Open thomasdarimont opened 3 weeks ago
Hi @thomasdarimont. This feature would be very useful. Personally, I feel inconvenienced when I have to write the same code every time to convert authorities. I like the idea of adding a separate property:
spring.security.oauth2.resourceserver.jwt.authorities-claim-expression="[realm_access][roles]"
But for this you will have to extend OAuth2ResourceServerProperties and change OAuth2ResourceServerJwtConfiguration. I hope this feature will be accepted.
Expected Behavior
Users should be able to specify a SpEL expression on the JwtGrantedAuthoritiesConverter to extract the granted authorities from a nested claim structure. This helps to reduce the code necessary to extract roles from nested structures in JWT access tokens generated by Keycloak and other OAuth2 authorization servers which expose roles in nested claims.
Current Behavior
Currently custom code (a custom JwtGrantedAuthoritiesConverter implementation) is required to extract the role "teacher" from the nested JWT claim shown below.
Context
The Keycloak OAuth2 Authorization Server / OpenID Provider generates JWT access_tokens which contain a deeply nested roles configuration like the following:
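For reference, this is what the "custom code" the issue refers to looks like today, written as an added example for this page; it is not code from the issue author, from Keycloak, or from Spring Security itself. The class name KeycloakRealmRoleConverter, the ROLE_ prefix and the constructed token claims (a realm_access.roles list holding "teacher") are assumptions for the demonstration. The converter only uses public Spring Security API (Converter, Jwt, SimpleGrantedAuthority, JwtAuthenticationConverter) and deliberately refuses to treat a non-list or non-string value in the claim as a role, so that an unexpected claim shape from an issuer fails closed rather than throwing or granting something odd:

```java
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

/**
 * Hypothetical example converter (not part of Spring Security): reads roles from
 * the nested Keycloak claim realm_access.roles and maps each one to a
 * SimpleGrantedAuthority named ROLE_<role>.
 */
public class KeycloakRealmRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    // Assumed prefix; Spring's hasRole("teacher") checks for "ROLE_teacher".
    private static final String ROLE_PREFIX = "ROLE_";

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        // The top-level claim is a JSON object in Keycloak tokens; anything else is ignored.
        Object realmAccess = jwt.getClaim("realm_access");
        if (!(realmAccess instanceof Map)) {
            return Collections.emptyList();
        }
        // Inside it, "roles" is a JSON array of strings. Fail closed on any other shape:
        // a bare string or object here must not silently become an authority.
        Object roles = ((Map<?, ?>) realmAccess).get("roles");
        if (!(roles instanceof Collection)) {
            return Collections.emptyList();
        }
        return ((Collection<?>) roles).stream()
                .filter(String.class::isInstance)
                .map(String.class::cast)
                .map(role -> new SimpleGrantedAuthority(ROLE_PREFIX + role))
                .collect(Collectors.toList());
    }

    /** Wraps the converter in the JwtAuthenticationConverter the resource server expects. */
    public static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new KeycloakRealmRoleConverter());
        return converter;
    }

    /** Offline demo on a constructed (unsigned, assumed) token carrying the nested claim. */
    public static void main(String[] args) {
        Jwt jwt = Jwt.withTokenValue("constructed-token")
                .header("alg", "none")
                .claim("realm_access", Map.of("roles", List.of("teacher", "offline_access")))
                .build();
        Collection<GrantedAuthority> authorities = new KeycloakRealmRoleConverter().convert(jwt);
        System.out.println(authorities); // prints [ROLE_teacher, ROLE_offline_access]

        // Malformed shape: "roles" is a string rather than a list, so nothing is granted.
        Jwt odd = Jwt.withTokenValue("constructed-token-2")
                .header("alg", "none")
                .claim("realm_access", Map.of("roles", "teacher"))
                .build();
        System.out.println(new KeycloakRealmRoleConverter().convert(odd)); // prints []
    }
}
```

To use it with the resource server DSL, pass the result of jwtAuthenticationConverter() to the jwt configurer, for example http.oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(KeycloakRealmRoleConverter.jwtAuthenticationConverter()))). Note that the converter only runs after signature and issuer validation by the JwtDecoder, so the claim shape checks above are about robustness against misconfigured issuers, not a substitute for token validation.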