diff --git a/samples/boot/oauth2login/README.adoc b/samples/boot/oauth2login/README.adoc
index f94ff12341..6fd0d739a0 100644
--- a/samples/boot/oauth2login/README.adoc
+++ b/samples/boot/oauth2login/README.adoc
@@ -343,6 +343,73 @@ Click through on the Okta link and you'll be redirected to Okta for authenticati After you authenticate using your Okta credentials, the OAuth Client (application) will retrieve your email address and basic profile information from the http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[*UserInfo Endpoint*] and establish an _authenticated session_. The home page will then be displayed showing the user attributes retrieved from the UserInfo Endpoint, for example, name, email, profile, sub, etc. +[[user-authority-mapping]] +== Mapping User Authorities + +After the user successfully authenticates with the _OAuth 2.0 Provider_, the `OAuth2User.getAuthorities()` may be re-mapped to a new set of `GrantedAuthority`(s), which is then supplied to the `OAuth2AuthenticationToken`. +The `GrantedAuthority`(s) associated to the `OAuth2AuthenticationToken` is then used for authorizing requests, such as, `hasRole('USER') or hasRole('ADMIN')`. + +In order to implement custom user authority mapping, you need to provide an implementation of `GrantedAuthoritiesMapper` and configure it using `OAuth2LoginConfigurer`. 
+
+The following is a partial implementation of `GrantedAuthoritiesMapper` that maps an `OidcUserAuthority` or `OAuth2UserAuthority` to a set of `GrantedAuthority`(s):
+
+[source,java]
+----
+public class CustomGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {
+
+ @Override
+ public Collection mapAuthorities(Collection authorities) {
+ Set mappedAuthorities = new HashSet<>();
+
+ for (GrantedAuthority authority : authorities) {
+ if (OidcUserAuthority.class.isInstance(authority)) {
+ OidcUserAuthority userAuthority = (OidcUserAuthority)authority;
+
+ IdToken idToken = userAuthority.getIdToken();
+ UserInfo userInfo = userAuthority.getUserInfo();
+
+ // TODO
+ // Map the claims found in IdToken and/or UserInfo
+ // to one or more GrantedAuthority's and add to mappedAuthorities
+
+
+ } else if (OAuth2UserAuthority.class.isInstance(authority)) {
+ OAuth2UserAuthority userAuthority = (OAuth2UserAuthority)authority;
+
+ Map userAttributes = userAuthority.getAttributes();
+
+ // TODO
+ // Map the attributes found in userAttributes
+ // to one or more GrantedAuthority's and add to mappedAuthorities
+
+
+ }
+ }
+
+ return mappedAuthorities;
+ }
+}
+----
+
+The following _security configuration_ configures a custom `GrantedAuthoritiesMapper` for OAuth 2.0 Login:
+
+[source,java]
+----
+@EnableWebSecurity
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http
+ .authorizeRequests()
+ .anyRequest().authenticated()
+ .and()
+ .oauth2Login()
+ .userAuthoritiesMapper(new CustomGrantedAuthoritiesMapper());
+ }
+}
+----
+
 [[oauth2-login-auto-configuration]]
 == OAuth 2.0 Login auto-configuration