Allow R2dbcReactiveOAuth2AuthorizedClientService to save scope when JWT has custom attribute for scopes #13258
Labels
for: stackoverflow
A question that's better suited to stackoverflow.com
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
Expected Behavior
When an Authorization Server returns an access token with a custom attribute for scope, the value stored in the database column oauth2_authorized_client.access_token_scopes contains the scope(s) in the access token.
Current Behavior
When an Authorization Server returns an access token with a custom attribute for scope (e.g. "scp": "read_notifications.v1"), the value stored in the database column oauth2_authorized_client.access_token_scopes is null.
Context
The application I am developing has different scopes based on the features enabled. I need to be able to query oauth2_authorized_client on the access_token_scopes column to find a match so I use the proper access token. However, that column is empty because the 3rd party Authorization Server returns an access token with the attribute "scp": for scopes.
The Spring ResourceServer DSL has jwtAuthenticationConverter(). Something similar would be ideal as it happens upstream from all OAuth2AuthorizedClient behavior.
The only alternative I have thought of to date is to modify the schema for oauth2_authorized_client to include a generated primary key and then create a separate table with the scopes with a link to the generated primary key. I would have to figure out how to call the logic to populate this table.
I considered GrantedAuthoritiesMapper but I "think" it is too late in the flow, i.e. the row has already been written by the time it would be called.
A workaround might be to subclass R2dbcReactiveOAuth2AuthorizedClientService with a custom OAuth2AuthorizedClientParametersMapper.