Expected Behavior
OAuth2MethodSecurityExpressionHandler should work with JwtAuthenticationToken
Current Behavior
Currently there is a check in OAuth2ExpressionUtils, if (authentication instanceof OAuth2Authentication), which prevents the #oauth2 expressions from working on JWT tokens.
@PreAuthorize("#oauth2.hasAnyScope('dealer:read', 'api:admin')") won't work, but this will: @PreAuthorize("hasAnyAuthority('SCOPE_dealer:read', 'SCOPE_api:admin')")
Comment From: jzheaux
Thanks for the suggestion, @JayChandler. However, OAuth2MethodSecurityExpressionHandler is from the deprecated Spring Security OAuth project, and there's no intention to port over this feature to Spring Security proper.
It's advised that you just use Spring Security from this point onward as well as the default expressions (hasAnyAuthority, etc.).
If you are migrating from Spring Security OAuth to Spring Security, then wiring your own expression handler may simplify the transition.
Or, you can achieve comparable behavior by publishing a bean and referencing it in your expressions:
@Bean
public MyOAuth2ExpressionsBean oauth2() {
    // ... build the bean that implements hasAnyScope(...) against the current Authentication
}
// ...
// the bean is referenced by its name ("oauth2"), not the old #oauth2 root object:
@PreAuthorize("@oauth2.hasAnyScope(...)")
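One way to fill in the bean sketched in the comment above, as an added example that is not part of jzheaux's reply or of Spring Security itself. It assumes the Spring Security 5 resource-server support (JwtAuthenticationToken, Jwt) is on the classpath, that the bean is named oauth2, and that MyOAuth2ExpressionsBean and OAuth2ExpressionsConfig are hypothetical names; it fails closed for any Authentication that is not a JWT, so the opaque-token path would need its own branch.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

// Stand-in for the deprecated #oauth2.hasAnyScope(...) root expression, published as bean "oauth2".
public class MyOAuth2ExpressionsBean {
    // True only if the caller is a JwtAuthenticationToken whose scope claim contains at least
    // one of the requested scopes; any other Authentication type is denied (fail closed).
    public boolean hasAnyScope(String... scopes) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof JwtAuthenticationToken)) return false;
        Set<String> granted = scopesOf(((JwtAuthenticationToken) authentication).getToken());
        return Arrays.stream(scopes).anyMatch(granted::contains);
    }

    // Reads the "scope" claim (falling back to "scp"), which providers issue either as a
    // space-delimited string ("dealer:read api:admin") or as a JSON array.
    static Set<String> scopesOf(Jwt jwt) {
        for (String claimName : Arrays.asList("scope", "scp")) {
            Object value = jwt.getClaim(claimName);
            if (value instanceof String) {
                return Arrays.stream(((String) value).split("\\s+"))
                        .filter(s -> !s.isEmpty()).collect(Collectors.toSet());
            }
            if (value instanceof Collection) {
                return ((Collection<?>) value).stream().map(Object::toString).collect(Collectors.toSet());
            }
        }
        return Collections.emptySet();
    }
}

@Configuration
class OAuth2ExpressionsConfig {
    @Bean // bean name defaults to the method name "oauth2", which the @oauth2 reference resolves
    public MyOAuth2ExpressionsBean oauth2() {
        return new MyOAuth2ExpressionsBean();
    }
}

// On the secured method: @PreAuthorize("@oauth2.hasAnyScope('dealer:read', 'api:admin')")
```

Unlike hasAnyAuthority('SCOPE_...'), this compares the raw scope claim, so it keeps working if the SCOPE_ authority prefix is later changed in the JwtGrantedAuthoritiesConverter.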