GH-15201 Introduce ExpressionJwtGrantedAuthoritiesConverter to extract nested authorities with an expression

This helps to reduce custom code necessary to extract roles from deeply
nested claims.

Fixes #15201

Signed-off-by: Thomas Darimont <[email protected]>

Author: thomasdarimont

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/ExpressionJwtGrantedAuthoritiesConverter.java

@@ -0,0 +1,122 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.authentication;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.core.log.LogMessage;
+import org.springframework.expression.Expression;
+import org.springframework.expression.ExpressionException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.util.Assert;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+
+import static org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter.castAuthoritiesToCollection;
+
+/**
+ * Uses an expression for extracting the token claim value to use for mapping
+ * {@link GrantedAuthority authorities}.
+ *
+ * Note this can be used in combination with a
+ * {@link DelegatingJwtGrantedAuthoritiesConverter}.
+ *
+ * @author Thomas Darimont
+ * @since 6.4
+ */
+public class ExpressionJwtGrantedAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
+
+	private final Log logger = LogFactory.getLog(getClass());
+
+	private String authorityPrefix = "";
+
+	private final Expression authoritiesClaimExpression;
+
+	/**
+	 * Constructs a {@link ExpressionJwtGrantedAuthoritiesConverter} using the provided
+	 * {@code authoritiesClaimExpression}.
+	 * @param authoritiesClaimExpression The token claim SpEL Expression to map
+	 * authorities from.
+	 */
+	public ExpressionJwtGrantedAuthoritiesConverter(Expression authoritiesClaimExpression) {
+		Assert.notNull(authoritiesClaimExpression, "authoritiesClaimExpression must not be null");
+		this.authoritiesClaimExpression = authoritiesClaimExpression;
+	}
+
+	/**
+	 * Sets the prefix to use for {@link GrantedAuthority authorities} mapped by this
+	 * converter. Defaults to {@code ""}.
+	 * @param authorityPrefix The authority prefix
+	 */
+	public void setAuthorityPrefix(String authorityPrefix) {
+		Assert.notNull(authorityPrefix, "authorityPrefix cannot be null");
+		this.authorityPrefix = authorityPrefix;
+	}
+
+	/**
+	 * Extract {@link GrantedAuthority}s from the given {@link Jwt}.
+	 * @param jwt The {@link Jwt} token
+	 * @return The {@link GrantedAuthority authorities} read from the token scopes
+	 */
+	@Override
+	public Collection<GrantedAuthority> convert(Jwt jwt) {
+		Collection<GrantedAuthority> grantedAuthorities = new ArrayList<>();
+		for (String authority : getAuthorities(jwt)) {
+			grantedAuthorities.add(new SimpleGrantedAuthority(this.authorityPrefix + authority));
+		}
+		return grantedAuthorities;
+	}
+
+	private Collection<String> getAuthorities(Jwt jwt) {
+		Object authorities;
+		try {
+			if (this.logger.isTraceEnabled()) {
+				this.logger.trace(LogMessage.format("Looking for authorities with expression. expression=%s",
+						authoritiesClaimExpression.getExpressionString()));
+			}
+			authorities = authoritiesClaimExpression.getValue(jwt.getClaims(), Collection.class);
+			if (this.logger.isTraceEnabled()) {
+				this.logger.trace(LogMessage.format("Found authorities with expression. authorities=%s", authorities));
+			}
+		}
+		catch (ExpressionException ee) {
+			if (this.logger.isTraceEnabled()) {
+				this.logger.trace(LogMessage.format("Failed to evaluate expression. error=%s", ee.getMessage()));
+			}
+			authorities = Collections.emptyList();
+		}
+
+		if (authorities != null) {
+			return castAuthoritiesToCollection(authorities);
+		}
+		return Collections.emptyList();
+	}
+
+	public Expression getAuthoritiesClaimExpression() {
+		return authoritiesClaimExpression;
+	}
+
+	public String getAuthorityPrefix() {
+		return authorityPrefix;
+	}
+
+}

oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtGrantedAuthoritiesConverter.java

