Add extra scopes and audience to token

MarcialRosales · MarcialRosales · commit 846e91f80f32 · 2025-06-13T08:54:17.000+02:00
diff --git a/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/AudienceAuthority.java b/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/AudienceAuthority.java
@@ -1,5 +1,8 @@
 package com.rabbitmq.authorization_server;
 
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import java.util.List;
+
 import org.springframework.security.core.GrantedAuthority;
 
 public class AudienceAuthority implements GrantedAuthority {
@@ -20,4 +23,10 @@ public String getAuthority() {
         return authority;
     }
     
+    public static List<String> getAll(AbstractAuthenticationToken principal) {
+        return principal.getAuthorities()
+					.stream().filter(a -> a instanceof AudienceAuthority)
+					.map(a -> a.getAuthority()).toList();
+    }
+				
 }
diff --git a/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/AuthorizationServerUserDetailsService.java b/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/AuthorizationServerUserDetailsService.java
diff --git a/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/ScopeAuthority.java b/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/ScopeAuthority.java
@@ -1,5 +1,9 @@
 package com.rabbitmq.authorization_server;
 
+import java.util.List;
+import java.util.Set;
+
+import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 
 public class ScopeAuthority implements GrantedAuthority {
@@ -18,5 +22,14 @@ public static ScopeAuthority scope(String value) {
     public String getAuthority() {
         return authority;
     }
+
+    public static List<String> getAllUnauthorized(AbstractAuthenticationToken principal,
+            Set<String> authorized) {
+        return principal.getAuthorities()
+					.stream()
+					.filter(a -> a instanceof ScopeAuthority)
+					.filter(a -> !authorized.contains(a.getAuthority()))
+					.map(a -> a.getAuthority()).toList();
+    }
     
 }
diff --git a/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/SecurityConfig.java b/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/SecurityConfig.java
@@ -11,24 +11,18 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.MediaType;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.oauth2.core.AuthorizationGrantType;
-import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
-import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
-import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
-import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
-import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
-import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -156,11 +150,11 @@ private static KeyPair generateRsaKey() {
 	public OAuth2TokenCustomizer<JwtEncodingContext> jwtTokenCustomizer() {
 		return (context) -> {
 			if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
-				System.out.println("Principal: " + context.getPrincipal());
-				System.out.println("Authorized scopes: " + context.getAuthorizedScopes());
-				context.getClaims().claims((claims) -> {
-					claims.put("aud", "rabbitmq");					
-				});
+				AbstractAuthenticationToken principal = context.getPrincipal();
+				context.getClaims()
+					.audience(AudienceAuthority.getAll(principal))
+					.claim("extra_scope", ScopeAuthority.getAllUnauthorized(principal, 
+						context.getAuthorizedScopes()));				
 			}
 		};
 	}
diff --git a/selenium/test/oauth/rabbitmq.spring-oauth-provider.conf b/selenium/test/oauth/rabbitmq.spring-oauth-provider.conf
@@ -1,2 +1,3 @@
 auth_oauth2.issuer = ${SPRING_URL}
 auth_oauth2.https.cacertfile = ${SPRING_CA_CERT}
+auth_oauth2.additional_scopes_key = extra_scope

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	`auth_oauth2.issuer = ${SPRING_URL}`
`2`	`2`	`auth_oauth2.https.cacertfile = ${SPRING_CA_CERT}`
	`3`	`+auth_oauth2.additional_scopes_key = extra_scope`