I used SSO based on Google and WebFlux and I don't know how to add my own role in authentication. Now I have only ROLE_USER, which was provided by Google. Can you give me any advice?
Comment From: jgrandja
@ayudovin You can use the same strategy as detailed in Delegation-based strategy with OAuth2UserService.
Although the code in the reference is based on Servlet, the same strategy applies.
Take a look at the following code:
ServerHttpSecurity.OAuth2LoginSpec.getOidcUserService() - this method checks for a registered @Bean of type ReactiveOAuth2UserService<OidcUserRequest, OidcUser>. If it's registered then it's used, otherwise it defaults to OidcReactiveOAuth2UserService.
NOTE: ReactiveOAuth2UserService<OidcUserRequest, OidcUser> is used for OpenID Connect authentication.
and...
ServerHttpSecurity.OAuth2LoginSpec.getOauth2UserService() - this method checks for a registered @Bean of type ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User>. If it's registered then it's used, otherwise it defaults to DefaultReactiveOAuth2UserService.
NOTE: ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User> is used for providers that do not implement OpenID Connect - so standard OAuth 2.0 Authorization Code flow.
So if you're looking to add one or more roles/authorities to the OidcUser for an OpenID Connect authentication, then you can register a custom @Bean of type ReactiveOAuth2UserService<OidcUserRequest, OidcUser> that simply delegates to OidcReactiveOAuth2UserService and then enhances the returned OidcUser by adding more authorities and returning the new enhanced version of OidcUser. Basically, follow the implementation pattern in the reference.
Does this make sense?
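The delegation pattern described in the comment above, written out as an added example (this is not code from the original thread or from the Spring Security project itself). It registers a `ReactiveOAuth2UserService<OidcUserRequest, OidcUser>` bean that delegates to `OidcReactiveOAuth2UserService`, keeps the authorities the delegate produced (ROLE_USER etc.), and adds application-defined roles looked up by the user's email. The `lookupApplicationRoles` helper and its in-memory role table are hypothetical stand-ins for whatever store the application keeps its roles in; class and method names are assumptions as well.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcReactiveOAuth2UserService;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.ReactiveOAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

import reactor.core.publisher.Mono;

@Configuration
public class CustomOidcUserServiceConfig {

    // Hypothetical application-side role table keyed by verified email (constructed sample data).
    // In a real application this would come from your own user/role store, not from the IdP.
    private static final Map<String, Set<String>> APP_ROLES = Map.of(
            "alice@example.com", Set.of("ROLE_ADMIN", "ROLE_AUDITOR"),
            "bob@example.com", Set.of("ROLE_EDITOR"));

    @Bean
    public ReactiveOAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
        // The default OIDC user service does the real work: it validates the ID Token result,
        // optionally calls the UserInfo endpoint and builds the OidcUser with ROLE_USER.
        final OidcReactiveOAuth2UserService delegate = new OidcReactiveOAuth2UserService();

        return userRequest -> delegate.loadUser(userRequest)
                .map(oidcUser -> {
                    // Start from the authorities the delegate assigned so nothing is lost.
                    Set<GrantedAuthority> mappedAuthorities = new HashSet<>(oidcUser.getAuthorities());

                    // Only trust the email for role mapping when the provider asserts it is verified.
                    // Google populates email_verified; an unverified email must not grant extra roles.
                    if (Boolean.TRUE.equals(oidcUser.getEmailVerified())) {
                        mappedAuthorities.addAll(lookupApplicationRoles(oidcUser.getEmail()));
                    }

                    // Return a new OidcUser carrying the enhanced authority set. The ID Token and
                    // UserInfo are reused unchanged, so getName() still resolves to the "sub" claim.
                    return new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
                });
    }

    // Hypothetical lookup: maps an email to the application's own roles, empty set if unknown.
    static Set<GrantedAuthority> lookupApplicationRoles(String email) {
        if (email == null) {
            return Collections.emptySet();
        }
        Set<GrantedAuthority> result = new HashSet<>();
        for (String role : APP_ROLES.getOrDefault(email.toLowerCase(), Collections.emptySet())) {
            result.add(new SimpleGrantedAuthority(role));
        }
        return result;
    }
}
```

Because the bean type is exactly `ReactiveOAuth2UserService<OidcUserRequest, OidcUser>`, `ServerHttpSecurity.OAuth2LoginSpec.getOidcUserService()` picks it up without any further configuration. For a provider that is plain OAuth 2.0 rather than OpenID Connect, the same shape applies with `ReactiveOAuth2UserService<OAuth2UserRequest, OAuth2User>` as the bean type, `DefaultReactiveOAuth2UserService` as the delegate, and `DefaultOAuth2User(authorities, attributes, nameAttributeKey)` as the enhanced return value. Keying roles on a claim the provider vouches for (here `email` together with `email_verified`) rather than on a free-form attribute is what keeps an attacker with a differently registered account from inheriting someone else's roles.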
Comment From: ayudovin
@jgrandja, thank you for your help. It works!!!
Comment From: rwinch
Thanks for the feedback @ayudovin! I'm closing this since you got it working.
Comment From: suchorski
What if the roles change while a user is logged in, e.g. if I remove a role from another user? How do I force a refresh of this user, since he lost a role and doesn't have access to some resources anymore?