Add new AuthoritiesProvider interface to adding custom GrantedAuthori…

…ties Converted existing code to use this new interface (scopes and groups) Fixes: #136
okta · Jan 27, 2020 · b657b58 · b657b58
1 parent d6841ca
commit b657b58
Show file tree

Hide file tree

Showing 11 changed files with 225 additions and 37 deletions.
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/AuthoritiesProvider.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/AuthoritiesProvider.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright 2019-Present Okta, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.okta.spring.boot.oauth;
+
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+
+import java.util.Collection;
+
+/**
+ * Allows for custom {@link GrantedAuthority}s to be added to the current OAuth Principal. Multiple implementations
+ * are allowed, by default OAuth scopes are converted to Authorities with the format {@code SCOPE_<scope-name>} and
+ * if a `groups` claim exists in the access or id token, those are converted as well.
+ *
+ * Example usage:
+ *
+ * <pre><code>
+ *     &#64;Bean
+ *     AuthoritiesProvider myCustomAuthoritiesProvider() {
+ *         return (user, userRequest) -&gt; lookupExtraAuthoritesByName(user.getAttributes().get("email"));
+ *     }
+ * </code></pre>
+ *
+ * @since 1.4.0
+ */
+public interface AuthoritiesProvider {
+
+    Collection<? extends GrantedAuthority> getAuthorities(OAuth2User user, OAuth2UserRequest userRequest);
+
+    default Collection<? extends GrantedAuthority> getAuthorities(OidcUser user, OidcUserRequest userRequest) {
+        return getAuthorities((OAuth2User) user, userRequest);
+    }
+}
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/AuthorityProvidersConfig.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/AuthorityProvidersConfig.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2019-Present Okta, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.okta.spring.boot.oauth;
+
+import com.okta.spring.boot.oauth.config.OktaOAuth2Properties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * @since 1.4.0
+ */
+@Configuration
+class AuthorityProvidersConfig {
+
+    @Bean
+    AuthoritiesProvider tokenScopesAuthoritiesProvider() {
+        return (user, userRequest) -> TokenUtil.tokenScopesToAuthorities(userRequest.getAccessToken());
+    }
+
+    @Bean
+    AuthoritiesProvider groupClaimsAuthoritiesProvider(OktaOAuth2Properties oktaOAuth2Properties) {
+        return (user, userRequest) -> TokenUtil.tokenClaimsToAuthorities(user.getAttributes(), oktaOAuth2Properties.getGroupsClaim());
+    }
+}
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2AutoConfig.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2AutoConfig.java
@@ -23,6 +23,7 @@
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
@@ -34,12 +35,14 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 
 import java.net.URI;
+import java.util.Collection;
 
 @Configuration
 @ConditionalOnOktaClientProperties
 @EnableConfigurationProperties(OktaOAuth2Properties.class)
 @ConditionalOnClass({ EnableWebSecurity.class, ClientRegistration.class })
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
+@Import(AuthorityProvidersConfig.class)
 class OktaOAuth2AutoConfig {
 
     @Bean
@@ -53,13 +56,13 @@ OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler(OktaOAuth2Prope
 
     @Bean
     @ConditionalOnMissingBean(name="oAuth2UserService")
-    OAuth2UserService<OAuth2UserRequest, OAuth2User> oAuth2UserService(OktaOAuth2Properties oktaOAuth2Properties) {
-        return new OktaOAuth2UserService(oktaOAuth2Properties.getGroupsClaim());
+    OAuth2UserService<OAuth2UserRequest, OAuth2User> oAuth2UserService(Collection<AuthoritiesProvider> authoritiesProviders) {
+        return new OktaOAuth2UserService(authoritiesProviders);
     }
 
     @Bean
     @ConditionalOnMissingBean(name="oidcUserService")
-    OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService(OktaOAuth2Properties oktaOAuth2Properties) {
-        return new OktaOidcUserService(oktaOAuth2Properties.getGroupsClaim());
+    OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService(Collection<AuthoritiesProvider> authoritiesProviders) {
+        return new OktaOidcUserService(oAuth2UserService(authoritiesProviders), authoritiesProviders);
     }
 }
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2UserService.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOAuth2UserService.java
@@ -23,12 +23,14 @@
 import org.springframework.web.client.RestOperations;
 import org.springframework.web.client.RestTemplate;
 
+import java.util.Collection;
+
 final class OktaOAuth2UserService extends DefaultOAuth2UserService {
 
-    private final String groupClaim;
+    private final Collection<AuthoritiesProvider> authoritiesProviders;
 
