Spring Security: extract oidc role claims to spring authorities

Question

I am trying to get role claims from an OAuth2AuthenticationToken to be detected as Spring Security authorities. There is a custom role defined on OIDC provider side (Azure AD in my case) that is nested inside the DefaultOidcUser, but not added automatically to the authorities:

I tried to extract them from the Jwt Token like this

However, when I do that, neither of the following methods is called (neither during login, nor later, even in the default configuration):

• JwtGrantedAuthoritiesConverter.convert(Jwt)
• JwtAuthenticationConverter.convert(Jwt)
• JwtAuthenticationConverter.extractAuthorities(Jwt)

My current configuration is:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
@Import(SecurityProblemSupport.class)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .csrf()
            <some more config that has nothing to do with oauth/oidc>
            .and()
            .oauth2Login()
            .and()
            .oauth2ResourceServer()
            .jwt()
            .jwtAuthenticationConverter(jwtAuthenticationConverter())
            .and()
            .and()
            .oauth2Client()
        ;
    }

    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        // create a custom JWT converter to map the roles from the token as granted authorities
        JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
        jwtGrantedAuthoritiesConverter.setAuthoritiesClaimName("roles");     
        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
        return jwtAuthenticationConverter;
    }
}

I also tried with a

CustomJwtAuthConverter implements Converter<Jwt, AbstractAuthenticationToken>

but to no avail.

Any help would be appreciated.

Answer 1

Managed to achieve it using an authorities mapper that also extracts claims from the oidcToken:

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    
    [...]
   
    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();

            authorities.forEach(
                authority -> {
                    // Check for OidcUserAuthority because Spring Security 5.2 returns
                    // each scope as a GrantedAuthority, which we don't care about.
                    if (authority instanceof OidcUserAuthority) {
                        OidcUserAuthority oidcUserAuthority = (OidcUserAuthority) authority;
                        mappedAuthorities.addAll(SecurityUtils.extractAuthorityFromClaims(oidcUserAuthority.getUserInfo().getClaims()));
                        mappedAuthorities.addAll(SecurityUtils.extractAuthorityFromClaims(oidcUserAuthority.getIdToken().getClaims()));
                    }
                }
            );
            return mappedAuthorities;
        };
    }

}

and inside SecurityUtils:

public static List<GrantedAuthority> extractAuthorityFromClaims(Map<String, Object> claims) {
        return mapRolesToGrantedAuthorities(getRolesFromClaims(claims));
    }
private static List<GrantedAuthority> mapRolesToGrantedAuthorities(Collection<String> roles) {
        return roles.stream().filter(role -> role.startsWith("ROLE_")).map(SimpleGrantedAuthority::new).collect(Collectors.toList());
    }

Afterwards the custom role should be present in mappedAuthorities and with it in the authorities of the token. Thus making the annotations "hasRole" and "hasAuthority" possible to use.

Answer 2

This is the solution I found when using keycloak.

@EnableGlobalMethodSecurity(securedEnabled = true)
@EnableWebSecurity(debug = true)
public class SecurityConfiguration {

    private static final String REALM = "realm_access";

    private static final String ROLES = "roles";

    /**
     * Configuration For oauth
     */
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authorize) -> authorize
                        .anyRequest().authenticated()
                )
                .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(source -> new CustomJwtConfigure().convert(source));
        return http.build();
    }

    public static class CustomJwtConfigure implements Converter<Jwt, JwtAuthenticationToken> {

        @Override
        public JwtAuthenticationToken convert(Jwt jwt) {
            var tokenAttributes = jwt.getClaims();
            var jsonObject = (JSONObject) tokenAttributes.get(REALM);
            var roles = (JSONArray) jsonObject.get(ROLES);
            List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
            roles.forEach(role -> grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_" + role)));
            return new JwtAuthenticationToken(jwt, grantedAuthorities);
        }
    }
}

Link to example https://github.com/kesaven8/resourceServer-spring-boot

Answer 3

2022 update

I maintain a set of tutorials and samples to configure resource-servers security for:

