AuthorizationManager makes the following possible in the DSL:
http
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().access(hasRole("USER"))
)
It would be nice to be able to do the same with scopes, like so:
http
.authorizeHttpRequests((authorize) -> authorize
.anyRequest().access(hasScope("resource:read"))
)
This could be done in a static factory class like OAuth2AuthorizationManagers in oauth2-core. It could have hasScope and hasAnyScope. They might be implemented by delegating to AuthorityAuthorizationManager like this:
public static <T> AuthorityAuthorizationManager<T> hasScope(String scope) {
return AuthorityAuthorizationManager.hasAuthority("SCOPE_" + scope);
}
Comment From: petrovskimario
Hello @jzheaux I would like to contribute for this one. Is this open ?
Question regarding the implementation Should we just create a class like OAuth2AuthorizationManagers with hasScope and hasAnyScope and just that ?
Comment From: petrovskimario
Hey @jzheaux
I know this wasn't assigned to me yet, but i have already created the PR. Can you please review if this is what we want ? https://github.com/spring-projects/spring-security/pull/13769 Thanks