1 package de.kaiserpfalzedv.commons.spring.security;
2
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.stereotype.Component;

import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
16
17
18
19
20
21
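/**
 * Maps the Keycloak role/group claim of an OIDC login to Spring Security authorities.
 *
 * <p>Only {@link OidcUserAuthority} entries of the incoming collection are inspected;
 * every other authority (plain OAuth2 or local logins) is discarded, so the returned
 * set contains exclusively the {@code ROLE_*} authorities derived from the configured
 * claim. The claim is read from the OIDC user-info response
 * ({@link OidcUserAuthority#getUserInfo()}); the ID token is not consulted.
 *
 * <p>Each non-blank claim value {@code r} becomes {@code "ROLE_" + r} upper-cased with
 * {@link Locale#ROOT}, so the produced authority names do not depend on the JVM's
 * default locale (a Turkish default locale would otherwise turn {@code admin} into
 * {@code ADMİN} and silently break role checks). Values are used verbatim, i.e. a
 * Keycloak group path such as {@code /admins} yields {@code ROLE_/ADMINS}.
 *
 * <p>A missing user-info response or a missing claim yields no authorities instead of
 * failing the login with a {@link NullPointerException}.
 */
@Component
@RequiredArgsConstructor
@Slf4j
public class KeycloakGroupAuthorityMapper implements GrantedAuthoritiesMapper {

    /** Prefix Spring Security's role-based access checks expect on role authorities. */
    private static final String ROLE_PREFIX = "ROLE_";

    /** Supplies the name of the claim carrying the Keycloak roles/groups. */
    private final KeycloakGroupMapperProperties properties;

    /**
     * Replaces the incoming authorities with the roles found in the OIDC role claim.
     *
     * @param authorities the authorities granted by the login; may be empty or {@code null}
     * @return the {@code ROLE_*} authorities derived from the claim; never {@code null},
     *         empty when no OIDC authority is present or the claim is absent
     */
    @Override
    public Collection<? extends GrantedAuthority> mapAuthorities(Collection<? extends GrantedAuthority> authorities) {
        Set<GrantedAuthority> result = new HashSet<>();

        if (authorities != null) {
            for (GrantedAuthority authority : authorities) {
                extractRolesFromAuthority(result, authority);
            }
        }

        log.debug("Roles mapped. roles={}", result);
        return result;
    }

    /**
     * Adds the roles carried by {@code authority} to {@code result} if it is an OIDC
     * authority; any other authority type contributes nothing.
     *
     * @param result    the set receiving the derived role authorities
     * @param authority the authority to inspect
     */
    private void extractRolesFromAuthority(Set<GrantedAuthority> result, GrantedAuthority authority) {
        if (!(authority instanceof OidcUserAuthority)) {
            return;
        }
        OidcUserAuthority oidc = (OidcUserAuthority) authority;

        Set<SimpleGrantedAuthority> roles = extractGroupRoleFromOidcAuthority(oidc);

        // Log the derived roles rather than the raw user-info claims; the claim name is
        // included so a misconfigured role attribute is visible in the trace output.
        log.trace("Reading roles. oidc={}, claim={}, roles={}", oidc, properties.getRoleAttribute(), roles);

        result.addAll(roles);
    }

    /**
     * Converts the configured role claim of the user-info response into role authorities.
     *
     * @param oidc the OIDC authority whose user info is inspected
     * @return one {@code ROLE_<NAME>} authority per non-blank claim entry; empty when the
     *         user-info response is absent (e.g. no userinfo endpoint configured) or the
     *         claim is missing
     */
    private Set<SimpleGrantedAuthority> extractGroupRoleFromOidcAuthority(OidcUserAuthority oidc) {
        // OidcUserAuthority may be built without a user-info response; treat that as "no roles".
        if (oidc.getUserInfo() == null) {
            log.debug("OIDC authority carries no user info; no roles mapped. authority={}", oidc);
            return new HashSet<>();
        }

        // getClaimAsStringList returns null when the claim is not present.
        List<String> claimed = oidc.getUserInfo().getClaimAsStringList(properties.getRoleAttribute());
        if (claimed == null) {
            log.debug("Role claim not present in user info. claim={}", properties.getRoleAttribute());
            return new HashSet<>();
        }

        return claimed.stream()
                .filter(Objects::nonNull)
                // A blank entry would otherwise produce the meaningless authority "ROLE_".
                .filter(r -> !r.trim().isEmpty())
                // Locale.ROOT keeps the mapping independent of the server's default locale.
                .map(r -> ROLE_PREFIX + r.toUpperCase(Locale.ROOT))
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toSet());
    }

}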