Closed Veil closed 4 weeks ago
Thanks, @Veil, for the report. This is now fixed in `main` and will go out in the next snapshot.
@jzheaux awesome. For personal curiosity, what's the thinking behind not supporting any other List implementation in the `defaultAuthenticationConverter`? It doesn't look like we're doing anything special with that type?
Describe the bug
Since the introduction of the `authenticationConverter` in 6.3, the default implementation (`this::defaultAuthenticationConverter`) does not add found scopes as granted authorities as part of introspection because the check `if (!(scopes instanceof ArrayListFromString))` always returns `false` on line 261, as by the time the scopes list reaches here, it has been converted into a normal `ArrayList` in the `accessor.getScopes()` as part of the `getClaimAsStringList` default method without customising the `ClaimConversionService` and therefore fails the check above and returns an empty list.

To Reproduce
Use the default implementation of `SpringOpaqueTokenIntrospector` without customisation of it or the `ClaimConversionService` used by the `ClaimAccessor` interface.

Expected behavior
Scopes are added correctly as "SCOPE_" granted authorities.
Sample
Not sure a sample is required here? This is the default behaviour.
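
A self-contained model of the type check described in the report above, added here as an illustration and not taken from Spring Security or from the reporter. The `getClaimAsStringList` helper, the body of `ArrayListFromString` and both `authorities*` methods are simplified stand-ins, and the lenient guard is an assumption about one possible alternative, not the project's actual fix.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

// Simplified model of the failure mode in the report; not Spring Security's source.
public class ScopeTypeCheckDemo {

    // Marker subtype named in the report; this body is a constructed stand-in.
    static class ArrayListFromString extends ArrayList<String> {
        ArrayListFromString(String... items) { super(List.of(items)); }
    }

    // Hypothetical stand-in for a claim accessor whose conversion step copies
    // the claim into a plain ArrayList, discarding the marker subtype.
    static List<String> getClaimAsStringList(Map<String, Object> claims, String name) {
        Object value = claims.get(name);
        if (!(value instanceof Collection<?> items)) return null;
        List<String> copy = new ArrayList<>();
        for (Object item : items) copy.add(String.valueOf(item));
        return copy;
    }

    // Guard on the concrete subtype, as quoted in the report.
    static List<String> authoritiesStrict(List<String> scopes) {
        if (!(scopes instanceof ArrayListFromString)) return List.of();
        return prefix(scopes);
    }

    // Guard on the List interface: one possible alternative (assumption, not the project's fix).
    static List<String> authoritiesLenient(List<String> scopes) {
        if (scopes == null) return List.of();
        return prefix(scopes);
    }

    static List<String> prefix(List<String> scopes) {
        return scopes.stream().map(s -> "SCOPE_" + s).toList();
    }

    public static void main(String[] args) {
        // Constructed introspection claims, not captured from a real authorization server.
        Map<String, Object> claims = Map.of("scope", new ArrayListFromString("read", "write"));
        List<String> scopes = getClaimAsStringList(claims, "scope");
        System.out.println("runtime type: " + scopes.getClass().getSimpleName());
        System.out.println("strict:  " + authoritiesStrict(scopes));
        System.out.println("lenient: " + authoritiesLenient(scopes));
    }
}
```

A regression test that asserts the expected `SCOPE_` authorities on an introspected token, using the default converter and no customisation, would catch this class of failure before release.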