Closed
Description
When logging a user in with OpenID Connect 1.0, there are cases where authority information is included in the access token returned by the IdP. Currently, the only way to map authorities to the user based on the access token is to use delegation with OidcUserService (docs) or OidcReactiveOAuth2UserService (docs). As mentioned in the docs, this is a more advanced option.

It would be nice to be able to directly customize the mapping of the OidcUser, with the added benefit of being able to map the authorities based on the access token without the need for delegation. For example:
```java
import java.util.HashSet;
import java.util.function.BiFunction;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

@Configuration
public class SecurityConfiguration {

    // ...

    @Bean
    public OidcUserService oidcUserService() {
        var userService = new OidcUserService();
        // Proposed setter: customize how the OidcUser (and its authorities) is built
        userService.setOidcUserMapper(oidcUserMapper());
        return userService;
    }

    private static BiFunction<OidcUserRequest, OidcUserInfo, OidcUser> oidcUserMapper() {
        return (userRequest, userInfo) -> {
            var accessToken = userRequest.getAccessToken();
            var grantedAuthorities = new HashSet<GrantedAuthority>();
            // TODO: Map authorities from the access token
            var userNameAttributeName = "preferred_username";
            return new DefaultOidcUser(
                    grantedAuthorities,
                    userRequest.getIdToken(),
                    userInfo,
                    userNameAttributeName
            );
        };
    }

}
```
Related gh-12275