Summary

Today, in order to extract Spring Security roles from custom role representations in the OIDC user flow, code needs to fall back to implementing an OAuth2UserService that wraps the default one:

import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

public class MyRoleExtractingOidcUserService implements OAuth2UserService<OidcUserRequest, OidcUser> {
    // the stock service that performs the UserInfo request and builds the default OidcUser
    private final OidcUserService delegate;

    // ...

    @Override
    public OidcUser loadUser(OidcUserRequest request) throws OAuth2AuthenticationException {
        OidcUser user = delegate.loadUser(request);

        // extract authorities using request and user objects
        Collection<? extends GrantedAuthority> authorities = ...;

        // rebuild the principal with the mapped authorities
        return new DefaultOidcUser(authorities, ...);
    }
}

This follows from the reference documentation [1].

It would be nice to have a dedicated authorities extractor:

interface OAuth2UserAuthoritiesExtractor<R extends OAuth2UserRequest, U extends OAuth2User> {
    Collection<? extends GrantedAuthority> extractAuthorities(R request, U user);
}
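As an added illustration (not code from the issue or from Spring Security), the following shows how the proposed extractor would be used today: a delegating OidcUserService hands the request and the user loaded by the stock OidcUserService to an extractor, which reads roles from a custom claim and maps them to GrantedAuthority values. The interface name OAuth2UserAuthoritiesExtractor is the one proposed above; the claim name "roles", the ROLE_ prefix and the class names ClaimRolesAuthoritiesExtractor and ExtractingOidcUserService are assumptions for this example. The claim has to be present in the ID token or the UserInfo response, since that is all OidcUserService exposes on the OidcUser; role claims carried only in the access token are not visible here.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2User;

/** The extractor contract proposed in this issue (hypothetical; not part of Spring Security). */
interface OAuth2UserAuthoritiesExtractor<R extends OAuth2UserRequest, U extends OAuth2User> {
    Collection<? extends GrantedAuthority> extractAuthorities(R request, U user);
}

/**
 * Example extractor (assumed): maps each String entry of a "roles" claim to ROLE_<NAME>
 * and keeps the OIDC_USER authority the delegate already granted, so existing
 * hasAuthority("OIDC_USER") rules keep working. Entries that are not plain
 * role names are ignored rather than turned into authorities.
 */
class ClaimRolesAuthoritiesExtractor implements OAuth2UserAuthoritiesExtractor<OidcUserRequest, OidcUser> {
    private static final Pattern ROLE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    private final String rolesClaim;

    ClaimRolesAuthoritiesExtractor(String rolesClaim) {
        this.rolesClaim = rolesClaim;
    }

    @Override
    public Collection<? extends GrantedAuthority> extractAuthorities(OidcUserRequest request, OidcUser user) {
        Set<GrantedAuthority> authorities = new LinkedHashSet<>();
        authorities.add(new OidcUserAuthority(user.getIdToken(), user.getUserInfo()));
        // getClaims() on the default OidcUser merges ID token and UserInfo claims
        Object raw = user.getClaims().get(rolesClaim);
        if (raw instanceof Collection) {
            for (Object entry : (Collection<?>) raw) {
                if (entry instanceof String && ROLE_NAME.matcher((String) entry).matches()) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_" + ((String) entry).toUpperCase(Locale.ROOT)));
                }
            }
        }
        return authorities;
    }
}

/** Delegating service that applies the extractor; this is the workaround the issue describes. */
public class ExtractingOidcUserService implements OAuth2UserService<OidcUserRequest, OidcUser> {
    private final OAuth2UserService<OidcUserRequest, OidcUser> delegate;
    private final OAuth2UserAuthoritiesExtractor<OidcUserRequest, OidcUser> extractor;

    public ExtractingOidcUserService(OAuth2UserAuthoritiesExtractor<OidcUserRequest, OidcUser> extractor) {
        this(new OidcUserService(), extractor);
    }

    ExtractingOidcUserService(OAuth2UserService<OidcUserRequest, OidcUser> delegate,
                              OAuth2UserAuthoritiesExtractor<OidcUserRequest, OidcUser> extractor) {
        this.delegate = delegate;
        this.extractor = extractor;
    }

    @Override
    public OidcUser loadUser(OidcUserRequest request) throws OAuth2AuthenticationException {
        OidcUser user = delegate.loadUser(request);
        Collection<? extends GrantedAuthority> authorities = extractor.extractAuthorities(request, user);
        // Preserve the configured user-name attribute, otherwise getName() would fall back to "sub".
        String nameAttribute = request.getClientRegistration().getProviderDetails()
                .getUserInfoEndpoint().getUserNameAttributeName();
        if (nameAttribute == null || nameAttribute.isEmpty()) {
            return new DefaultOidcUser(authorities, user.getIdToken(), user.getUserInfo());
        }
        return new DefaultOidcUser(authorities, user.getIdToken(), user.getUserInfo(), nameAttribute);
    }
}
```

The service is wired in with oauth2Login().userInfoEndpoint().oidcUserService(new ExtractingOidcUserService(new ClaimRolesAuthoritiesExtractor("roles"))). Keeping the OidcUserAuthority and the name attribute is the part that is easy to get wrong when rebuilding the principal by hand, and it is exactly the duplication a first-class extractor hook would remove.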

[1] - https://docs.spring.io/spring-security/site/docs/5.0.5.RELEASE/reference/htmlsingle/#oauth2login-advanced-map-authorities-oauth2userservice

Additional Info

This is born out of some observations from @thomasdarimont in an OAuth GitHub sample.

Comment From: husam-e

Any updates on this? Noticed the okta lib does the same currently: https://github.com/okta/okta-spring-boot/blob/master/oauth2/src/main/java/com/okta/spring/boot/oauth/ReactiveOktaOidcUserService.java

where User objects are decorated by logic in their UserUtil through a list of AuthoritiesProviders, similar to the description above.

I'm currently working on integrating a different IdP and after days of investigation/debugging landed on this and came to the same conclusion as @jzheaux, would be great to have this :).

If it already exists, can someone share details on it? #7339 doesn't seem to address this in particular.

Comment From: filiphr

I created issue #11780, because we also need a similar functionality. In there I've outlined what is happening now and the classes where this would need changing:

  • OAuth2LoginAuthenticationProvider
  • OAuth2LoginReactiveAuthenticationManager
  • OidcAuthorizationCodeAuthenticationProvider
  • OidcAuthorizationCodeReactiveAuthenticationManager

I did a small prototype (https://github.com/filiphr/spring-security/commit/7d4b3bf9f7a3ce084071da8fc904a21cae79ef58) which is slightly different than the one proposed in this issue. It would be good if the Spring Security team has a look at my proposal and lets me know whether you think that it would be an acceptable solution for this issue. If yes, I can go ahead and work on a proper PR with all the bells and whistles for a review.