DMC/oauth2-authorization-server
0
0
Fork 0
Code Issues 6 Pull Requests Actions Packages Projects Releases Wiki Activity

Include entitlements in ID token and UserInfo response #8

Manually merged
ansv7779 merged 2 commits from entitlements-in-id-token into main 2025-05-12 15:11:34 +02:00
Conversation 0 Commits 2 Files Changed 6 +34 -8
2 changed files with 34 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit cee61c73ee - Show all commits

23
src/main/java/se/su/dsv/oauth2/shibboleth/ShibbolethTokenPopulator.java
View File

@@ -40,19 +40,15 @@ public final class ShibbolethTokenPopulator implements OAuth2TokenCustomizer<Jwt
@Override @Override
public void customize(final JwtEncodingContext context) { public void customize(final JwtEncodingContext context) {
if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) { if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
List<String> entitlements = context List<String> entitlements = getEntitlements(context);
.getPrincipal()
.getAuthorities()
.stream()
.filter(Entitlement.class::isInstance)
.map(Entitlement.class::cast)
.map(Entitlement::entitlement)
.toList();
context.getClaims().claim("entitlements", entitlements); context.getClaims().claim("entitlements", entitlements);
} }
if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) { if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
List<String> entitlements = getEntitlements(context);
context.getClaims().claim("entitlements", entitlements);
if (context.getPrincipal().getDetails() instanceof ShibbolethAuthenticationDetails details) { if (context.getPrincipal().getDetails() instanceof ShibbolethAuthenticationDetails details) {
OidcUserInfo oidcUserInfo = getOidcUserInfo(details); OidcUserInfo oidcUserInfo = getOidcUserInfo(details);
@@ -67,6 +63,17 @@ public final class ShibbolethTokenPopulator implements OAuth2TokenCustomizer<Jwt
} }
} }
private static List<String> getEntitlements(JwtEncodingContext context) {
return context
.getPrincipal()
.getAuthorities()
.stream()
.filter(Entitlement.class::isInstance)
.map(Entitlement.class::cast)
.map(Entitlement::entitlement)
.toList();
}
private Set<String> getAuthorizedClaims(final Set<String> scopes) { private Set<String> getAuthorizedClaims(final Set<String> scopes) {
Set<String> authorizedClaims = new HashSet<>(); Set<String> authorizedClaims = new HashSet<>();
if (scopes.contains(OidcScopes.PROFILE)) { if (scopes.contains(OidcScopes.PROFILE)) {

19
src/test/java/se/su/dsv/oauth2/IdTokenTest.java
View File

@@ -6,6 +6,8 @@ import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.StandardClaimNames; import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
import org.springframework.test.context.ActiveProfiles; import org.springframework.test.context.ActiveProfiles;
import java.util.List;
import static org.junit.jupiter.api.Assertions.*; import static org.junit.jupiter.api.Assertions.*;
import static se.su.dsv.oauth2.ShibbolethRequestProcessor.remoteUser; import static se.su.dsv.oauth2.ShibbolethRequestProcessor.remoteUser;
@@ -108,4 +110,21 @@ public class IdTokenTest extends AbstractMetadataCodeFlowTest {
assertNotNull(claimsSet.getClaim(StandardClaimNames.EMAIL_VERIFIED)); assertNotNull(claimsSet.getClaim(StandardClaimNames.EMAIL_VERIFIED));
} }
@Test
public void includes_entitlements_in_the_id_token() throws Exception {
TokenResponse tokenResponse = authorize(request -> request
.queryParam("scope", OidcScopes.OPENID)
.with(remoteUser("someone@university")
.entitlement("gdpr")
.entitlement("hr")));
String idToken = tokenResponse.idToken();
assertNotNull(idToken);
JWTClaimsSet claimsSet = verifyToken(idToken);
List<String> entitlements = claimsSet.getStringListClaim("entitlements");
assertTrue(entitlements.contains("gdpr"));
assertTrue(entitlements.contains("hr"));
}
} }