Systems like Keycloak allow you to specify custom claims for users. These can appear in any of the tokens.
Some examples:
Everyone in group myapplication_user gets a claim "user":"true"
The full list of groups is provided in a claim "groups":{"group1","group2",...}
It would be useful if HWIOAuthBundle could pass the token data to the User object, and provide a means to map roles.
Possible Solutions
The class OAuthUserProvider/EntityUserProvider receives the UserResponseInterface, which contains the claims in the (serializable) getData(). Passing that data to the OAuthUser and giving it a getData() function solves half of the problem.
The second half is harder: Adding roles to getRoles() based on the contents of getData(). I chose the quick and dirty way, adding a groups array to getData() and claiming that groups and roles are identical. This works, but a more general implementation would allow config-based mapping, maybe reusing the 'paths' mechanism of PathUserResponse.
There are also loadUserByIdentifier and refreshUser, which can't be easily implemented. They seem unused in my application, but I don't know enough about HWIOAuthBundle to know if there is a better way.
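An added example of the config-based mapping the post asks for, written here and not taken from HWIOAuthBundle or from the issue author. It assumes that the claims are available as the array returned by UserResponseInterface::getData() (as the post states), and it deliberately uses an explicit allowlist (claim path, claim value, role) rather than treating every group name as a role, so that a group the identity provider happens to call "ADMIN" does not silently become ROLE_ADMIN. The claim sample, the class names ClaimRoleMapper and ClaimAwareOAuthUser, and the dot-path syntax are all constructed for the example; in a real integration the user class would also implement Symfony's UserInterface and the mapper would be called from a provider's loadUserByOAuthUserResponse().

```php
<?php
declare(strict_types=1);

// Example only: not part of HWIOAuthBundle. Maps identity-provider claims to
// Symfony roles through an explicit allowlist instead of "groups == roles".
final class ClaimRoleMapper
{
    /**
     * @param array<string, array<string, string>> $mapping
     *   claim path (dot-separated, in the spirit of PathUserResponse 'paths')
     *   => [claim value => role]
     * @param string[] $defaultRoles roles every authenticated OAuth user receives
     */
    public function __construct(
        private array $mapping,
        private array $defaultRoles = ['ROLE_OAUTH_USER'],
    ) {}

    /** @param array<string, mixed> $claims decoded token/userinfo data, i.e. getData() */
    public function roles(array $claims): array
    {
        $roles = $this->defaultRoles;
        foreach ($this->mapping as $path => $valueToRole) {
            foreach ($this->valuesAt($claims, $path) as $value) {
                // Only allowlisted values grant a role; unknown groups are ignored.
                if (isset($valueToRole[$value])) {
                    $roles[] = $valueToRole[$value];
                }
            }
        }
        return array_values(array_unique($roles));
    }

    /** Resolve "a.b.c" inside the claims array to a list of string values. */
    private function valuesAt(array $claims, string $path): array
    {
        $node = $claims;
        foreach (explode('.', $path) as $segment) {
            if (!is_array($node) || !array_key_exists($segment, $node)) {
                return [];
            }
            $node = $node[$segment];
        }
        $values = is_array($node) ? $node : [$node];
        $out = [];
        foreach ($values as $v) {
            if (is_bool($v)) {           // tolerate true/"true" (Keycloak emits both)
                $out[] = $v ? 'true' : 'false';
            } elseif (is_scalar($v)) {
                $out[] = (string) $v;
            }
        }
        return $out;
    }
}

// Hypothetical user object carrying the raw claims, as the post proposes.
final class ClaimAwareOAuthUser
{
    public function __construct(
        private string $identifier,
        private array $data,
        private array $roles,
    ) {}

    public function getUserIdentifier(): string { return $this->identifier; }
    public function getData(): array { return $this->data; }
    public function getRoles(): array { return $this->roles; }
}

// Constructed sample of what getData() could return for a Keycloak token.
$claims = [
    'preferred_username' => 'alice',
    'user'   => 'true',
    'groups' => ['myapplication_user', 'finance', 'ADMIN'], // 'ADMIN' is not allowlisted
    'realm_access' => ['roles' => ['offline_access']],
];

$mapper = new ClaimRoleMapper([
    'user'   => ['true' => 'ROLE_USER'],
    'groups' => ['myapplication_user' => 'ROLE_USER', 'myapplication_admin' => 'ROLE_ADMIN'],
    'realm_access.roles' => ['offline_access' => 'ROLE_OFFLINE'],
]);

$user = new ClaimAwareOAuthUser(
    $claims['preferred_username'],
    $claims,
    $mapper->roles($claims),
);

print_r($user->getRoles()); // ROLE_OAUTH_USER, ROLE_USER, ROLE_OFFLINE; no ROLE_ADMIN
```

The mapping array is the part that would live in bundle configuration; keeping it as an allowlist means the application, not the identity provider, decides which group names carry authority, and a renamed or newly created group on the IdP side cannot grant a role the application never configured.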