Adds support for auto-configuring JwtAuthenticationConverter (and ReactiveJwtAuthenticationConverter) with the following properties:

- spring.security.oauth2.resourceserver.jwt.authority-prefix
- spring.security.oauth2.resourceserver.jwt.authorities-claim-delimiter
- spring.security.oauth2.resourceserver.jwt.authorities-claim-name
- spring.security.oauth2.resourceserver.jwt.principal-claim-name

Closes gh-33689

Comment From: mhalbritter

When merging, we should let the bean back off if no properties are set. Right now, it always supplies the JWT converter.

Comment From: mhalbritter

I got some amended changes here: https://github.com/mhalbritter/spring-boot/tree/pr/38105

Comment From: mhalbritter

Thanks a lot!

Comment From: Jojoooo1

Are you planning to add a nested authorities-claim-name? For example, Keycloak nests the roles in realm_access.roles.

Comment From: wilkinsona

@Jojoooo1 I don't think so, but I'm not sure that I understand what you're asking for. Please open a new issue describing how to configure a JwtGrantedAuthoritiesConverter that meets your needs. We can then consider how we could support such configuration using application properties.

Comment From: Jojoooo1

Sorry, I was not very clear. I was wondering if in the future you are planning to allow a nested claim name with the property spring.security.oauth2.resourceserver.jwt.authorities-claim-name. My use case was regarding Keycloak, where for example the JWT structure is as follows:

```json
{
  "realm_access": {
    "roles": [
      "default-roles-api",
      "offline_access",
      "uma_authorization",
      "management_user"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  }
}
```

Comment From: wilkinsona

spring.security.oauth2.resourceserver.jwt.authorities-claim-name maps onto org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter.setAuthoritiesClaimName(String). If you want that to support more than it currently does today, I believe a change to JwtGrantedAuthoritiesConverter, which is part of Spring Security, would be required. If this is something that you would like to see, please open an issue over there.
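The thread leaves the nested-claim case (Keycloak's realm_access.roles) to a user-defined converter. Below is an added example of such a converter, written for this page; it is not part of the PR, of Spring Boot, or of Spring Security. It assumes Spring Security 6.x on Java 17+, and the claim path "realm_access.roles", the prefix "ROLE_" and the principal claim "preferred_username" are illustrative Keycloak values chosen here, not anything the properties above define. The helper generalizes the flat authorities-claim-name lookup to an arbitrary dotted path and returns no authorities, rather than failing, when a token lacks the claim or carries it with an unexpected type.

```java
// Added example (not Spring Boot's or Spring Security's code): a JwtAuthenticationConverter
// bean whose granted-authorities converter reads roles from a nested claim path.
// Assumptions: Spring Security 6.x, Java 17+; claim path, prefix and principal claim
// below are illustrative Keycloak values, not values the auto-configuration defines.
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
public class NestedClaimJwtConverterConfig {

    /**
     * Resolves a dotted claim path (e.g. "realm_access.roles") against the JWT's claim map.
     * Any missing segment or unexpected type yields an empty list, so a token without the
     * claim authenticates with no authorities instead of throwing inside the filter chain.
     */
    static List<String> nestedStringList(Jwt jwt, String dottedPath) {
        Object current = jwt.getClaims();
        for (String segment : dottedPath.split("\\.")) {
            if (!(current instanceof Map<?, ?> map)) {
                return Collections.emptyList();
            }
            current = map.get(segment);
        }
        if (!(current instanceof Collection<?> values)) {
            return Collections.emptyList();
        }
        List<String> roles = new ArrayList<>();
        for (Object value : values) {
            // Only non-blank strings become authorities; nested objects or numbers are ignored.
            if (value instanceof String role && !role.isBlank()) {
                roles.add(role);
            }
        }
        return roles;
    }

    /**
     * Builds the Converter<Jwt, Collection<GrantedAuthority>> that JwtAuthenticationConverter
     * accepts. The prefix plays the role of authority-prefix for the flat, property-driven case.
     */
    static Converter<Jwt, Collection<GrantedAuthority>> nestedAuthorities(String dottedPath, String prefix) {
        return jwt -> {
            List<GrantedAuthority> authorities = new ArrayList<>();
            for (String role : nestedStringList(jwt, dottedPath)) {
                authorities.add(new SimpleGrantedAuthority(prefix + role));
            }
            return authorities;
        };
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        // "realm_access.roles" is the Keycloak realm-role claim from the thread; "ROLE_" is
        // the conventional Spring Security prefix so hasRole("management_user") matches.
        converter.setJwtGrantedAuthoritiesConverter(nestedAuthorities("realm_access.roles", "ROLE_"));
        // Assumption: Keycloak exposes the username as "preferred_username".
        converter.setPrincipalClaimName("preferred_username");
        return converter;
    }
}
```

Defining this bean replaces the property-driven converter: once an application supplies its own JwtAuthenticationConverter, the auto-configured one is expected to back off, so the spring.security.oauth2.resourceserver.jwt.authorities-claim-name and related properties no longer apply and the nested path, prefix and principal claim are governed solely by the code above. For the resource_access.<client>.roles structure in the same thread, the same helper can be called with a second path and the two lists concatenated.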