• both servlet and reactive applications
• decoding JWTs and introspecting access-tokens
• default or custom Authentication implementations
• any OIDC authorization-server(s), including Keycloak of course (most samples support multiple realms / identity-providers)

The repo also contains a set of libs published on maven-central to:

• mock OAuth2 identities during unit and integration tests (with authorities and any OpenID claim, including private ones)
• configure resource-servers from properties file (including source claims for roles, roles prefix and case processing, CORS configuration, session-management, public routes and more)

Sample for a servlet with JWT decoder

@EnableMethodSecurity(prePostEnabled = true)
@Configuration
public class SecurityConfig {}

com.c4-soft.springaddons.security.issuers[0].location=https://localhost:8443/realms/master
com.c4-soft.springaddons.security.issuers[0].authorities.claims=realm_access.roles,resource_access.spring-addons-public.roles,resource_access.spring-addons-confidential.roles
com.c4-soft.springaddons.security.cors[0].path=/sample/**

<dependency>
    <groupId>com.c4-soft.springaddons</groupId>
    <artifactId>spring-addons-webmvc-jwt-resource-server</artifactId>
    <version>6.0.3</version>
</dependency>

No, nothing more requried.

Unit-tests with mocked authentication

Secured @Component without http request (@Service, @Repository, etc.)

@Import({ SecurityConfig.class, SecretRepo.class })
@AutoConfigureAddonsSecurity
class SecretRepoTest {

    // auto-wire tested component
    @Autowired
    SecretRepo secretRepo;

    @Test
    void whenNotAuthenticatedThenThrows() {
        // call tested components methods directly (do not use MockMvc nor WebTestClient)
        assertThrows(Exception.class, () -> secretRepo.findSecretByUsername("ch4mpy"));
    }

    @Test
    @WithMockJwtAuth(claims = @OpenIdClaims(preferredUsername = "Tonton Pirate"))
    void whenAuthenticatedAsSomeoneElseThenThrows() {
        assertThrows(Exception.class, () -> secretRepo.findSecretByUsername("ch4mpy"));
    }

    @Test
    @WithMockJwtAuth(claims = @OpenIdClaims(preferredUsername = "ch4mpy"))
    void whenAuthenticatedWithSameUsernameThenReturns() {
        assertEquals("Don't ever tell it", secretRepo.findSecretByUsername("ch4mpy"));
    }

}

Secured @Controller (sample for @WebMvcTest but works for @WebfluxTest too)

@WebMvcTest(GreetingController.class) // Use WebFluxTest or WebMvcTest
@AutoConfigureAddonsWebSecurity // If your web-security depends on it, setup spring-addons security
@Import({ SecurityConfig.class }) // Import your web-security configuration
class GreetingControllerAnnotatedTest {

    // Mock controller injected dependencies
    @MockBean
    private MessageService messageService;

    @Autowired
    MockMvcSupport api;

    @BeforeEach
    public void setUp() {
        when(messageService.greet(any())).thenAnswer(invocation -> {
            final JwtAuthenticationToken auth = invocation.getArgument(0, JwtAuthenticationToken.class);
            return String.format("Hello %s! You are granted with %s.", auth.getName(), auth.getAuthorities());
        });
        when(messageService.getSecret()).thenReturn("Secret message");
    }

    @Test
    void greetWitoutAuthentication() throws Exception {
        api.get("/greet").andExpect(status().isUnauthorized());
    }

    @Test
    @WithMockAuthentication(authType = JwtAuthenticationToken.class, principalType = Jwt.class, authorities = "ROLE_AUTHORIZED_PERSONNEL")
    void greetWithDefaultMockAuthentication() throws Exception {
        api.get("/greet").andExpect(content().string("Hello user! You are granted with [ROLE_AUTHORIZED_PERSONNEL]."));
    }
}

Advanced use-cases

The most advanced tutorial demoes how to define a custom Authentication implementation to parse (and expose to java code) any private claim into things that are security related but not roles (in the sample it's grant delegation between users).

It also shows how to extend spring-security SpEL to build a DSL like:

@GetMapping("greet/on-behalf-of/{username}")
@PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')")
public String getGreetingFor(@PathVariable("username") String username) {
    return ...;
}