NOTE: These scopes would be initially configured with the ClientRegistration.scopes.
jzheaux
added
in: oauth2
Fixes gh-7339