
Auto-configure a JwtAuthenticationConverter #38105


Closed
wants to merge 1 commit into from

Conversation

ykardziyaka (Contributor)

Adds support for auto-configuring JwtAuthenticationConverter (and ReactiveJwtAuthenticationConverter) with the following properties:

  • spring.security.oauth2.resourceserver.jwt.authority-prefix
  • spring.security.oauth2.resourceserver.jwt.authorities-claim-delimiter
  • spring.security.oauth2.resourceserver.jwt.authorities-claim-name
  • spring.security.oauth2.resourceserver.jwt.principal-claim-name

Closes gh-33689

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 30, 2023
@mhalbritter mhalbritter added type: enhancement A general enhancement for: merge-with-amendments Needs some changes when we merge and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 10, 2024
@mhalbritter mhalbritter added this to the 3.3.x milestone Jan 10, 2024
@mhalbritter (Contributor)

When merging, we should let the bean back off if no properties are set. Right now, it always supplies the JWT converter.

mhalbritter pushed a commit to mhalbritter/spring-boot that referenced this pull request Jan 10, 2024
mhalbritter added a commit to mhalbritter/spring-boot that referenced this pull request Jan 10, 2024
The JwtConverter bean is only supplied if one of the following
properties is there:

* spring.security.oauth2.resourceserver.jwt.authority-prefix
* spring.security.oauth2.resourceserver.jwt.principal-claim-name
* spring.security.oauth2.resourceserver.jwt.authorities-claim-name

See gh-38105
@mhalbritter (Contributor)

I got some amended changes here: https://github.com/mhalbritter/spring-boot/tree/pr/38105

mhalbritter pushed a commit that referenced this pull request Jan 11, 2024
mhalbritter added a commit that referenced this pull request Jan 11, 2024
The JwtConverter bean is only supplied if one of the following
properties is there:

* spring.security.oauth2.resourceserver.jwt.authority-prefix
* spring.security.oauth2.resourceserver.jwt.principal-claim-name
* spring.security.oauth2.resourceserver.jwt.authorities-claim-name

See gh-38105
@mhalbritter mhalbritter modified the milestones: 3.3.x, 3.3.0-M1 Jan 11, 2024
@mhalbritter (Contributor)

Thanks a lot!

@Jojoooo1

Are you planning to add a nested authorities-claim-name? For example, Keycloak nests the roles in realm_access.roles.

@wilkinsona (Member)

@Jojoooo1 I don't think so, but I'm not sure that I understand what you're asking for. Please open a new issue describing how to configure a JwtGrantedAuthoritiesConverter that meets your needs. We can then consider how we could support such configuration using application properties.

@Jojoooo1 commented May 24, 2024

Sorry, I was not very clear. I was wondering if in the future you are planning to allow a nested claim name with the property spring.security.oauth2.resourceserver.jwt.authorities-claim-name. My use case was regarding Keycloak; for example, the JWT structure is as follows:

```json
{
  "realm_access": {
    "roles": [
      "default-roles-api",
      "offline_access",
      "uma_authorization",
      "management_user"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  }
}
```

@wilkinsona (Member)

spring.security.oauth2.resourceserver.jwt.authorities-claim-name maps onto org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter.setAuthoritiesClaimName(String). If you want that to support more than it currently does today, I believe a change to JwtGrantedAuthoritiesConverter, which is part of Spring Security, would be required. If this is something that you would like to see, please open an issue over there.
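The two cases discussed in this thread side by side, as an added Java example that is not code from the PR, from Spring Boot's auto-configuration, or from any commenter: the flat-claim mapping that the four properties in the PR description cover, written out as the equivalent JwtGrantedAuthoritiesConverter setters, and the nested realm_access.roles / resource_access.<client>.roles case from @Jojoooo1's Keycloak token, which needs a custom Converter<Jwt, Collection<GrantedAuthority>> because JwtGrantedAuthoritiesConverter reads a single top-level claim. It assumes Spring Boot 3.x with spring-boot-starter-oauth2-resource-server on the classpath; the client id api, the ROLE_ prefix, the roles claim name and preferred_username as principal claim are illustrative choices, the flat-claim helper is shown for comparison and not registered as a bean, and the auto-configured converter is assumed to back off when the application declares its own bean.

```java
// Added example: hand-written equivalents of the PR's properties and a nested
// Keycloak claim walker. Not Spring Boot's own auto-configuration code.
package com.example.security;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@Configuration
public class JwtConverterConfig {

    /** Keycloak client whose resource_access roles this API trusts. Assumed value. */
    private static final String CLIENT_ID = "api";

    /**
     * Flat-claim case: the setters behind the four properties from this PR.
     * Shown for comparison only; it is not registered as a bean here.
     */
    static JwtAuthenticationConverter flatClaimConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthorityPrefix("ROLE_");         // jwt.authority-prefix
        authorities.setAuthoritiesClaimName("roles");    // jwt.authorities-claim-name
        authorities.setAuthoritiesClaimDelimiter(" ");   // jwt.authorities-claim-delimiter (applies when the claim is a String)
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        converter.setPrincipalClaimName("preferred_username"); // jwt.principal-claim-name
        return converter;
    }

    /**
     * Nested-claim case (Keycloak): realm_access.roles plus resource_access.<CLIENT_ID>.roles.
     * A missing or malformed claim yields no authorities instead of an exception, so the
     * token still authenticates but carries no ROLE_ authorities.
     */
    static Collection<GrantedAuthority> keycloakAuthorities(Jwt jwt) {
        List<GrantedAuthority> result = new ArrayList<>();
        addRoles(result, jwt.getClaimAsMap("realm_access"));
        Map<String, Object> resourceAccess = jwt.getClaimAsMap("resource_access");
        if (resourceAccess != null && resourceAccess.get(CLIENT_ID) instanceof Map<?, ?> client) {
            addRoles(result, client);
        }
        return result;
    }

    /** Appends ROLE_-prefixed authorities for each String entry of container.roles, if present. */
    private static void addRoles(List<GrantedAuthority> into, Map<?, ?> container) {
        if (container == null || !(container.get("roles") instanceof Collection<?> roles)) {
            return;
        }
        for (Object role : roles) {
            if (role instanceof String name && !name.isBlank()) {
                into.add(new SimpleGrantedAuthority("ROLE_" + name));
            }
        }
    }

    /** The bean the application declares instead of relying on the property-driven converter. */
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        Converter<Jwt, Collection<GrantedAuthority>> nested = JwtConverterConfig::keycloakAuthorities;
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(nested);
        converter.setPrincipalClaimName("preferred_username");
        return converter;
    }
}
```

Two practical checks before relying on either form. First, a mistyped claim name or an unexpected claim shape does not fail at startup; it silently produces an authentication with no authorities, so a test that builds a Jwt with the expected claims and asserts on the converter's output catches that before a deployment does. Second, the realm_access.roles array in the sample token carries Keycloak realm defaults such as offline_access and uma_authorization alongside the application role management_user; mapping every entry to ROLE_* grants authorities the application never defined, which is why the walker above only trusts one client's resource_access entry and why an allow-list of application roles is worth adding before the prefix is applied.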
