bcarun / spring-oauth2-keycloak-connector

A detailed example connecting to Keycloak (OpenID Compliant Authentication and Authorization Server) using Spring OAuth2 OpenID Connector.
Apache License 2.0

JwtAccessTokenConverterConfigurer deprecated with spring boot version upgrade #3

Open ambaumann opened 4 years ago

ambaumann commented 4 years ago

No time for PR right now but maybe helpful to others viewing this repo as well.

Documentation: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2resourceserver-jwt-authorization-extraction

Example Project: https://github.com/encircle360/spring-boot-security-oauth2-keycloak-without-adapter Looks to be made by the same Patrick Hütter that replied on the reactions to the blog post. He implemented the more specific scopes that he discussed.

"Thanks for this article but I think there is one mistake. You’re extracting ALL roles to authorities instead of only extracting the roles that are contained in the resource scope. So if you are in employee service, you have to extract the roles under “employee-service” within “resource-access” in the JWT token. In your case it’s possible that a user can get rights to resources he isn’t allowed to if for example you have the same role name within two resource-access scopes. Or am I wrong?"

ambaumann commented 4 years ago

Also want to note the documentation that the dependencies will change: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#modules and https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide . Note the change from annotation-based resources to the Java DSL via "oauth2ResourceServer".
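The two comments above raise two things at once: the replacement for the deprecated `JwtAccessTokenConverter` is the `oauth2ResourceServer` DSL with a `JwtAuthenticationConverter`, and the authority mapping should read only the roles under `resource_access.<client-id>.roles` rather than every role in the token. The following is an added example written for this issue; it is not code from this repository, the linked project, or Spring Security. It assumes the resource server's Keycloak client id is `employee-service` (taken from the quoted reaction), the `ROLE_` prefix convention, the hypothetical package `example`, and the standard Keycloak claim layout (`realm_access.roles`, `resource_access.<client>.roles`). The sample claim set in `main` is constructed, not taken from a real token.

```java
package example; // hypothetical package name for this example

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Maps Keycloak client roles to Spring authorities for ONE client id.
 * Roles granted under realm_access or under another client's resource_access
 * entry are deliberately ignored, so a role name shared between two clients
 * cannot grant access to this resource server.
 */
public class KeycloakClientRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    private final String clientId;

    public KeycloakClientRoleConverter(String clientId) {
        this.clientId = clientId;
    }

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        return extractClientRoles(jwt.getClaims(), clientId).stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());
    }

    /** Pure helper: returns only resource_access.<clientId>.roles from a decoded claim set. */
    @SuppressWarnings("unchecked")
    static List<String> extractClientRoles(Map<String, Object> claims, String clientId) {
        Object resourceAccess = claims.get("resource_access");
        if (!(resourceAccess instanceof Map)) {
            return Collections.emptyList(); // token carries no client roles at all
        }
        Object client = ((Map<String, Object>) resourceAccess).get(clientId);
        if (!(client instanceof Map)) {
            return Collections.emptyList(); // no roles for THIS client: no authorities
        }
        Object roles = ((Map<String, Object>) client).get("roles");
        if (!(roles instanceof Collection)) {
            return Collections.emptyList();
        }
        return ((Collection<?>) roles).stream()
                .filter(String.class::isInstance) // drop anything that is not a role name
                .map(String.class::cast)
                .collect(Collectors.toList());
    }

    /** Constructed claim set (not a real token): the same role name under two clients. */
    public static void main(String[] args) {
        Map<String, Object> claims = Map.of(
                "realm_access", Map.of("roles", List.of("offline_access")),
                "resource_access", Map.of(
                        "employee-service", Map.of("roles", List.of("employee")),
                        "payroll-service", Map.of("roles", List.of("employee", "admin"))));
        // Only resource_access.employee-service.roles reach the output; payroll-service's
        // roles, including "admin", are not mapped for this resource server.
        System.out.println(extractClientRoles(claims, "employee-service"));
    }
}

/** Wires the converter into the oauth2ResourceServer DSL that replaces the deprecated configurer. */
@Configuration
class ResourceServerConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new KeycloakClientRoleConverter("employee-service"));
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

The issuer and JWK set URI still come from `spring.security.oauth2.resourceserver.jwt.issuer-uri` (or `jwk-set-uri`) in the application properties, as in the migration guide linked above; the converter only replaces the authority mapping step. If the token's `aud` claim is also checked against the client id, a token minted for another client is rejected before role extraction even runs.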