JHipster - OAuth2/OIDC 需要从访问令牌中读取组

Question

The JHipster OAuth2/OIDC default configuration expects the "groups' to be found in the idToken. Can anyone explain how to read the "groups" from the access token instead?

Answer 1

Here are the changes made to retrieve the user's groups / granted authorities from the access token.

Note that for my case the Access Token (JSON) that the auth code is exchanged for contains an "access_token" field as a peer to the idToken. The "access_token" field is an ID or reference to the actual access token with the user's groups. An extra http request is needed to retrieve that "actual" access token.

For Okta the access token is a JWT similar to the idToken so if for some reason you need to configure Okta to add the groups to the access token instead of the idToken you will find them there.

Solution was based in this Spring doc:

Delegation-based strategy with OAuth2UserService

In your WebSecurityConfigurerAdapter class edit your oauth2Login config:

.oauth2Login().userInfoEndpoint().oidcUserService(this.oidcUserService());

Then create the custom oidcUserService():

private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
    final OidcUserService delegate = new OidcUserService();
    return (userRequest) -> {
        // Delegate to the default implementation for loading a user
        OidcUser oidcUser = delegate.loadUser(userRequest);

        // The access token will be a reference to the actual token
        // ( for Okta this would be the actual JWT access token )
        String accessTokenRef = userRequest.getAccessToken().getTokenValue();

        // Call the end point to get the actual access_token
        // ( httpClient is just a RestTemplate impl w/the required configs )
        String[] groups = httpClient.fetchGroups(accessTokenRef);

        // Create the GrantedAuthority objs & add to mappedAuthorities set
        Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
        for (String group: groups) {
            mappedAuthorities.add(new SimpleGrantedAuthority(group));
        }

        // Create a copy of oidcUser but use the mappedAuthorities instead
        oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
        return oidcUser;
    };
}

If you are using JHipster there will be a GrantedAuthoritiesMapper that will need to be updated to map the authorities passed in directly to your application roles rather than reading them from the idToken. Something like:

@Bean
public GrantedAuthoritiesMapper userAuthoritiesMapper() {
    return (authorities) -> {
        Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
        Collection<String> roles = new HashSet();
        authorities.forEach(authority -> {
            roles.add(authority.getAuthority());
        });
        List<GrantedAuthority> list = SecurityUtils.mapRolesToGrantedAuthorities(roles);
        mappedAuthorities = new HashSet<GrantedAuthority>(list);
        return mappedAuthorities;
    };
}

There are likely some other ways to do this and I would be happy to hear any advice.
Thanks to the commenters for their help.