Update oauth2Login sample doc -> user authority mapping
Fixes gh-4373
This commit is contained in:
parent
c42b9a68b1
commit
67f80dfadc
@ -343,6 +343,73 @@ Click through on the Okta link and you'll be redirected to Okta for authenticati
|
|||
After you authenticate using your Okta credentials, the OAuth Client (application) will retrieve your email address and basic profile information from the http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[*UserInfo Endpoint*]
|
||||
and establish an _authenticated session_. The home page will then be displayed showing the user attributes retrieved from the UserInfo Endpoint, for example, name, email, profile, sub, etc.
|
||||
|
||||
[[user-authority-mapping]]
|
||||
== Mapping User Authorities
|
||||
|
||||
After the user successfully authenticates with the _OAuth 2.0 Provider_, the `OAuth2User.getAuthorities()` may be re-mapped to a new set of `GrantedAuthority`(s), which is then supplied to the `OAuth2AuthenticationToken`.
|
||||
The `GrantedAuthority`(s) associated to the `OAuth2AuthenticationToken` is then used for authorizing requests, such as, `hasRole('USER') or hasRole('ADMIN')`.
|
||||
|
||||
In order to implement custom user authority mapping, you need to provide an implementation of `GrantedAuthoritiesMapper` and configure it using `OAuth2LoginConfigurer`.
|
||||
|
||||
The following is a partial implementation of `GrantedAuthoritiesMapper` that maps an `OidcUserAuthority` or `OAuth2UserAuthority` to a set of `GrantedAuthority`(s):
|
||||
|
||||
[source,java]
|
||||
----
|
||||
public class CustomGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {
|
||||
|
||||
@Override
|
||||
public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
|
||||
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
|
||||
|
||||
for (GrantedAuthority authority : authorities) {
|
||||
if (OidcUserAuthority.class.isInstance(authority)) {
|
||||
OidcUserAuthority userAuthority = (OidcUserAuthority)authority;
|
||||
|
||||
IdToken idToken = userAuthority.getIdToken();
|
||||
UserInfo userInfo = userAuthority.getUserInfo();
|
||||
|
||||
// TODO
|
||||
// Map the claims found in IdToken and/or UserInfo
|
||||
// to one or more GrantedAuthority's and add to mappedAuthorities
|
||||
|
||||
|
||||
} else if (OAuth2UserAuthority.class.isInstance(authority)) {
|
||||
OAuth2UserAuthority userAuthority = (OAuth2UserAuthority)authority;
|
||||
|
||||
Map<String, Object> userAttributes = userAuthority.getAttributes();
|
||||
|
||||
// TODO
|
||||
// Map the attributes found in userAttributes
|
||||
// to one or more GrantedAuthority's and add to mappedAuthorities
|
||||
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
return mappedAuthorities;
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
The following _security configuration_ configures a custom `GrantedAuthoritiesMapper` for OAuth 2.0 Login:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@EnableWebSecurity
|
||||
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeRequests()
|
||||
.anyRequest().authenticated()
|
||||
.and()
|
||||
.oauth2Login()
|
||||
.userAuthoritiesMapper(new CustomGrantedAuthoritiesMapper());
|
||||
}
|
||||
}
|
||||
----
|
||||
|
||||
[[oauth2-login-auto-configuration]]
|
||||
== OAuth 2.0 Login auto-configuration
|
||||
|
||||
|