| 1 | +[[how-to-custom-claims-authorities]] |
| 2 | += How-to: Add authorities as custom claims in JWT-based access tokens |
| 3 | +:index-link: ../how-to.html |
| 4 | +:docs-dir: .. |
| 5 | + |
| 6 | +This guide demonstrates how to add resource owner authorities to a JWT access token. |
| 7 | +The term "authorities" may represent varying forms such as roles, permissions, or groups of the resource owner. |
| 8 | + |
| 9 | +To make resource owners' authorities available to the resource server, we add custom claims to an access token issued by Spring Authorization Server. |
| 10 | +The client using the issued token to access protected resources will then have information about the resource owner’s level of access, among other potential uses and benefits. |
| 11 | + |
| 12 | +* xref:guides/how-to-custom-claims-authorities.adoc#custom-claims[Add custom claims to JWT access tokens] |
| 13 | +* xref:guides/how-to-custom-claims-authorities.adoc#custom-claims-authorities[Add authorities as custom claims to JWT access tokens] |
| 14 | + |
| 15 | +[[custom-claims]] |
| 16 | +== Add custom claims to JWT access tokens |
| 17 | + |
| 18 | +You may add your own custom claims to an access token using `OAuth2TokenCustomizer<JWTEncodingContext>` bean. |
| 19 | +Please note that this bean may only be defined once, and so care must be taken care of to ensure that you are customizing the appropriate token type — an access token in this case. |
| 20 | +If you are interested in customizing the identity token, see xref:guides/how-to-userinfo.adoc#customize-user-info-mapper[the UserInfo mapper guide for more information]. |
| 21 | + |
| 22 | +The following is an example of adding custom claims to an access token — in other words, every access token that is issued by the authorization server will have the custom claims populated. |
| 23 | + |
| 24 | +[[sample.customClaims]] |
| 25 | +[source,java] |
| 26 | +---- |
| 27 | +include::{examples-dir}/main/java/sample/customClaims/CustomClaimsConfiguration.java[] |
| 28 | +---- |
| 29 | + |
| 30 | +[[custom-claims-authorities]] |
| 31 | +== Add authorities as custom claims to JWT access tokens |
| 32 | + |
| 33 | +To add authorities of the resource owner to a JWT-based access token, we can refer to the custom claim mapping method above |
| 34 | +and populate custom claims with the authorities of the `Principal`. |
| 35 | + |
| 36 | +We define a sample user with a mix of authorities for demonstration purposes, and populate custom claims in an access token |
| 37 | +with those authorities. |
| 38 | + |
| 39 | +[[sample.customClaims.authorities]] |
| 40 | +[source,java] |
| 41 | +---- |
| 42 | +include::{examples-dir}/main/java/sample/customClaims/authorities/CustomClaimsWithAuthoritiesConfiguration.java[] |
| 43 | +---- |
| 44 | + |
| 45 | +<1> Define a sample user `user1` with an in-memory user details service. |
| 46 | +<2> Define a few roles for `user1`. |
| 47 | +<3> Define `OAuth2TokenCustomizer<JwtEncodingContext>` `@Bean` that allows for customizing JWT token claims. |
| 48 | +<4> Check whether the JWT token is an access token. |
| 49 | +<5> From the encoding context, modify the claims of the access token. |
| 50 | +<6> Extract user roles from the `Principal` object. The role information for internal users is stored as a string prefixed with `ROLE_`, so we strip the prefix here. |
| 51 | +<7> Set custom claim `roles` to the set of roles collected from the previous step. |
| 52 | + |
| 53 | +As a result of this customization, authorities information about the user will be included as a custom claim within the |
| 54 | +access token. |
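Review bot: the generic type on line 18, `OAuth2TokenCustomizer<JWTEncodingContext>`, is misspelled; it should be `OAuth2TokenCustomizer<JwtEncodingContext>` to match the class name used in callout <3> on line 47, otherwise a reader copying the bean declaration gets a compile error. The same sentence is also missing an article, and line 19 has a garbled phrase ("care must be taken care of to ensure"). Suggested replacement for lines 18-19: "You may add your own custom claims to an access token using an `OAuth2TokenCustomizer<JwtEncodingContext>` bean. Please note that this bean may only be defined once, so care must be taken to ensure that you are customizing the appropriate token type, an access token in this case." On the callout list, callout <4> ("Check whether the JWT token is an access token") would be clearer if it said why the check matters: because a single customizer bean runs for every JWT the server encodes (as line 19 notes), this check is what keeps the `roles` claim out of the ID token, so it should not be dropped when the sample is adapted. Minor: "JWT token" in callouts <3>, <4> and line 47 is redundant; "JWT" or "access token" reads better.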