Spring Security Allow the ability to configure AuthoritiesMapper in Reactive OAuth2Login

Summary

I'd like the ability to modify Reactive OAuth2Login's authoritiesMapper.

Actual Behavior

Can't find a suitable API to configure this. There's an equivalent for the Servlet HttpSecurity but not for Reactive equivalent.

Digging into the source code further seem to suggest that OAuth2LoginAuthenticationProvider (Servlet) have setAuthoritiesMapper, and OidcAuthorizationCodeReactiveAuthenticationManager (Reactive) does not have setAuthoritiesMapper

Expected Behavior

I expect I can do something similar for Reactive OAuth2Login

Configuration

Servlet HttpSecurity

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
      .authorizeRequests(a -> a
                                .antMatchers("/", "/error", "/webjars/**").permitAll()
                                .anyRequest().authenticated()
      )
      .exceptionHandling(e -> e
                                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
      )
      .logout(l -> l
                     .logoutSuccessUrl("/").permitAll()
      )
      .oauth2Login().userInfoEndpoint().userAuthoritiesMapper(new GrantedAuthoritiesMapper() {
      @Override
      public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        return null;
      }
    });
    // @formatter:on
  }

Reactive

  @Bean
  protected SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
    return http
             .authorizeExchange(a -> a
                                       .pathMatchers("/static/**", "/", "/error", "/webjars/**", "/login/**").permitAll()
                                       .anyExchange().authenticated()
             )
             .exceptionHandling(e -> e
                                       .authenticationEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED))
             )
             .logout().logoutUrl("/")
             .and()
             .oauth2Login().userInfoEndpoint().userAuthoritiesMapper(new GrantedAuthoritiesMapper() {
      @Override
      public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        return null;
      }
    }) // DOES NOT COMPILE
             .and().build();
    // @formatter:on
  }

Version

5.2.1.RELEASE

Sample

Will provide soon if it gives further clarity

Comment From: jgrandja

@choweiyuan Indeed, OAuth2LoginReactiveAuthenticationManager and OidcAuthorizationCodeReactiveAuthenticationManager have not exposed a setAuthoritiesMapper(GrantedAuthoritiesMapper). We should allow for this configuration the same way the Servlet implementations do.

Would you be interested in submitting a PR for this?

Comment From: jgrandja

@choweiyuan You can also consider a Delegation-based strategy with OAuth2UserService. The provided link demonstrates a sample for Servlet but the same strategy can be applied on the Reactive side as well.

Comment From: antonin-arquey

I'm interested in submitting a PR for this if it is ok for you @jgrandja

Just one question, would the default ReactiveAuthenticationManager created by the OAuth2LoginSpec try to get a bean of type GrantedAuthoritiesMapper and use it ?

Or would the user have to manually configure the authentication manager if they want to provide a custom authority mapper ?

Comment From: jgrandja

Thanks for the offer @antonin-arquey! The issue is yours.

would the default ReactiveAuthenticationManager created by the OAuth2LoginSpec try to get a bean of type GrantedAuthoritiesMapper and use it ?

Yes, please go with this option.