Merge pull request #26717 from mshima/role-microservice-oauth2

Fix oauth2 microservice roles

generators/server/__snapshots__/generator.spec.js.snap

@@ -319,9 +319,6 @@ exports[`generator - server composing databaseType option no with oauth2 should
   "src/main/java/com/mycompany/myapp/security/oauth2/CustomClaimConverter.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/myapp/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/myapp/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },

generators/server/templates/src/main/java/_package_/config/SecurityConfiguration_imperative.java.ejs

@@ -67,6 +67,8 @@ import static org.springframework.security.oauth2.core.oidc.StandardClaimNames.P
 
 import <%= packageName %>.security.oauth2.AudienceValidator;
 import <%= packageName %>.security.SecurityUtils;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
@@ -75,6 +77,7 @@ import org.springframework.security.oauth2.core.OAuth2TokenValidator;
 import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.jwt.*;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.core.GrantedAuthority;
   <%_ if (!applicationTypeMicroservice) { _%>
@@ -284,7 +287,9 @@ public class SecurityConfiguration {
   <%_ } else { _%>
             .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
   <%_ } _%>
-            .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()))
+            .oauth2ResourceServer(oauth2 -> oauth2
+                .jwt(jwt -> jwt
+                    .jwtAuthenticationConverter(authenticationConverter())))
             .oauth2Client(withDefaults());
 <%_ } _%>
 <%_ if (devDatabaseTypeH2Any) { _%>
@@ -305,6 +310,21 @@ public class SecurityConfiguration {
     }
 <%_ if (authenticationTypeOauth2) { _%>
 
+    Converter<Jwt, AbstractAuthenticationToken> authenticationConverter() {
+        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
+        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(
+            new Converter<Jwt, Collection<GrantedAuthority>>() {
+                @Override
+                public Collection<GrantedAuthority> convert(Jwt jwt) {
+                    return SecurityUtils.extractAuthorityFromClaims(jwt.getClaims());
+                }
+            }
+        );
+        jwtAuthenticationConverter.setPrincipalClaimName(PREFERRED_USERNAME);
+        return jwtAuthenticationConverter;
+    }
+    <%_ if (!applicationTypeMicroservice) { _%>
+
     OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
         final OidcUserService delegate = new OidcUserService();
 
@@ -313,7 +333,6 @@ public class SecurityConfiguration {
             return new DefaultOidcUser(oidcUser.getAuthorities(), oidcUser.getIdToken(), oidcUser.getUserInfo(), PREFERRED_USERNAME);
         };
     }
-  <%_ if (!applicationTypeMicroservice) { _%>
 
     /**
      * Map authorities from "groups" or "roles" claim in ID Token.

generators/server/templates/src/main/java/_package_/config/SecurityConfiguration_reactive.java.ejs

@@ -24,7 +24,10 @@ import static org.springframework.security.oauth2.core.oidc.StandardClaimNames.P
 
 import <%= packageName %>.security.SecurityUtils;
 import <%= packageName %>.security.oauth2.AudienceValidator;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverter;
 import org.springframework.beans.factory.annotation.Value;
+import reactor.core.publisher.Flux;
 <%_ } _%>
 <%_ if (authenticationUsesCsrf) { _%>
 import tech.jhipster.web.filter.reactive.CookieCsrfFilter;
@@ -39,6 +42,7 @@ import <%= packageName %>.web.filter.SpaWebFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 <%_ if (authenticationTypeOauth2) { _%>
+import org.springframework.core.convert.converter.Converter;
   <%_ if (!applicationTypeMicroservice) { _%>
 import org.springframework.core.ParameterizedTypeReference;
   <%_ } _%>
@@ -303,7 +307,9 @@ public class SecurityConfiguration {
             .oauth2Login(oauth2 -> oauth2.authorizationRequestResolver(authorizationRequestResolver(this.clientRegistrationRepository)))
   <%_ } _%>
             .oauth2Client(withDefaults())
-            .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()));
+            .oauth2ResourceServer(oauth2 -> oauth2
+                .jwt(jwt -> jwt
+                    .jwtAuthenticationConverter(jwtAuthenticationConverter())));
 <%_ } else if (authenticationTypeJwt) { _%>
             .httpBasic(basic -> basic.disable())
             .oauth2ResourceServer(oauth2 -> oauth2.jwt(withDefaults()));
@@ -331,6 +337,20 @@ public class SecurityConfiguration {
     }
   <%_ } _%>
 
+    Converter<Jwt, Mono<AbstractAuthenticationToken>> jwtAuthenticationConverter() {
+        ReactiveJwtAuthenticationConverter jwtAuthenticationConverter = new ReactiveJwtAuthenticationConverter();
+        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(
+            new Converter<Jwt, Flux<GrantedAuthority>>() {
+                @Override
+                public Flux<GrantedAuthority> convert(Jwt jwt) {
+                    return Flux.fromIterable(SecurityUtils.extractAuthorityFromClaims(jwt.getClaims()));
+                }
+            }
+        );
+        jwtAuthenticationConverter.setPrincipalClaimName(PREFERRED_USERNAME);
+        return jwtAuthenticationConverter;
+    }
+
     /**
      * Map authorities from "groups" or "roles" claim in ID Token.
      *

generators/server/templates/src/main/resources/config/application.yml.ejs

@@ -358,9 +358,6 @@ spring:
             client-secret: web_app
     <%_ } _%>
             scope: openid, profile, email, offline_access # last one for refresh tokens
-      resourceserver:
-        jwt:
-          principal-claim-name: preferred_username
   <%_ } _%>
   <%_ if (authenticationTypeJwt) { _%>
     oauth2:

