Expected Behavior
Extract granted authorities from a given OAuth2User.
Current Behavior
Currently the OAuth2 support uses a GrantedAuthoritiesMapper which allows for expanding the granted authorities for OAuth2. This is done in:
OAuth2LoginAuthenticationProvider, OAuth2LoginReactiveAuthenticationManager, OidcAuthorizationCodeAuthenticationProvider, OidcAuthorizationCodeReactiveAuthenticationManager
Currently only the current granted authorities of the OAuth2User can be accessed. There is a way to access OAuth2UserAuthority, but that does not give information such as the name of the principal.
Context
We need this because we are providing some functionality that allows extracting various attributes from the OAuth context and remapping them to some specific granted authorities known to us. Recently we've had a request for integrating all of this with a specific identity provider. This means that Google is used as an OAuth provider, but the information that is available in the token is not enough and we need to fetch things such as group access from a different identity provider. In order to do that fetch we need the ID of the user.
I did a small prototype (https://github.com/filiphr/spring-security/commit/7d4b3bf9f7a3ce084071da8fc904a21cae79ef58) with the OAuth2LoginAuthenticationProvider by adding a new interface OAuth2GrantedAuthoritiesProvider that can be used to pass the OAuth2User to the provider. The naming and package location is TBD, we can make OAuth2GrantedAuthoritiesProvider be a generic with <T extends OAuth2User>, etc.
I would like to hear more whether a solution like this would be something that the team would be willing to look into if I provide a Pull Request.
Comment From: filiphr
I realize now that this is a bit similar to #5349, minus the use of the request.
Comment From: sjohnr
Thanks @filiphr. I think we can close this as a duplicate of gh-5349. I'll do that for now, let me know if you disagree.
Comment From: filiphr
Yes indeed @sjohnr. Thanks for checking it. In any case I would like to ask you to let me know what you think about my proposed solution? If that solution is acceptable I can go ahead and implement it in a proper Pull Request with tests and everything.
Comment From: sjohnr
@filiphr, your solution looks slightly different than what was proposed in gh-5349. Having said that, I don't have complete context so it might be best to discuss on that issue prior to submitting a PR.
Comment From: sjohnr
Note: The scope of 5.8 and 6.0 is fairly dialed in at this point, so keep in mind that there could be some delay in considering the feature at the moment.