OidcUserAuthority should not automatically include ROLE_USER authority

[reda-alaoui]

Summary

I am building a Spring based application that delegates authentication to an OIDC provider like Keycloak. The OIDC could be under my control or not. e.g. Today we use Keycloak, tomorrow we may be using Linkedin.

The users must be granted access to the application by an admin. Since the OIDC may not be under my control, I don't want a random Linkedin user be able to authenticate AND start using the application.

To prevent that, all protected uris require ROLE_ACCESS in addition to a successful authentication. ROLE_ACCESS has to be provided manually by an application admin.

Actual Behavior

I noticed that, by default, the OIDC authentication has always the ROLE_USER assigned. I am lucky since it does not clash with my expected ROLE_ACCESS, but I find this very disturbing and I am afraid more default roles will be included in the future.

Expected Behavior

org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority should not include a default role, ever.

Version

5.2.1

Sample

public class OidcUserAuthority extends OAuth2UserAuthority {
	private final OidcIdToken idToken;
	private final OidcUserInfo userInfo;

	/**
	 * Constructs a {@code OidcUserAuthority} using the provided parameters.
	 *
	 * @param idToken the {@link OidcIdToken ID Token} containing claims about the user
	 */
	public OidcUserAuthority(OidcIdToken idToken) {
		this(idToken, null);
	}

	/**
	 * Constructs a {@code OidcUserAuthority} using the provided parameters
	 * and defaults {@link #getAuthority()} to {@code ROLE_USER}.
	 *
	 * @param idToken the {@link OidcIdToken ID Token} containing claims about the user
	 * @param userInfo the {@link OidcUserInfo UserInfo} containing claims about the user, may be {@code null}
	 */
	public OidcUserAuthority(OidcIdToken idToken, OidcUserInfo userInfo) {
		this("ROLE_USER", idToken, userInfo);
	}

[jgrandja]

@reda-alaoui ROLE_USER is a sensible default role for a "regular" authenticated user. I'd like to understand how this is an issue with your setup?

I am afraid more default roles will be included in the future

No, there won't be any further default roles assigned. User authority mapping is application specific and is typically configured by the application to assign custom roles that are understood by that application.

Refer to the reference:

• Using a GrantedAuthoritiesMapper
• Delegation-based strategy with OAuth2UserService

[reda-alaoui]

Hi @jgrandja,
Thanks for your answer.

There is no issue with my current setup. But there are many spring tutorials using ROLE_USER to protect urls. It felt wrong to see Spring injecting a role coming from nowhere.

Does ROLE_USER has a special meaning in Spring or in the field?

[jgrandja]

ROLE_USER typically represents a "Regular" user with minimum privileges. Unlike ROLE_ADMIN that would have much higher privileges and would never be randomly assigned by the framework. The ROLE_ADMIN authority could only be assigned by the application through customization.

there are many spring tutorials using ROLE_USER to protect urls. It felt wrong to see Spring injecting a role coming from nowhere

I guess I still don't understand why you think it's wrong? Maybe my previous comment cleared things up?

Given that the user has authenticated at the provider after completing the OIDC flow, the user is also OAuth2AuthenticationToken.isAuthenticated() == true with the client application. Hence, it's sensible to assigned the currently authenticated user ROLE_USER as a default authority. Does this make sense?

[reda-alaoui]

In my context (described in my first message), if I had been using ROLE_USER instead of ROLE_ACCESS, I could have ended with a major security breach.

Given that the user has authenticated at the provider after completing the OIDC flow, the user is also OAuth2AuthenticationToken.isAuthenticated() == true with the client application.

When a JWT is verified by Spring OAuth2, I find it normal to have authenticated=true. Because the authentication is sucessful indeed.
On the other hand, in my mind at least, everything pertaining to ROLE_ is part of authorization not authentication. I feel like both are mixed here. Does this ROLE_USER is required by something in the framework? The decision to pass it by default seems very opinionated to me.

I have been using Spring Security for many years (without OAuth2), this is the first time I see a role injected by default. Also, I didn't find a single line about "what is ROLE_USER?" in Spring Security documentation. There are 59 occurrences of ROLE_USER. Each time, it is quoted as a meaningless example.