Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-09 11:53:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update oauth2Login sample doc -> user authority mapping

Browse Source 
Fixes gh-4373
This commit is contained in:
Joe Grandja 2017-07-12 17:19:30 -04:00
parent c42b9a68b1
commit 67f80dfadc
1 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
samples/boot/oauth2login/README.adoc
View File

@ -343,6 +343,73 @@ Click through on the Okta link and you'll be redirected to Okta for authenticati
After you authenticate using your Okta credentials, the OAuth Client (application) will retrieve your email address and basic profile information from the http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[*UserInfo Endpoint*] After you authenticate using your Okta credentials, the OAuth Client (application) will retrieve your email address and basic profile information from the http://openid.net/specs/openid-connect-core-1_0.html#UserInfo[*UserInfo Endpoint*]
and establish an _authenticated session_. The home page will then be displayed showing the user attributes retrieved from the UserInfo Endpoint, for example, name, email, profile, sub, etc. and establish an _authenticated session_. The home page will then be displayed showing the user attributes retrieved from the UserInfo Endpoint, for example, name, email, profile, sub, etc.
[[user-authority-mapping]]
== Mapping User Authorities
After the user successfully authenticates with the _OAuth 2.0 Provider_, the `OAuth2User.getAuthorities()` may be re-mapped to a new set of `GrantedAuthority`(s), which is then supplied to the `OAuth2AuthenticationToken`.
The `GrantedAuthority`(s) associated to the `OAuth2AuthenticationToken` is then used for authorizing requests, such as, `hasRole('USER') or hasRole('ADMIN')`.
In order to implement custom user authority mapping, you need to provide an implementation of `GrantedAuthoritiesMapper` and configure it using `OAuth2LoginConfigurer`.
The following is a partial implementation of `GrantedAuthoritiesMapper` that maps an `OidcUserAuthority` or `OAuth2UserAuthority` to a set of `GrantedAuthority`(s):
[source,java]
----
public class CustomGrantedAuthoritiesMapper implements GrantedAuthoritiesMapper {
@Override
public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
for (GrantedAuthority authority : authorities) {
if (OidcUserAuthority.class.isInstance(authority)) {
OidcUserAuthority userAuthority = (OidcUserAuthority)authority;
IdToken idToken = userAuthority.getIdToken();
UserInfo userInfo = userAuthority.getUserInfo();
// TODO
// Map the claims found in IdToken and/or UserInfo
// to one or more GrantedAuthority's and add to mappedAuthorities
} else if (OAuth2UserAuthority.class.isInstance(authority)) {
OAuth2UserAuthority userAuthority = (OAuth2UserAuthority)authority;
Map<String, Object> userAttributes = userAuthority.getAttributes();
// TODO
// Map the attributes found in userAttributes
// to one or more GrantedAuthority's and add to mappedAuthorities
}
}
return mappedAuthorities;
}
}
----
The following _security configuration_ configures a custom `GrantedAuthoritiesMapper` for OAuth 2.0 Login:
[source,java]
----
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.oauth2Login()
.userAuthoritiesMapper(new CustomGrantedAuthoritiesMapper());
}
}
----
[[oauth2-login-auto-configuration]] [[oauth2-login-auto-configuration]]
== OAuth 2.0 Login auto-configuration == OAuth 2.0 Login auto-configuration