OKTA-595963 made it possible to set authorities claim name from config

okta · Jan 26, 2024 · c5dcaab · c5dcaab
1 parent c466cbd
commit c5dcaab
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 1 deletion.
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaJwtAuthenticationConverter.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaJwtAuthenticationConverter.java
@@ -15,6 +15,7 @@
  */
 package com.okta.spring.boot.oauth;
 
+import com.okta.spring.boot.oauth.config.OktaOAuth2Properties;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
@@ -31,4 +32,18 @@ public OktaJwtAuthenticationConverter(String groupClaim) {
             return result;
         });
     }
+
+    public OktaJwtAuthenticationConverter(OktaOAuth2Properties oktaOAuth2Properties) {
+        JwtGrantedAuthoritiesConverter originalConverter = new JwtGrantedAuthoritiesConverter();
+
+        if (oktaOAuth2Properties.getAuthoritiesClaimName() != null) {
+            originalConverter.setAuthoritiesClaimName(oktaOAuth2Properties.getAuthoritiesClaimName());
+        }
+
+        this.setJwtGrantedAuthoritiesConverter(source -> {
+            Collection<GrantedAuthority> result = originalConverter.convert(source);
+            result.addAll(TokenUtil.tokenClaimsToAuthorities(source.getClaims(), oktaOAuth2Properties.getGroupsClaim()));
+            return result;
+        });
+    }
 }
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2ResourceServerAutoConfig.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2ResourceServerAutoConfig.java
@@ -63,7 +63,7 @@ class OktaOAuth2ResourceServerAutoConfig {
 
     @Bean
     public JwtAuthenticationConverter jwtAuthenticationConverter(OktaOAuth2Properties oktaOAuth2Properties) {
-        return new OktaJwtAuthenticationConverter(oktaOAuth2Properties.getGroupsClaim());
+        return new OktaJwtAuthenticationConverter(oktaOAuth2Properties);
     }
 
     @Bean

diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/config/OktaOAuth2Properties.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/config/OktaOAuth2Properties.java
@@ -66,6 +66,11 @@ public final class OktaOAuth2Properties implements Validator {
      */
     private String groupsClaim = "groups";
 
+    /**
+     * The token claim name to map authorities
+     */
+    private String authoritiesClaimName;
+
     /**
      * URL to redirect to after an RP-Initiated logout (SSO Logout).
      */
@@ -128,6 +133,14 @@ public void setGroupsClaim(String groupsClaim) {
         this.groupsClaim = groupsClaim;
     }
 
+    public String getAuthoritiesClaimName() {
+        return authoritiesClaimName;
+    }
+
+    public void setAuthoritiesClaimName(String authoritiesClaimName) {
+        this.authoritiesClaimName = authoritiesClaimName;
+    }
+
     public Set<String> getScopes() {
         return getRegistration().map(OAuth2ClientProperties.Registration::getScope)
                                 .orElse(scopes);

diff --git a/oauth2/src/test/groovy/com/okta/spring/boot/oauth/OktaJwtAuthenticationConverterTest.groovy b/oauth2/src/test/groovy/com/okta/spring/boot/oauth/OktaJwtAuthenticationConverterTest.groovy
@@ -15,6 +15,7 @@
  */
 package com.okta.spring.boot.oauth
 
+import com.okta.spring.boot.oauth.config.OktaOAuth2Properties
 import org.springframework.security.core.authority.SimpleGrantedAuthority
 import org.springframework.security.oauth2.jwt.Jwt
 import org.testng.annotations.Test
@@ -45,6 +46,28 @@ class OktaJwtAuthenticationConverterTest {
                 new SimpleGrantedAuthority("g2"))
     }
 
+    @Test
+    void extractAuthorities_customClaimNameTest() {
+
+        // these maps must not be empty
+        def jwt = new Jwt("foo", Instant.now(), Instant.now().plusMillis(1000L), [simple: "value"], [
+            permissions: ["one", "two", "three"],
+            myGroups   : ["g1", "g2"]
+        ])
+
+        def properties = new OktaOAuth2Properties(null)
+        properties.setGroupsClaim("myGroups")
+        properties.setAuthoritiesClaimName("permissions")
+
+        def authorities = new OktaJwtAuthenticationConverter(properties).convert(jwt).getAuthorities()
+        assertThat authorities, hasItems(
+            new SimpleGrantedAuthority("SCOPE_one"),
+            new SimpleGrantedAuthority("SCOPE_two"),
+            new SimpleGrantedAuthority("SCOPE_three"),
+            new SimpleGrantedAuthority("g1"),
+            new SimpleGrantedAuthority("g2"))
+    }
+
     @Test
     void extractAuthorities_emptyTest() {
         def jwt = new Jwt("foo", Instant.now(), Instant.now().plusMillis(1000L), [simple: "value"], [simple: "value"]) // these maps must not be empty
-Original file line number
+Diff line change
@@ Expand Up / @@ -63,7 +63,7 @@ class OktaOAuth2ResourceServerAutoConfig { @@
         @Bean
         public JwtAuthenticationConverter jwtAuthenticationConverter(OktaOAuth2Properties oktaOAuth2Properties) {
-            return new OktaJwtAuthenticationConverter(oktaOAuth2Properties.getGroupsClaim());
+            return new OktaJwtAuthenticationConverter(oktaOAuth2Properties);
         }
         @Bean
@@ Expand Down @@