Sometimes an identity provider, e.g. Keycloak, has additional authorities. These can be roles in the Keycloak token stored in realm_access.roles, which should be converted to authorities with the prefix ROLE_.

Customizing this behaviour is problematic now.

jwtCustomizer should allow adding a custom JwtGrantedAuthoritiesConverter, or additional logic to obtain extra authorities.

Comment From: sjohnr

@lowcasz thanks for reaching out!

Customizing this behaviour is problematic now.

jwtCustomizer should allow adding a custom JwtGrantedAuthoritiesConverter, or additional logic to obtain extra authorities.

The docs already cover configuring JwtGrantedAuthoritiesConverter in a resource server. Perhaps I'm misunderstanding you?

I'm not sure what you're referring to by "jwtCustomizer". Can you please provide more information about what you're trying to do and why it is not possible today? Or can you provide a minimal, reproducible sample that will help illustrate better?

Comment From: lowcasz

I can't configure it easily from the configurer level in this place:

    @Bean
    public SecurityFilterChain security(HttpSecurity http) throws Exception {
        return http
            .cors(withDefaults())
            .authorizeHttpRequests(config -> {
                    config
                        .requestMatchers("/v3/api-docs/**", "/swagger-ui/**").permitAll()
                        .anyRequest().authenticated();
                }
            )
            .oauth2ResourceServer(configurer -> configurer.jwt(withDefaults())) //add authorities converter here
            .build();
    }

Using JwtAuthenticationConverter as a bean is a lot easier than creating other beans too.

The most important thing, and what would make life easier, is that I would use the default converter logic but add additional authorities using custom logic, e.g.

    .oauth2ResourceServer(configurer -> configurer
        .jwt(withDefaults())
        .authenticationConverterExtend(jwt -> (Collection) jwt.getClaimAsMap("realm_access").get("roles"))
    )

Comment From: sjohnr

@lowcasz thanks for your reply.

The most important thing, and what would make life easier, is that I would use the default converter logic but add additional authorities using custom logic.

It sounds like what you're asking for is a way to replace the jwtGrantedAuthoritiesConverter on an existing JwtAuthenticationConverter without needing to instantiate the parent converter.

As you know, you can already replace the entire converter and the configuration (as demonstrated in the docs) is quite minimal, especially when providing a bean. I understand that you would like to write less code and more convenience would be, well, convenient! However, adding the proposed convenience method is very specific to one case of customization and I don't believe it is necessary or would provide significant value.

For that reason, I'm going to close this issue. Thank you for your feedback, and do let me know if you feel I've misunderstood you in any way.
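As an added example (not code from the issue or from Spring Security itself), this is how the "keep the default converter, add Keycloak realm roles" case can be done today with the existing API: a Converter<Jwt, Collection<GrantedAuthority>> that delegates to JwtGrantedAuthoritiesConverter for the SCOPE_ authorities and appends ROLE_-prefixed entries from realm_access.roles, then gets set on a JwtAuthenticationConverter. The class name KeycloakRealmRoleConverter is an assumption; the claim shape (realm_access.roles as a list of strings) is the one described in the issue.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

// Hypothetical class name; combines Spring's default authorities with Keycloak realm roles.
public class KeycloakRealmRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {

    // Default converter: still maps the "scope"/"scp" claim to SCOPE_ authorities.
    private final JwtGrantedAuthoritiesConverter defaults = new JwtGrantedAuthoritiesConverter();

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        // The JwtDecoder has already verified the signature and validity window before
        // this converter runs, so the claims can be trusted as issued by the provider.
        Collection<GrantedAuthority> authorities = new ArrayList<>(defaults.convert(jwt));

        // Not every token carries realm_access (e.g. client-credentials tokens), so null-check it.
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        if (realmAccess == null) {
            return authorities;
        }
        Object roles = realmAccess.get("roles");
        if (roles instanceof Collection<?> roleList) {
            for (Object role : roleList) {
                // Only accept non-blank strings; anything else in the claim is ignored.
                if (role instanceof String name && !name.isBlank()) {
                    authorities.add(new SimpleGrantedAuthority("ROLE_" + name));
                }
            }
        }
        return authorities;
    }

    // Wire it in with:
    // .oauth2ResourceServer(o -> o.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())))
    public static JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new KeycloakRealmRoleConverter());
        return converter;
    }
}
```

Exposing the JwtAuthenticationConverter as a @Bean instead of passing it to the DSL also works, since the resource server configurer picks up such a bean automatically.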