claims, String path) {
+ try {
+ final var res = JsonPath.read(claims, path);
+ if (res instanceof String r) {
+ return Stream.of(r);
+ }
+ if (res instanceof List l) {
+ if (l.size() == 0) {
+ return Stream.empty();
+ }
+ if (l.get(0) instanceof String) {
+ return l.stream();
+ }
+ if (l.get(0) instanceof List) {
+ return l.stream().flatMap(o -> ((List) o).stream());
+ }
+ }
+ return Stream.empty();
+ } catch (PathNotFoundException e) {
+ return Stream.empty();
+ }
+ }
}
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/OpenidProviderPropertiesResolver.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/OpenidProviderPropertiesResolver.java
index b52db57c0..f2c14b8d0 100644
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/OpenidProviderPropertiesResolver.java
+++ b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/OpenidProviderPropertiesResolver.java
@@ -3,7 +3,7 @@
import java.util.Map;
import java.util.Optional;
-import com.c4_soft.springaddons.security.oidc.starter.properties.OpenidProviderProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties;
/**
* Resolves OpenID Provider configuration properties from OAuth2 / OpenID claims (decoded from a JWT, introspected from an opaque token or
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/OpenidProviderProperties.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/OpenidProviderProperties.java
deleted file mode 100644
index 8bf2972aa..000000000
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/OpenidProviderProperties.java
+++ /dev/null
@@ -1,48 +0,0 @@
-package com.c4_soft.springaddons.security.oidc.starter.properties;
-
-import java.net.URI;
-import java.util.List;
-
-import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
-
-import lombok.Data;
-
-/**
- * OpenID Providers configuration. A minimum of one issuer is required. Properties defined here are a replacement for
- * spring.security.oauth2.resourceserver.jwt.* (which will be ignored). Authorities mapping defined here is used by both client and resource server
- * filter-chains.
- *
- * @author Jerome Wacongne ch4mp@c4-soft.com
- */
-@Data
-@ConfigurationProperties
-public class OpenidProviderProperties {
- /**
- *
- * Must be exactly the same as in access tokens (even trailing slash, if any, is important). In case of doubt, open one of your access tokens with a tool
- * like https://jwt.io.
- *
- */
- private URI iss;
-
- /**
- * Can be omitted if OpenID configuration can be retrieved from ${iss}/.well-known/openid-configuration
- */
- private URI jwkSetUri;
-
- /**
- * Can be omitted. Will insert an audience validator if not null or empty
- */
- private String aud;
-
- /**
- * Authorities mapping configuration, per claim
- */
- private List authorities = List.of();
-
- /**
- * JSON path for the claim to use as "name" source
- */
- private String usernameClaim = StandardClaimNames.SUB;
-}
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SimpleAuthoritiesMappingProperties.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SimpleAuthoritiesMappingProperties.java
deleted file mode 100644
index 2c4399594..000000000
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SimpleAuthoritiesMappingProperties.java
+++ /dev/null
@@ -1,38 +0,0 @@
-package com.c4_soft.springaddons.security.oidc.starter.properties;
-
-import org.springframework.boot.context.properties.ConfigurationProperties;
-
-import com.c4_soft.springaddons.security.oidc.starter.ConfigurableClaimSetAuthoritiesConverter;
-
-import lombok.Data;
-
-/**
- * Configuration for {@link ConfigurableClaimSetAuthoritiesConverter}
- *
- * @author ch4mp
- */
-@Data
-@ConfigurationProperties
-public class SimpleAuthoritiesMappingProperties {
- /**
- * JSON path of the claim(s) to map with this properties
- */
- private String path = "$.realm_access.roles";
-
- /**
- * What to prefix authorities with (for instance "ROLE_" or "SCOPE_")
- */
- private String prefix = "";
-
- /**
- * Whether to transform authorities to uppercase, lowercase, or to leave it unchanged
- */
- private Case caze = Case.UNCHANGED;
-
- public static enum Case {
- UNCHANGED,
- UPPER,
- LOWER
- }
-
-}
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SpringAddonsOidcProperties.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SpringAddonsOidcProperties.java
index 5469585be..67834049d 100644
--- a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SpringAddonsOidcProperties.java
+++ b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/properties/SpringAddonsOidcProperties.java
@@ -1,15 +1,19 @@
package com.c4_soft.springaddons.security.oidc.starter.properties;
+import java.net.URI;
import java.util.List;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.NestedConfigurationProperty;
+import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
import lombok.Data;
/**
*
- * Configuration properties for OAuth2 auto-configuration extensions to spring-boot-starter-oauth2-client and spring-boot-starter-oauth2-resource-server.
+ * Configuration properties for OAuth2 auto-configuration extensions to spring-boot-starter-oauth2-client and
+ * spring-boot-starter-oauth2-resource-server.
*
* The following spring-boot standard properties are used:
*
@@ -17,8 +21,8 @@
* - spring.security.oauth2.client.registration.*
* - spring.security.oauth2.resourceserver.opaquetoken.*
*
- * spring.security.oauth2.resourceserver.jwt.* properties are ignored. The reason for that is it is applicable only to single tenant scenarios. Use
- * properties
+ * spring.security.oauth2.resourceserver.jwt.* properties are ignored. The reason for that is it is applicable only to single tenant
+ * scenarios. Use properties
*
* @author Jerome Wacongne ch4mp@c4-soft.com
*/
@@ -27,27 +31,91 @@
@ConfigurationProperties(prefix = "com.c4-soft.springaddons.oidc")
public class SpringAddonsOidcProperties {
- /**
- * OpenID Providers configuration: JWK set URI, issuer URI, audience, and authorities mapping configuration for each issuer. A minimum of one issuer is
- * required. Properties defined here are a replacement for spring.security.oauth2.resourceserver.jwt.* (which will be ignored). Authorities mapping
- * defined there is used by both client and resource server filter-chains.
- */
- private List ops = List.of();
-
- /**
- * Auto-configuration for an OAuth2 client (secured with session, not access token) Security(Web)FilterChain with @Order(Ordered.LOWEST_PRECEDENCE - 1).
- * Typical use-cases are spring-cloud-gateway used as BFF and applications with Thymeleaf or another server-side rendering framework. Default configuration
- * includes: enabled sessions, CSRF protection, "oauth2Login", "logout". securityMatchers must be set for this filter-chain @Bean and its dependencies
- * to be defined. Properties defined here are a complement for spring.security.oauth2.client.* (which are required when enabling spring-addons client
- * filter-chain).
- */
- private SpringAddonsOidcClientProperties client = new SpringAddonsOidcClientProperties();
-
- /**
- * Auto-configuration for an OAuth2 resource server Security(Web)FilterChain with @Order(LOWEST_PRECEDENCE). Typical use case is a REST API secured with
- * access tokens. Default configuration is as follow: no securityMatcher to process all the requests that were not intercepted by higher @Order
- * Security(Web)FilterChains, no session, disabled CSRF protection, and 401 to unauthorized requests.
- */
- private SpringAddonsOidcResourceServerProperties resourceserver = new SpringAddonsOidcResourceServerProperties();
+ /**
+ * OpenID Providers configuration: JWK set URI, issuer URI, audience, and authorities mapping configuration for each issuer. A minimum of
+ * one issuer is required. Properties defined here are a replacement for spring.security.oauth2.resourceserver.jwt.* (which will be
+ * ignored). Authorities mapping defined there is used by both client and resource server filter-chains.
+ */
+ private List ops = List.of();
+ /**
+ * Auto-configuration for an OAuth2 client (secured with session, not access token) Security(Web)FilterChain with
+ * @Order(Ordered.LOWEST_PRECEDENCE - 1). Typical use-cases are spring-cloud-gateway used as BFF and applications with Thymeleaf or
+ * another server-side rendering framework. Default configuration includes: enabled sessions, CSRF protection, "oauth2Login", "logout".
+ * securityMatchers must be set for this filter-chain @Bean and its dependencies to be defined. Properties defined here are a
+ * complement for spring.security.oauth2.client.* (which are required when enabling spring-addons client filter-chain).
+ */
+ @NestedConfigurationProperty
+ private SpringAddonsOidcClientProperties client = new SpringAddonsOidcClientProperties();
+
+ /**
+ * Auto-configuration for an OAuth2 resource server Security(Web)FilterChain with @Order(LOWEST_PRECEDENCE). Typical use case is a REST
+ * API secured with access tokens. Default configuration is as follow: no securityMatcher to process all the requests that were not
+ * intercepted by higher @Order Security(Web)FilterChains, no session, disabled CSRF protection, and 401 to unauthorized requests.
+ */
+ @NestedConfigurationProperty
+ private SpringAddonsOidcResourceServerProperties resourceserver = new SpringAddonsOidcResourceServerProperties();
+
+ /**
+ * OpenID Providers configuration. A minimum of one issuer is required. Properties defined here are a replacement for
+ * spring.security.oauth2.resourceserver.jwt.* (which will be ignored). Authorities mapping defined here is used by both client and
+ * resource server filter-chains.
+ *
+ * @author Jerome Wacongne ch4mp@c4-soft.com
+ */
+ @Data
+ @ConfigurationProperties
+ static public class OpenidProviderProperties {
+ /**
+ *
+ * Must be exactly the same as in access tokens (even trailing slash, if any, is important). In case of doubt, open one of your access
+ * tokens with a tool like https://jwt.io.
+ *
+ */
+ private URI iss;
+
+ /**
+ * Can be omitted if OpenID configuration can be retrieved from ${iss}/.well-known/openid-configuration
+ */
+ private URI jwkSetUri;
+
+ /**
+ * Can be omitted. Will insert an audience validator if not null or empty
+ */
+ private String aud;
+
+ /**
+ * Authorities mapping configuration, per claim
+ */
+ private List authorities = List.of();
+
+ /**
+ * JSON path for the claim to use as "name" source
+ */
+ private String usernameClaim = StandardClaimNames.SUB;
+
+ @Data
+ @ConfigurationProperties
+ public static class SimpleAuthoritiesMappingProperties {
+ /**
+ * JSON path of the claim(s) to map with this properties
+ */
+ private String path = "$.realm_access.roles";
+
+ /**
+ * What to prefix authorities with (for instance "ROLE_" or "SCOPE_")
+ */
+ private String prefix = "";
+
+ /**
+ * Whether to transform authorities to uppercase, lowercase, or to leave it unchanged
+ */
+ private Case caze = Case.UNCHANGED;
+
+ public static enum Case {
+ UNCHANGED, UPPER, LOWER
+ }
+
+ }
+ }
}
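Review bot: The modifier order on the new nested class header `static public class OpenidProviderProperties {` is inconsistent with `public static class SimpleAuthoritiesMappingProperties {` a few lines below in the same hunk; the conventional order is `public static class OpenidProviderProperties {`. The `@ConfigurationProperties` annotations carried over onto both nested classes have no prefix and look redundant now that they are bound through the parent `SpringAddonsOidcProperties` (via the `ops` and `authorities` lists); if anything registers them directly, e.g. `@ConfigurationPropertiesScan`, they would bind at the root namespace, so consider dropping the annotation or adding a comment saying why it stays. `private List ops = List.of();` and `private List authorities = List.of();` read as raw types here — if the type arguments were really dropped rather than lost in rendering, the binder has no element type to instantiate, so it is worth confirming `List<OpenidProviderProperties>` and `List<SimpleAuthoritiesMappingProperties>` survived.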
diff --git a/spring-addons-starter-oidc/src/test/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableJwtGrantedAuthoritiesConverterTest.java b/spring-addons-starter-oidc/src/test/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableJwtGrantedAuthoritiesConverterTest.java
index 68323edd6..89d746ea1 100644
--- a/spring-addons-starter-oidc/src/test/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableJwtGrantedAuthoritiesConverterTest.java
+++ b/spring-addons-starter-oidc/src/test/java/com/c4_soft/springaddons/security/oidc/starter/ConfigurableJwtGrantedAuthoritiesConverterTest.java
@@ -15,10 +15,10 @@
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import com.c4_soft.springaddons.security.oidc.OpenidClaimSet;
-import com.c4_soft.springaddons.security.oidc.starter.properties.OpenidProviderProperties;
-import com.c4_soft.springaddons.security.oidc.starter.properties.SimpleAuthoritiesMappingProperties;
-import com.c4_soft.springaddons.security.oidc.starter.properties.SimpleAuthoritiesMappingProperties.Case;
import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties.SimpleAuthoritiesMappingProperties;
+import com.c4_soft.springaddons.security.oidc.starter.properties.SpringAddonsOidcProperties.OpenidProviderProperties.SimpleAuthoritiesMappingProperties.Case;
public class ConfigurableJwtGrantedAuthoritiesConverterTest {