GH-15201 Support extracting nested authorities in JwtGrantedAuthoritiesConverter

This helps to reduce custom code necessary to extract roles from deeply
nested claims.

Fixes #15201

Signed-off-by: Thomas Darimont <[email protected]>

Author: thomasdarimont

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtGrantedAuthoritiesConverter.java

@@ -24,8 +24,11 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.core.log.LogMessage;
+import org.springframework.expression.Expression;
+import org.springframework.expression.ExpressionException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
@@ -55,6 +58,8 @@ public final class JwtGrantedAuthoritiesConverter implements Converter<Jwt, Coll
 
 	private String authoritiesClaimName;
 
+	private Expression authoritiesClaimExpression;
+
 	/**
 	 * Extract {@link GrantedAuthority}s from the given {@link Jwt}.
 	 * @param jwt The {@link Jwt} token
@@ -117,16 +122,38 @@ private String getAuthoritiesClaimName(Jwt jwt) {
 		return null;
 	}
 
+	/**
+	 * Sets the expression for extracting the token claim to use for mapping {@link GrantedAuthority
+	 * authorities} by this converter.
+	 * Note that this takes precedence over {@link #setAuthoritiesClaimName(String)}.
+	 * @param authoritiesClaimExpression The token claim SpEL Expression to map authorities
+	 * @since 6.5
+	 */
+	public void setAuthoritiesClaimExpression(Expression authoritiesClaimExpression) {
+		Assert.notNull(authoritiesClaimExpression, "authoritiesClaimExpression must not be null");
+		this.authoritiesClaimExpression = authoritiesClaimExpression;
+	}
+
 	private Collection<String> getAuthorities(Jwt jwt) {
-		String claimName = getAuthoritiesClaimName(jwt);
-		if (claimName == null) {
-			this.logger.trace("Returning no authorities since could not find any claims that might contain scopes");
-			return Collections.emptyList();
-		}
-		if (this.logger.isTraceEnabled()) {
-			this.logger.trace(LogMessage.format("Looking for scopes in claim %s", claimName));
+
+		Object authorities;
+		if (authoritiesClaimExpression != null) {
+			try {
+				authorities = authoritiesClaimExpression.getValue(jwt.getClaims(), Collection.class);
+			} catch (ExpressionException ee) {
+				authorities = Collections.emptyList();
+			}
+		} else {
+			String claimName = getAuthoritiesClaimName(jwt);
+			if (claimName == null) {
+				this.logger.trace("Returning no authorities since could not find any claims that might contain scopes");
+				return Collections.emptyList();
+			}
+			if (this.logger.isTraceEnabled()) {
+				this.logger.trace(LogMessage.format("Looking for scopes in claim %s", claimName));
+			}
+			authorities = jwt.getClaim(claimName);
 		}
-		Object authorities = jwt.getClaim(claimName);
 		if (authorities instanceof String) {
 			if (StringUtils.hasText((String) authorities)) {
 				return Arrays.asList(((String) authorities).split(this.authoritiesClaimDelimiter));

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtGrantedAuthoritiesConverterTests.java

@@ -19,9 +19,12 @@
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
+import java.util.Map;
 
 import org.junit.jupiter.api.Test;
 
+import org.springframework.expression.Expression;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
@@ -229,6 +232,33 @@ public void convertWhenTokenHasCustomClaimNameThenCustomClaimNameAttributeIsTran
 				new SimpleGrantedAuthority("SCOPE_message:write"));
 	}
 
+	@Test
+	public void convertWhenTokenHasCustomClaimNameExpressionThenCustomClaimNameAttributeIsTranslatedToAuthorities() {
+		// @formatter:off
+		Jwt jwt = TestJwts.jwt()
+				.claim("nested", Map.of("roles", Arrays.asList("role1", "role2")))
+				.build();
+		// @formatter:on
+		JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
+		jwtGrantedAuthoritiesConverter.setAuthoritiesClaimExpression(new SpelExpressionParser().parseRaw("[nested][roles]"));
+		Collection<GrantedAuthority> authorities = jwtGrantedAuthoritiesConverter.convert(jwt);
+		assertThat(authorities).containsExactly(new SimpleGrantedAuthority("SCOPE_role1"),
+				new SimpleGrantedAuthority("SCOPE_role2"));
+	}
+
+	@Test
+	public void convertWhenTokenHasCustomInvalidClaimNameExpressionThenCustomClaimNameAttributeIsTranslatedToEmptyAuthorities() {
+		// @formatter:off
+		Jwt jwt = TestJwts.jwt()
+				.claim("other", Map.of("roles", Arrays.asList("role1", "role2")))
+				.build();
+		// @formatter:on
+		JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
+		jwtGrantedAuthoritiesConverter.setAuthoritiesClaimExpression(new SpelExpressionParser().parseRaw("[nested][roles]"));
+		Collection<GrantedAuthority> authorities = jwtGrantedAuthoritiesConverter.convert(jwt);
+		assertThat(authorities).isEmpty();
+	}
+
 	@Test
 	public void convertWhenTokenHasEmptyCustomClaimNameThenCustomClaimNameAttributeIsTranslatedToNoAuthorities() {
 		// @formatter:off