1 | 1 | [[how-to-custom-claims-authorities]] |
2 | | -= How-to: Add authorities as custom claims in JWT-based access tokens |
| 2 | += How-to: Add authorities as custom claims in JWT access tokens |
3 | 3 | :index-link: ../how-to.html |
4 | 4 | :docs-dir: .. |
5 | 5 |
|
6 | 6 | This guide demonstrates how to add resource owner authorities to a JWT access token. |
7 | 7 | The term "authorities" may represent varying forms such as roles, permissions, or groups of the resource owner. |
8 | 8 |
|
9 | | -To make resource owners' authorities available to the resource server, we add custom claims to an access token issued by Spring Authorization Server. |
10 | | -The client using the issued token to access protected resources will then have information about the resource owner’s level of access, among other potential uses and benefits. |
| 9 | +To make resource owner's authorities available to the resource server, we add custom claims to the access token. |
| 10 | +When the client uses the access token to access a protected resource, the resource server will be able to obtain the information about the resource owner's level of access, among other potential uses and benefits. |
11 | 11 |
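Review bot: The first replacement line drops an article and reads awkwardly: "To make resource owner's authorities available" should be "To make the resource owner's authorities available". In the second replacement line, "will be able to obtain the information about" reads more naturally as "will be able to obtain information about". The switch from the plural possessive "resource owners'" to the singular "resource owner's" is fine and matches the singular used in the unchanged intro sentences above.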
|
12 | 12 | * xref:guides/how-to-custom-claims-authorities.adoc#custom-claims[Add custom claims to JWT access tokens] |
13 | 13 | * xref:guides/how-to-custom-claims-authorities.adoc#custom-claims-authorities[Add authorities as custom claims to JWT access tokens] |
14 | 14 |
|
15 | 15 | [[custom-claims]] |
16 | 16 | == Add custom claims to JWT access tokens |
17 | 17 |
|
18 | | -You may add your own custom claims to an access token using `OAuth2TokenCustomizer<JWTEncodingContext>` bean. |
19 | | -Please note that this bean may only be defined once, and so care must be taken care of to ensure that you are customizing the appropriate token type — an access token in this case. |
20 | | -If you are interested in customizing the identity token, see xref:guides/how-to-userinfo.adoc#customize-user-info-mapper[the UserInfo mapper guide for more information]. |
| 18 | +You may add your own custom claims to an access token using an `OAuth2TokenCustomizer<JWTEncodingContext>` `@Bean`. |
| 19 | +Please note that this `@Bean` may only be defined once, and so care must be taken to ensure that you are customizing the appropriate token type — an access token in this case. |
| 20 | +If you are interested in customizing the ID Token, see the xref:guides/how-to-userinfo.adoc#customize-user-info-mapper[User Info Mapper guide] for more information. |
21 | 21 |
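Review bot: The generic type in the first replacement line is still misspelled: `OAuth2TokenCustomizer<JWTEncodingContext>` should be `OAuth2TokenCustomizer<JwtEncodingContext>`, which is the spelling callout <3> later in this same file uses and the actual class name. Since the commit already rewrites this line to add the indefinite article and the `@Bean` formatting, fixing the type name here avoids a second pass.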
|
22 | 22 | The following is an example of adding custom claims to an access token — in other words, every access token that is issued by the authorization server will have the custom claims populated. |
23 | 23 |
|
24 | | -[[sample.customClaims]] |
| 24 | +[[sample.customclaims]] |
25 | 25 | [source,java] |
26 | 26 | ---- |
27 | | -include::{examples-dir}/main/java/sample/customClaims/CustomClaimsConfiguration.java[] |
| 27 | +include::{examples-dir}/main/java/sample/customclaims/CustomClaimsConfiguration.java[] |
28 | 28 | ---- |
29 | 29 |
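Review bot: Lowercasing the include path from `sample/customClaims/` to `sample/customclaims/` only works if the example source directory is renamed in the same commit, and since Java package names follow directory names, the `package` declaration in `CustomClaimsConfiguration.java` (and in `CustomClaimsWithAuthoritiesConfiguration.java`, whose include is changed the same way further down) must change to `sample.customclaims` as well, or the examples stop compiling. Likewise the anchor rename from `[[sample.customClaims]]` to `[[sample.customclaims]]` silently breaks any xref elsewhere in the docs that still targets the old id; both the old anchor ids and the old path should be searched for before merging.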
|
30 | 30 | [[custom-claims-authorities]] |
31 | 31 | == Add authorities as custom claims to JWT access tokens |
32 | 32 |
|
33 | | -To add authorities of the resource owner to a JWT-based access token, we can refer to the custom claim mapping method above |
34 | | -and populate custom claims with the authorities of the `Principal`. |
| 33 | +To add authorities of the resource owner to a JWT access token, we can refer to the custom claim mapping method above and populate a custom claim with the authorities of the `Principal`. |
35 | 34 |
|
36 | | -We define a sample user with a mix of authorities for demonstration purposes, and populate custom claims in an access token |
37 | | -with those authorities. |
| 35 | +We define a sample user with a set of authorities for demonstration purposes, and populate a custom claim in the access token with those authorities. |
38 | 36 |
|
39 | | -[[sample.customClaims.authorities]] |
| 37 | +[[sample.customclaims.authorities]] |
40 | 38 | [source,java] |
41 | 39 | ---- |
42 | | -include::{examples-dir}/main/java/sample/customClaims/authorities/CustomClaimsWithAuthoritiesConfiguration.java[] |
| 40 | +include::{examples-dir}/main/java/sample/customclaims/authorities/CustomClaimsWithAuthoritiesConfiguration.java[] |
43 | 41 | ---- |
44 | 42 |
|
45 | | -<1> Define a sample user `user1` with an in-memory user details service. |
46 | | -<2> Define a few roles for `user1`. |
47 | | -<3> Define `OAuth2TokenCustomizer<JwtEncodingContext>` `@Bean` that allows for customizing JWT token claims. |
48 | | -<4> Check whether the JWT token is an access token. |
49 | | -<5> From the encoding context, modify the claims of the access token. |
50 | | -<6> Extract user roles from the `Principal` object. The role information for internal users is stored as a string prefixed with `ROLE_`, so we strip the prefix here. |
51 | | -<7> Set custom claim `roles` to the set of roles collected from the previous step. |
| 43 | +<1> Define a sample user `user1` with an in-memory `UserDetailsService`. |
| 44 | +<2> Assign the roles for `user1`. |
| 45 | +<3> Define an `OAuth2TokenCustomizer<JwtEncodingContext>` `@Bean` that allows for customizing the JWT claims. |
| 46 | +<4> Check whether the JWT is an access token. |
| 47 | +<5> Access the default claims via the `JwtEncodingContext`. |
| 48 | +<6> Extract the roles from the `Principal` object. The role information is stored as a string prefixed with `ROLE_`, so we strip the prefix here. |
| 49 | +<7> Set the custom claim `roles` to the set of roles collected from the previous step. |
52 | 50 |
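Review bot: Callout <4> should say why the check matters, not just what it does: the guide states above that the `OAuth2TokenCustomizer<JwtEncodingContext>` `@Bean` may be defined only once and that care must be taken to customize the right token type, so without the access-token check the `roles` claim would also be added to the ID Token. Suggest: "Check whether the JWT is an access token, so that the custom claim is not added to the ID Token." Also, the rewritten <5> now describes reading the claims ("Access the default claims via the `JwtEncodingContext`") where the old text described modifying them; make sure the `<5>` marker in the included Java source sits on the line that obtains the claims builder, otherwise the callout and the code it annotates no longer line up.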
|
53 | | -As a result of this customization, authorities information about the user will be included as a custom claim within the |
54 | | -access token. |
| 51 | +As a result of this customization, authorities information about the user will be included as a custom claim in the access token. |