@@ -140,7 +140,7 @@ private Collection<String> getAuthorities(Jwt jwt) {
 	}
 
 	@SuppressWarnings("unchecked")
-	private Collection<String> castAuthoritiesToCollection(Object authorities) {
+	static Collection<String> castAuthoritiesToCollection(Object authorities) {
 		return (Collection<String>) authorities;
 	}
 

oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/ExpressionJwtGrantedAuthoritiesConverterTests.java

@@ -0,0 +1,100 @@
+/*
+ * Copyright 2002-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.server.resource.authentication;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.expression.spel.standard.SpelExpression;
+import org.springframework.expression.spel.standard.SpelExpressionParser;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.TestJwts;
+
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link ExpressionJwtGrantedAuthoritiesConverter}
+ *
+ * @author Thomas Darimont
+ * @since 6.4
+ */
+public class ExpressionJwtGrantedAuthoritiesConverterTests {
+
+	@Test
+	public void convertWhenTokenHasCustomClaimNameExpressionThenCustomClaimNameAttributeIsTranslatedToAuthorities() {
+		// @formatter:off
+		Jwt jwt = TestJwts.jwt()
+				.claim("nested", Collections.singletonMap("roles", Arrays.asList("role1", "role2")))
+				.build();
+		// @formatter:on
+		SpelExpression expression = new SpelExpressionParser().parseRaw("[nested][roles]");
+		ExpressionJwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new ExpressionJwtGrantedAuthoritiesConverter(
+				expression);
+		Collection<GrantedAuthority> authorities = jwtGrantedAuthoritiesConverter.convert(jwt);
+		assertThat(authorities).containsExactly(new SimpleGrantedAuthority("role1"),
+				new SimpleGrantedAuthority("role2"));
+	}
+
+	@Test
+	public void convertToEmptyListWhenTokenClaimExpressionYieldsNull() {
+		// @formatter:off
+		Jwt jwt = TestJwts.jwt()
+				.claim("nested", Collections.singletonMap("roles", null))
+				.build();
+		// @formatter:on
+		SpelExpression expression = new SpelExpressionParser().parseRaw("[nested][roles]");
+		ExpressionJwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new ExpressionJwtGrantedAuthoritiesConverter(
+				expression);
+		Collection<GrantedAuthority> authorities = jwtGrantedAuthoritiesConverter.convert(jwt);
+		assertThat(authorities).isEmpty();
+	}
+
+	@Test
+	public void convertWhenTokenHasCustomClaimNameExpressionThenCustomClaimNameAttributeIsTranslatedToAuthoritiesWithPrefix() {
+		// @formatter:off
+		Jwt jwt = TestJwts.jwt()
+				.claim("nested", Collections.singletonMap("roles", Arrays.asList("role1", "role2")))
+				.build();
+		// @formatter:on
+		SpelExpression expression = new SpelExpressionParser().parseRaw("[nested][roles]");
+		ExpressionJwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new ExpressionJwtGrantedAuthoritiesConverter(
+				expression);
+		jwtGrantedAuthoritiesConverter.setAuthorityPrefix("CUSTOM_");
+		Collection<GrantedAuthority> authorities = jwtGrantedAuthoritiesConverter.convert(jwt);
+		assertThat(authorities).containsExactly(new SimpleGrantedAuthority("CUSTOM_role1"),
+				new SimpleGrantedAuthority("CUSTOM_role2"));
+	}
+
+	@Test
+	public void convertWhenTokenHasCustomInvalidClaimNameExpressionThenCustomClaimNameAttributeIsTranslatedToEmptyAuthorities() {
+		// @formatter:off
+		Jwt jwt = TestJwts.jwt()
+				.claim("other", Collections.singletonMap("roles", Arrays.asList("role1", "role2")))
+				.build();
+		// @formatter:on
+		SpelExpression expression = new SpelExpressionParser().parseRaw("[nested][roles]");
+		ExpressionJwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new ExpressionJwtGrantedAuthoritiesConverter(
+				expression);
+		Collection<GrantedAuthority> authorities = jwtGrantedAuthoritiesConverter.convert(jwt);
+		assertThat(authorities).isEmpty();
+	}
+
+}