From 96ae0fe8f80abbde8003e072522ff255f0136d8f Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Wed, 12 Jul 2017 11:38:31 -0400
Subject: [PATCH] Expose configuration for authorities mapping

Fixes gh-4409
---
 ...zationCodeAuthenticationFilterConfigurer.java | 16 +++++++++++++---
 .../oauth2/client/OAuth2LoginConfigurer.java | 7 +++++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/AuthorizationCodeAuthenticationFilterConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/AuthorizationCodeAuthenticationFilterConfigurer.java
index 386f47d87d..83505b09b9 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/AuthorizationCodeAuthenticationFilterConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/AuthorizationCodeAuthenticationFilterConfigurer.java
@@ -17,20 +17,21 @@ package org.springframework.security.config.annotation.web.configurers.oauth2.cl
 
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer;
+import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.jwt.JwtDecoder;
 import org.springframework.security.jwt.nimbus.NimbusJwtDecoderJwkSupport;
 import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProcessingFilter;
 import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationProvider;
 import org.springframework.security.oauth2.client.authentication.AuthorizationCodeAuthenticationToken;
 import org.springframework.security.oauth2.client.authentication.AuthorizationGrantTokenExchanger;
+import org.springframework.security.oauth2.client.authentication.jwt.DefaultProviderJwtDecoderRegistry;
+import org.springframework.security.oauth2.client.authentication.jwt.ProviderJwtDecoderRegistry;
 import org.springframework.security.oauth2.client.authentication.nimbus.NimbusAuthorizationCodeTokenExchanger;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.user.OAuth2UserService;
 import org.springframework.security.oauth2.client.user.nimbus.NimbusOAuth2UserService;
-import org.springframework.security.oauth2.client.authentication.jwt.DefaultProviderJwtDecoderRegistry;
 import org.springframework.security.oauth2.core.provider.DefaultProviderMetadata;
-import org.springframework.security.oauth2.client.authentication.jwt.ProviderJwtDecoderRegistry;
 import org.springframework.security.oauth2.core.provider.ProviderMetadata;
 import
org.springframework.security.oauth2.core.user.OAuth2User; import org.springframework.security.web.util.matcher.RequestMatcher; @@ -54,7 +55,7 @@ final class AuthorizationCodeAuthenticationFilterConfigurer> customUserTypes = new HashMap<>(); private Map userNameAttributeNames = new HashMap<>(); - + private GrantedAuthoritiesMapper userAuthoritiesMapper; AuthorizationCodeAuthenticationFilterConfigurer() { super(new AuthorizationCodeAuthenticationProcessingFilter(), null); @@ -95,6 +96,12 @@ final class AuthorizationCodeAuthenticationFilterConfigurer userAuthoritiesMapper(GrantedAuthoritiesMapper userAuthoritiesMapper) { + Assert.notNull(userAuthoritiesMapper, "userAuthoritiesMapper cannot be null"); + this.userAuthoritiesMapper = userAuthoritiesMapper; + return this; + } + String getLoginUrl() { return super.getLoginPage(); } @@ -107,6 +114,9 @@ final class AuthorizationCodeAuthenticationFilterConfigurer> exten return this; } + public OAuth2LoginConfigurer userAuthoritiesMapper(GrantedAuthoritiesMapper userAuthoritiesMapper) { + Assert.notNull(userAuthoritiesMapper, "userAuthoritiesMapper cannot be null"); + this.authorizationCodeAuthenticationFilterConfigurer.userAuthoritiesMapper(userAuthoritiesMapper); + return this; + } + public UserInfoEndpointConfig userInfoEndpoint() { return this.userInfoEndpointConfig; }
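Review bot: The `userAuthoritiesMapper(GrantedAuthoritiesMapper)` setter added in the `@@ -95,6 +96,12 @@` hunk, and the public `OAuth2LoginConfigurer.userAuthoritiesMapper(...)` added in the last hunk, have no Javadoc, although the mapper decides which authorities a user authenticated by an external provider ends up holding in the application. I would add a Javadoc to the public method along the lines of `Sets the GrantedAuthoritiesMapper applied to the authorities of the authenticated OAuth2 user; must not be null`, and state what is granted when no mapper is configured. The text of the `@@ -107,6 +114,9 @@` hunk is garbled on this page, so where the field is read, and whether the null default is guarded there, should be confirmed before the default is documented. As a smaller style point, `Assert.notNull(userAuthoritiesMapper, ...)` in `OAuth2LoginConfigurer` is repeated by the delegate it calls on the next line, so one of the two checks is enough. Both methods sit in classes whose declarations lie outside the visible hunks.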