Related to https://github.com/spring-projects/spring-security/issues/6865 and https://github.com/spring-projects/spring-security/issues/7834
It's quite common for authorization servers to use the sub claim to refer to an internal user id. An example of this is Amazon Cognito. As such, it can be useful to introduce a custom claim to refer to a user id that resource servers will understand.
Configuring Resource Server to use a custom principal claim name currently looks like:
```java
import java.util.Collection;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@EnableWebSecurity
public class CustomPrincipalClaimName extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    .jwtAuthenticationConverter(jwtAuthenticationConverter())
                )
            );
    }

    // Keeps the default authority mapping and only replaces the principal name,
    // reading it from the "user_id" claim instead of the standard "sub" claim.
    Converter<Jwt, JwtAuthenticationToken> jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authoritiesConverter =
                new JwtGrantedAuthoritiesConverter();
        return jwt -> {
            Collection<GrantedAuthority> authorities = authoritiesConverter.convert(jwt);
            String name = jwt.getClaim("user_id");
            return new JwtAuthenticationToken(jwt, authorities, name);
        };
    }
}
```
By introducing something like setPrincipalClaimName, it could become:
```java
// .. configure method as before

JwtAuthenticationConverter jwtAuthenticationConverter() {
    JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
    // proposed setter: name the principal from this claim instead of "sub"
    converter.setPrincipalClaimName("user_id");
    return converter;
}
```
Comment From: evgeniycheban
Can I work on this issue?
Comment From: jzheaux
It's yours, @evgeniycheban! Feel free to ask any questions here on the ticket.