mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-09 11:53:30 +00:00
Update oauth2Login sample doc -> user authority mapping
Fixes gh-4373
This commit is contained in:
parent
c42b9a68b1
commit
67f80dfadc
@ -343,6 +343,73 @@ Click through on the Okta link and you'll be redirected to Okta for authenticati
|
|||||||
After you authenticate using your Okta credentials, the OAuth Client (application) will retrieve your email address and basic profile information from the http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[*UserInfo Endpoint*]
|
After you authenticate using your Okta credentials, the OAuth Client (application) will retrieve your email address and basic profile information from the http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[*UserInfo Endpoint*]
|
||||||
and establish an _authenticated session_. The home page will then be displayed showing the user attributes retrieved from the UserInfo Endpoint, for example, name, email, profile, sub, etc.
|
and establish an _authenticated session_. The home page will then be displayed showing the user attributes retrieved from the UserInfo Endpoint, for example, name, email, profile, sub, etc.
|
||||||
|
|
||||||
|
[[user-authority-mapping]]
|
||||||
|
== Mapping User Authorities
|
||||||
|
|
||||||
|
After the user successfully authenticates with the _OAuth 2.0 Provider_, the `OAuth2User.getAuthorities()` may be re-mapped to a new set of `GrantedAuthority`(s), which is then supplied to the `OAuth2AuthenticationToken`.
|
||||||
|
The `GrantedAuthority`(s) associated to the `OAuth2AuthenticationToken` is then used for authorizing requests, such as, `hasRole('USER') or hasRole('ADMIN')`.
|
||||||
|
|
||||||
|
In order to implement custom user authority mapping, you need to provide an implementation of `GrantedAuthoritiesMapper` and configure it using `OAuth2LoginConfigurer`.
|
||||||
|
|
||||||
|
The following is a partial implementation of `GrantedAuthoritiesMapper` that maps an `OidcUserAuthority` or `OAuth2UserAuthority` to a set of `GrantedAuthority`(s):
|
||||||
|
|
||||||
|
[source,java]
|
||||||
|
----
|
||||||
|
public class CustomGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
|
||||||
|
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
|
||||||
|
|
||||||
|
for (GrantedAuthority authority : authorities) {
|
||||||
|
if (OidcUserAuthority.class.isInstance(authority)) {
|
||||||
|
OidcUserAuthority userAuthority = (OidcUserAuthority)authority;
|
||||||
|
|
||||||
|
IdToken idToken = userAuthority.getIdToken();
|
||||||
|
UserInfo userInfo = userAuthority.getUserInfo();
|
||||||
|
|
||||||
|
// TODO
|
||||||
|
// Map the claims found in IdToken and/or UserInfo
|
||||||
|
// to one or more GrantedAuthority's and add to mappedAuthorities
|
||||||
|
|
||||||
|
|
||||||
|
} else if (OAuth2UserAuthority.class.isInstance(authority)) {
|
||||||
|
OAuth2UserAuthority userAuthority = (OAuth2UserAuthority)authority;
|
||||||
|
|
||||||
|
Map<String, Object> userAttributes = userAuthority.getAttributes();
|
||||||
|
|
||||||
|
// TODO
|
||||||
|
// Map the attributes found in userAttributes
|
||||||
|
// to one or more GrantedAuthority's and add to mappedAuthorities
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return mappedAuthorities;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
----
|
||||||
|
|
||||||
|
The following _security configuration_ configures a custom `GrantedAuthoritiesMapper` for OAuth 2.0 Login:
|
||||||
|
|
||||||
|
[source,java]
|
||||||
|
----
|
||||||
|
@EnableWebSecurity
|
||||||
|
public class SecurityConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
http
|
||||||
|
.authorizeRequests()
|
||||||
|
.anyRequest().authenticated()
|
||||||
|
.and()
|
||||||
|
.oauth2Login()
|
||||||
|
.userAuthoritiesMapper(new CustomGrantedAuthoritiesMapper());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
----
|
||||||
|
|
||||||
[[oauth2-login-auto-configuration]]
|
[[oauth2-login-auto-configuration]]
|
||||||
== OAuth 2.0 Login auto-configuration
|
== OAuth 2.0 Login auto-configuration
|
||||||
|
|
||||||
|
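Review bot: `mapAuthorities` in the `CustomGrantedAuthoritiesMapper` sample returns a fresh `mappedAuthorities` set and never carries over the incoming `authority`, so a reader who leaves either `// TODO` branch empty ends up with an `OAuth2AuthenticationToken` that has no authorities at all, and every `hasRole('USER') or hasRole('ADMIN')` check described above will deny. Either say explicitly that the mapper replaces (rather than extends) the default authority set, or add the original authority in the branch (e.g. `mappedAuthorities.add(authority);`) before the claim-based ones. It would also help to state that the `GrantedAuthority`(s) derived from the `IdToken`, `UserInfo` or `userAttributes` are an authorization decision and should be built only from claims the provider asserts, not from attributes the end user can edit in their profile. Minor style point: `OidcUserAuthority.class.isInstance(authority)` followed by a cast reads more naturally as `authority instanceof OidcUserAuthority`, and the same applies to the `OAuth2UserAuthority` branch.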