-    OktaOAuth2UserService(String groupClaim) {
-        this.groupClaim = groupClaim;
+    OktaOAuth2UserService(Collection<AuthoritiesProvider> authoritiesProviders) {
+        this.authoritiesProviders = authoritiesProviders;
         setRestOperations(restOperations());
     }
 
@@ -42,6 +44,6 @@ private RestOperations restOperations() {
     @Override
     public OAuth2User loadUser(OAuth2UserRequest userRequest) {
         OAuth2User user = super.loadUser(userRequest);
-        return UserUtil.decorateUser(user, userRequest, groupClaim);
+        return UserUtil.decorateUser(user, userRequest, authoritiesProviders);
     }
 }
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOidcUserService.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/OktaOidcUserService.java
@@ -17,21 +17,26 @@
 
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+
+import java.util.Collection;
 
 final class OktaOidcUserService extends OidcUserService {
 
-    private final String groupClaim;
+    private final Collection<AuthoritiesProvider> authoritiesProviders;
 
-    OktaOidcUserService(String groupClaim) {
-        this.groupClaim = groupClaim;
-        this.setOauth2UserService(new OktaOAuth2UserService(groupClaim));
+    OktaOidcUserService(OAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService, Collection<AuthoritiesProvider> authoritiesProviders) {
+        this.authoritiesProviders = authoritiesProviders;
+        this.setOauth2UserService(oauth2UserService);
     }
 
     @Override
     public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
         OidcUser user = super.loadUser(userRequest);
-        return UserUtil.decorateUser(user, userRequest, groupClaim);
+        return UserUtil.decorateUser(user, userRequest, authoritiesProviders);
     }
 }
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOAuth2AutoConfig.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOAuth2AutoConfig.java
@@ -26,6 +26,7 @@
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
@@ -34,25 +35,28 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import reactor.core.publisher.Flux;
 
+import java.util.Collection;
+
 @Configuration
 @AutoConfigureAfter(ReactiveSecurityAutoConfiguration.class)
 @EnableConfigurationProperties(OktaOAuth2Properties.class)
 @ConditionalOnOktaClientProperties
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.REACTIVE)
 @ConditionalOnClass({ Flux.class, EnableWebFluxSecurity.class, ClientRegistration.class })
 @ConditionalOnBean(ReactiveSecurityAutoConfiguration.class)
+@Import(AuthorityProvidersConfig.class)
 class ReactiveOktaOAuth2AutoConfig {
 
     @Bean
     @ConditionalOnMissingBean
-    ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService(OktaOAuth2Properties oktaOAuth2Properties) {
-        return new ReactiveOktaOAuth2UserService(oktaOAuth2Properties.getGroupsClaim());
+    ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService(Collection<AuthoritiesProvider> authoritiesProviders) {
+        return new ReactiveOktaOAuth2UserService(authoritiesProviders);
     }
 
     @Bean
     @ConditionalOnMissingBean
-    OidcReactiveOAuth2UserService oidcUserService(OktaOAuth2Properties oktaOAuth2Properties,
+    OidcReactiveOAuth2UserService oidcUserService(Collection<AuthoritiesProvider> authoritiesProviders,
                                                   @Qualifier("oauth2UserService") ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oAuth2UserService) {
-        return new ReactiveOktaOidcUserService(oktaOAuth2Properties.getGroupsClaim(), oAuth2UserService);
+        return new ReactiveOktaOidcUserService(authoritiesProviders, oAuth2UserService);
     }
 }
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOAuth2UserService.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOAuth2UserService.java
@@ -20,17 +20,19 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import reactor.core.publisher.Mono;
 
+import java.util.Collection;
+
 final class ReactiveOktaOAuth2UserService extends DefaultReactiveOAuth2UserService {
 
-    private final String groupClaim;
+    private final Collection<AuthoritiesProvider> authoritiesProviders;
 
-    ReactiveOktaOAuth2UserService(String groupClaim) {
-        this.groupClaim = groupClaim;
+    ReactiveOktaOAuth2UserService(Collection<AuthoritiesProvider> authoritiesProviders) {
+        this.authoritiesProviders = authoritiesProviders;
         setWebClient(WebClientUtil.createWebClient());
     }
 
     @Override
     public Mono<OAuth2User> loadUser(OAuth2UserRequest userRequest) {
-        return super.loadUser(userRequest).map(user -> UserUtil.decorateUser(user, userRequest, groupClaim));
+        return super.loadUser(userRequest).map(user -> UserUtil.decorateUser(user, userRequest, authoritiesProviders));
     }
 }
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOidcUserService.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOidcUserService.java
@@ -23,21 +23,23 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import reactor.core.publisher.Mono;
 
+import java.util.Collection;
+
 final class ReactiveOktaOidcUserService extends OidcReactiveOAuth2UserService {
 
