|
| 1 | +[[how-to-extension-grant-type]] |
| 2 | += How-to: Add authorities to custom claims in JWT-based access tokens |
| 3 | +:index-link: ../how-to.html |
| 4 | +:docs-dir: .. |
| 5 | +:examples-dir: {docs-dir}/examples |
| 6 | + |
| 7 | +This guide demonstrates how to append resource owner authorities to a JSON Web Token (JWT)-based access token. |
| 8 | +The term 'authorities' may be described in varying forms such as roles, permissions, or groups of the resource owner. |
| 9 | + |
| 10 | +To make resource owners' authorities available to the resource server, we add custom claims to an access token issued by Spring Authorization Server. |
| 11 | +The client using the issued token to access protected resources will then have information about the resource owner’s level of access, among other potential uses and benefits. |
| 12 | + |
| 13 | +* <<custom-claims>> |
| 14 | +* <<custom-claims-authorities>> |
| 15 | + |
| 16 | +[[custom-claims]] |
| 17 | +== Add custom claims to JWT-based access tokens |
| 18 | + |
| 19 | +You may add your own custom claims to an access token using `OAuth2TokenCustomizer<JWTEncodingContext>` bean. |
| 20 | +Please note that this bean may only be defined once, and so care must be taken care of to ensure that you are customizing the appropriate token type — an access token in this case. |
| 21 | +If you are interested in customizing the identity token, see xref:how-to-userinfo.adoc#customize-user-info-mapper[the UserInfo mapper guide for more information]. |
| 22 | + |
| 23 | +The following is an example of adding custom claims to an access token — in other words, every access token that is issued by the authorization server will have the custom claims populated. |
| 24 | + |
| 25 | +[[sample.customClaims]] |
| 26 | +include::code:CustomClaimsConfiguration[] |
| 27 | + |
| 28 | +[[custom-claims-authorities]] |
| 29 | +== Add authorities to JWT-based access tokens |
| 30 | + |
| 31 | +To add authorities of the resource owner to a JWT-based access token, we can refer to the custom claim mapping method above |
| 32 | +and populate custom claims with the authorities of the `Principal`. |
| 33 | + |
| 34 | +We define a sample user with a mix of authorities for demonstration purposes, and populate custom claims in an access token |
| 35 | +with those authorities. |
| 36 | + |
| 37 | +[[sample.customClaims.authorities]] |
| 38 | +include::code:CustomClaimsWithAuthoritiesConfiguration[] |
| 39 | + |
| 40 | +<1> Define a sample user `user1` within an internal user details service. |
| 41 | +<2> Define a few roles for `user1`. |
| 42 | +<3> Define `OAuth2TokenCustomizer<JwtEncodingContext>` bean that allows for customizing JWT token claims. |
| 43 | +<4> Check whether the JWT token is an access token. |
| 44 | +<5> From the encoding context, modify the claims of the access token. |
| 45 | +<6> Extract user roles from the `Principal` object. The role information for internal users is stored as a string prefixed with `ROLE_`, so we strip the prefix here. |
| 46 | +<7> Set custom claim `roles` to the set of roles collected from the previous step. |
| 47 | + |
| 48 | +As a result of this customization, authorities information about the user will be included as a custom claim within an |
| 49 | +access token. |
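Review bot: the document anchor `[[how-to-extension-grant-type]]` on the first added line does not describe this guide (the title is about adding authorities to custom claims, not an extension grant type) and looks carried over from another how-to; rename it to match the page, for example `[[how-to-custom-claims-authorities]]`, so cross-references resolve to the intended document. In the same hunk, the first paragraph under "Add custom claims to JWT-based access tokens" names the bean type `OAuth2TokenCustomizer<JWTEncodingContext>` while callout `<3>` below uses `OAuth2TokenCustomizer<JwtEncodingContext>`; the two should agree, and the callout's spelling is the one to keep. The following sentence reads "care must be taken care of to ensure", which should be "care must be taken to ensure".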