generators/spring-boot/__snapshots__/generator.spec.ts.snap

@@ -463,9 +463,6 @@ exports[`generator - spring-boot with oauth2 should match generated files snapsh
   "src/main/java/com/mycompany/myapp/security/oauth2/CustomClaimConverter.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/myapp/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/myapp/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },

generators/spring-boot/cleanup.ts

@@ -26,7 +26,7 @@ import cleanupOauth2 from './cleanup-oauth2.js';
  * need to be removed.
  */
 export default asWritingTask(function cleanupTask(this, taskParam) {
-  const { application } = taskParam;
+  const { application, control } = taskParam;
   if (application.authenticationTypeOauth2) {
     cleanupOauth2.call(this, taskParam);
   }
@@ -208,4 +208,8 @@ export default asWritingTask(function cleanupTask(this, taskParam) {
   if (this.isJhipsterVersionLessThan('8.4.0')) {
     this.removeFile(`${application.javaPackageSrcDir}config/LocaleConfiguration.java`);
   }
+
+  control.cleanupFiles({
+    '8.6.1': [[application.authenticationTypeOauth2!, `${application.javaPackageSrcDir}security/oauth2/JwtGrantedAuthorityConverter.java`]],
+  });
 });

generators/spring-boot/files.ts

@@ -64,7 +64,7 @@ const oauth2Files = {
     {
       path: `${SERVER_MAIN_SRC_DIR}_package_/`,
       renameTo: moveToJavaPackageSrcDir,
-      templates: ['security/oauth2/AudienceValidator.java', 'security/oauth2/JwtGrantedAuthorityConverter.java'],
+      templates: ['security/oauth2/AudienceValidator.java'],
     },
     {
       path: `${SERVER_TEST_SRC_DIR}_package_/`,

generators/spring-data-cassandra/__snapshots__/generator.spec.ts.snap

@@ -1271,9 +1271,6 @@ exports[`generator - cassandra microservice-oauth2-reactive(true)-gradle-enableT
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -2426,9 +2423,6 @@ exports[`generator - cassandra monolith-oauth2-reactive(false)-maven-enableTrans
   "src/main/java/tech/jhipster/security/oauth2/CustomClaimConverter.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/tech/jhipster/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/tech/jhipster/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -2794,9 +2788,6 @@ exports[`generator - cassandra monolith-oauth2-reactive(true)-gradle-enableTrans
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },

generators/spring-data-couchbase/__snapshots__/generator.spec.ts.snap

@@ -1316,9 +1316,6 @@ exports[`generator - couchbase microservice-oauth2-reactive(true)-gradle-enableT
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -2507,9 +2504,6 @@ exports[`generator - couchbase monolith-oauth2-reactive(false)-maven-enableTrans
   "src/main/java/tech/jhipster/security/oauth2/CustomClaimConverter.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/tech/jhipster/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/tech/jhipster/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -2872,9 +2866,6 @@ exports[`generator - couchbase monolith-oauth2-reactive(true)-gradle-enableTrans
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },

generators/spring-data-elasticsearch/__snapshots__/generator.spec.ts.snap

@@ -1424,9 +1424,6 @@ exports[`generator - elasticsearch microservice-oauth2-reactive(true)-gradle-ena
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -2729,9 +2726,6 @@ exports[`generator - elasticsearch monolith-oauth2-reactive(false)-maven-enableT
   "src/main/java/tech/jhipster/security/oauth2/CustomClaimConverter.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/tech/jhipster/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/tech/jhipster/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -3160,9 +3154,6 @@ exports[`generator - elasticsearch monolith-oauth2-reactive(true)-gradle-enableT
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },

generators/spring-data-mongodb/__snapshots__/generator.spec.ts.snap

@@ -1253,9 +1253,6 @@ exports[`generator - mongodb microservice-oauth2-reactive(true)-gradle-enableTra
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -2390,9 +2387,6 @@ exports[`generator - mongodb monolith-oauth2-reactive(false)-maven-enableTransla
   "src/main/java/tech/jhipster/security/oauth2/CustomClaimConverter.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/tech/jhipster/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/tech/jhipster/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -2743,9 +2737,6 @@ exports[`generator - mongodb monolith-oauth2-reactive(true)-gradle-enableTransla
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },

generators/spring-data-neo4j/__snapshots__/generator.spec.ts.snap

@@ -1256,9 +1256,6 @@ exports[`generator - neo4j microservice-oauth2-reactive(true)-gradle-enableTrans
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -2393,9 +2390,6 @@ exports[`generator - neo4j monolith-oauth2-reactive(false)-maven-enableTranslati
   "src/main/java/tech/jhipster/security/oauth2/CustomClaimConverter.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/tech/jhipster/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/tech/jhipster/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },
@@ -2746,9 +2740,6 @@ exports[`generator - neo4j monolith-oauth2-reactive(true)-gradle-enableTranslati
   "src/main/java/com/mycompany/security/oauth2/AudienceValidator.java": {
     "stateCleared": "modified",
   },
-  "src/main/java/com/mycompany/security/oauth2/JwtGrantedAuthorityConverter.java": {
-    "stateCleared": "modified",
-  },
   "src/main/java/com/mycompany/security/oauth2/package-info.java": {
     "stateCleared": "modified",
   },