-    private final String groupClaim;
+    private final Collection<AuthoritiesProvider> authoritiesProviders;
 
-    ReactiveOktaOidcUserService(String groupClaim) {
-        this(groupClaim, new ReactiveOktaOAuth2UserService(groupClaim));
+    ReactiveOktaOidcUserService(Collection<AuthoritiesProvider> authoritiesProviders) {
+        this(authoritiesProviders, new ReactiveOktaOAuth2UserService(authoritiesProviders));
     }
 
-    ReactiveOktaOidcUserService(String groupClaim, ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService) {
-        this.groupClaim = groupClaim;
+    ReactiveOktaOidcUserService(Collection<AuthoritiesProvider> authoritiesProviders, ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> oauth2UserService) {
+        this.authoritiesProviders = authoritiesProviders;
         setOauth2UserService(oauth2UserService);
     }
 
     @Override
     public Mono<OidcUser> loadUser(OidcUserRequest userRequest) {
-        return super.loadUser(userRequest).map(user -> UserUtil.decorateUser(user, userRequest,  groupClaim));
+        return super.loadUser(userRequest).map(user -> UserUtil.decorateUser(user, userRequest,  authoritiesProviders));
     }
 }
diff --git a/oauth2/src/main/java/com/okta/spring/boot/oauth/UserUtil.java b/oauth2/src/main/java/com/okta/spring/boot/oauth/UserUtil.java
@@ -24,14 +24,16 @@
 import org.springframework.security.oauth2.core.user.OAuth2User;
 import org.springframework.util.StringUtils;
 
+import java.util.Collection;
 import java.util.HashSet;
+import java.util.Objects;
 import java.util.Set;
 
 final class UserUtil {
 
     private UserUtil() {}
 
-    static OAuth2User decorateUser(OAuth2User user, OAuth2UserRequest userRequest, String groupClaim) {
+    static OAuth2User decorateUser(OAuth2User user, OAuth2UserRequest userRequest, Collection<AuthoritiesProvider> authoritiesProviders) {
 
         // Only post process requests from the "Okta" reg
         if (!"okta".equalsIgnoreCase(userRequest.getClientRegistration().getRegistrationId())) {
@@ -40,18 +42,19 @@ static OAuth2User decorateUser(OAuth2User user, OAuth2UserRequest userRequest, S
 
         // start with authorities from super
         Set<GrantedAuthority> authorities = new HashSet<>(user.getAuthorities());
-        // add 'SCOPE_' authorities
-        authorities.addAll(TokenUtil.tokenScopesToAuthorities(userRequest.getAccessToken()));
-        // add any authorities extracted from the 'group' claim
-        authorities.addAll(TokenUtil.tokenClaimsToAuthorities(user.getAttributes(), groupClaim));
+        // add each set of authorities from providers
+        authoritiesProviders.stream()
+            .map(authoritiesProvider -> authoritiesProvider.getAuthorities(user, userRequest))
+            .filter(Objects::nonNull)
+            .forEach(authorities::addAll);
 
         String userNameAttributeName = userRequest.getClientRegistration().getProviderDetails()
                 .getUserInfoEndpoint().getUserNameAttributeName();
 
         return new DefaultOAuth2User(authorities, user.getAttributes(), userNameAttributeName);
     }
 
-    static OidcUser decorateUser(OidcUser user, OidcUserRequest userRequest, String groupClaim) {
+    static OidcUser decorateUser(OidcUser user, OidcUserRequest userRequest, Collection<AuthoritiesProvider> authoritiesProviders) {
 
         // Only post process requests from the "Okta" reg
         if (!"okta".equals(userRequest.getClientRegistration().getRegistrationId())) {
@@ -60,10 +63,11 @@ static OidcUser decorateUser(OidcUser user, OidcUserRequest userRequest, String
 
         // start with authorities from super
         Set<GrantedAuthority> authorities = new HashSet<>(user.getAuthorities());
-        // add 'SCOPE_' authorities
-        authorities.addAll(TokenUtil.tokenScopesToAuthorities(userRequest.getAccessToken()));
-        // add any authorities extracted from the 'group' claim
-        authorities.addAll(TokenUtil.tokenClaimsToAuthorities(user.getAttributes(), groupClaim));
+        // add each set of authorities from providers
+        authoritiesProviders.stream()
+            .map(authoritiesProvider -> authoritiesProvider.getAuthorities(user, userRequest))
+            .filter(Objects::nonNull)
+            .forEach(authorities::addAll);
 
         String userNameAttributeName = userRequest.getClientRegistration()
             .getProviderDetails().getUserInfoEndpoint().getUserNameAttributeName();