Open Kehrlann opened 5 months ago
@Kehrlann How did you register `AppSsoAuthorizationCodeRequestAuthenticationProvider` with the authorization server?
@Suvink excellent question, this is a classic pattern, but not 100% obvious. You register it with the `AuthorizationServerConfigurer` using an object post-processor. In your security configuration:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationProvider;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
class SecurityConfiguration {

    // The wrapper needs the authorization service to re-save the OAuth2Authorization
    private final OAuth2AuthorizationService authorizationService;

    SecurityConfiguration(OAuth2AuthorizationService authorizationService) {
        this.authorizationService = authorizationService;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(authorize -> {
                    // ...
                })
                // ...
                .with(
                        new OAuth2AuthorizationServerConfigurer(),
                        authServer -> {
                            // The post-processor sees every AuthenticationProvider the configurer creates
                            authServer.withObjectPostProcessor(new AuthorizationCodeAuthenticationProvider());
                            // ...
                        })
                .build();
    }

    class AuthorizationCodeAuthenticationProvider implements ObjectPostProcessor<AuthenticationProvider> {
        @Override
        @SuppressWarnings("unchecked")
        public <O extends AuthenticationProvider> O postProcess(O object) {
            // Wrap the two providers that create and save the OAuth2Authorization; leave the rest untouched
            if (object instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
                return (O) new AppSsoAuthorizationCodeRequestAuthenticationProvider(object, authorizationService);
            } else if (object instanceof OAuth2AuthorizationConsentAuthenticationProvider) {
                return (O) new AppSsoAuthorizationCodeRequestAuthenticationProvider(object, authorizationService);
            }
            return object;
        }
    }
}
```
Perfect. Initially we tried to register this with web security config but it didn't work. Then registered it with auth server configs and it works perfectly fine. Thanks a lot for the support!
Context

We have a use-case for filtering the scopes that go into an `access_token`, based on the Resource Owner's "roles" - e.g., if you have the role `hr-user` you can have `payslip.view` in the scopes of access tokens issued for you, but not the `payslip.edit` scope - even if the Client is allowed to request it.

There is no way to easily change the `OAuth2Authorization#authorizedScopes()` before it is created/saved. The token itself, when it is a JWT, can be customized with an `OAuth2TokenCustomizer<JwtEncodingContext>` that acts on the scope claim, but the token response has the full list of authorized scopes.

Expected Behavior

When the `OAuth2Authorization` object is created and saved in the `OAuth2Service`, either through `OAuth2AuthorizationCodeRequestAuthenticationProvider` or `OAuth2AuthorizationConsentAuthenticationProvider`, I want to be able to alter the scopes.

Current workaround

Currently, we work around this by creating a custom `AuthenticationProvider` that wraps around both `OAuth2AuthorizationCodeRequestAuthenticationProvider` and `OAuth2AuthorizationConsentAuthenticationProvider`: