This filter init and configure in OAuth2LoginConfigurer In both init and configure method, no set this property
How should i config this property?
Comment From: mengxzh
Spring-Security-Config Version: 6.3.1
Comment From: mengxzh
Which MeilStone could merge above merge reuqest?
Comment From: jzheaux
You can use an ObjectPostProcessor like so:
http
.oauth2Login((oauth2) -> oauth2
.addObjectPostProcessor(new ObjectPostProcessor<OAuth2LoginAuthenticationFilter>() {
@Override
public <O extends OAuth2LoginAuthenticationFilter> O postProcess(O object) {
object.setAuthenticationResultConverter(myAuthenticationResultConverter);
return object;
}
})
The DSL doesn't expose everything, just the most common configurations. addObjectPostProcessor is there to allow you to see the unexposed values.
I'm going to close this as answered, however please feel free to post more comments if it seems I'm misunderstood.
Comment From: dirkniblick
Thank you @jzheaux for posting your solution. I am using Spring Cloud Azure (i.e., Active Directory, Entra) to add single sign on (SSO) to my Spring Boot 3.4 web app. I searched high and low for a way to convert the DefaultOidcUser principal provided by AadOAuth2UserService to my own (and more useful) UserDetails and found nothing, until I found this page. I feel like this should be easier to do, but for anybody who wants to do this too, here's my solution:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig {
@Bean
public SecurityFilterChain securityFilterChainBean(HttpSecurity http) throws Exception {
http.with(AadWebApplicationHttpSecurityConfigurer.aadWebApplication(), o -> {})
.authorizeHttpRequests(requests -> requests
.requestMatchers(HttpMethod.OPTIONS).permitAll()
.requestMatchers(ENDPOINTS_PERMITTED_TO_ALL).permitAll()
// Requires all users to have this authority, otherwise do .anyRequest().authenticated()
.anyRequest().hasAuthority(MyAppAuthorities.ADMIN.getAuthority())
)
.oauth2Login(o -> o.addObjectPostProcessor(AadLoginAuthenticationTokenConverter.postProcessor()))
// Add more here if you want
;
return http.build();
}
// BONUS: Here's how to configure the Azure Active Directory programmatically,
// i.e., not within application.properties, a seemingly undocumented feature.
// Make sure you add the AadWebApplicationHttpSecurityConfigurer above!
@Bean
public AadAuthenticationProperties aadAuthenticationPropertiesBean() {
AadAuthenticationProperties properties = new AadAuthenticationProperties();
properties.getCredential().setClientId("BOGUS-CLIENT-ID");
properties.getCredential().setClientSecret("BOGUS-CLIENT-SECRET");
properties.getProfile().setTenantId("BOGUS-TENANT-Id");
properties.setPostLogoutRedirectUri("http://localhost:8080/");
return properties;
}
}
/**
* @see OAuth2LoginAuthenticationFilter
*/
public class AadLoginAuthenticationTokenConverter implements Converter<OAuth2LoginAuthenticationToken, OAuth2AuthenticationToken> {
@Override
public OAuth2AuthenticationToken convert(@NonNull OAuth2LoginAuthenticationToken authenticationResult) {
final Collection<GrantedAuthority> authorities = mapAuthorities(authenticationResult.getAuthorities());
final PayrollReportingUserDetails principal = createPrincipal(authenticationResult);
final String registrationId = authenticationResult.getClientRegistration().getRegistrationId();
return new OAuth2AuthenticationToken(principal, authorities, registrationId);
}
protected static @NonNull Collection<GrantedAuthority> mapAuthorities(@NonNull Collection<GrantedAuthority> authorities) {
// TODO
}
protected static @NonNull PayrollReportingUserDetails createPrincipal(@NonNull OAuth2LoginAuthenticationToken authenticationResult) {
// TODO
}
public static @NonNull ObjectPostProcessor<OAuth2LoginAuthenticationFilter> postProcessor() {
return new ObjectPostProcessor<>() {
@Override
public <O extends OAuth2LoginAuthenticationFilter> O postProcess(O object) {
object.setAuthenticationResultConverter(new AadLoginPostProcessor());
return object;
}
};
}
}