Skip to content

Commit 21bb5a9

Browse files
loichenningerloichenninger
committed
fix: retrieve roles from inseegroupedefaut
1 parent ce01f55 commit 21bb5a9

File tree

1 file changed

+31
-22
lines changed

1 file changed

+31
-22
lines changed

src/main/java/fr/insee/genesis/configuration/auth/security/OIDCSecurityConfig.java

Lines changed: 31 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@
2626
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
2727
import org.springframework.security.web.SecurityFilterChain;
2828

29+
import java.util.ArrayList;
2930
import java.util.Collection;
3031
import java.util.Collections;
3132
import java.util.HashMap;
@@ -112,39 +113,47 @@ Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter() {
112113
@Override
113114
@SuppressWarnings({"unchecked"})
114115
public Collection<GrantedAuthority> convert(Jwt source) {
115-
116-
String[] claimPath = inseeSecurityTokenProperties.getOidcClaimRole().split("\\.");
117-
Map<String, Object> claims = source.getClaims();
118116
try {
117+
List<String> allTokenClaims = new ArrayList<>();
118+
119+
// 🔹 1. Retrieve roles from realm_access.roles
120+
String[] claimPath = inseeSecurityTokenProperties.getOidcClaimRole().split("\\.");
121+
Map<String, Object> claims = source.getClaims();
119122
for (int i = 0; i < claimPath.length - 1; i++) {
120123
claims = (Map<String, Object>) claims.get(claimPath[i]);
121124
}
122125
if (claims != null) {
123126
List<String> tokenClaims = (List<String>) claims.getOrDefault(claimPath[claimPath.length - 1], List.of());
124-
// Collect distinct values from mapping associated with input keys
125-
List<String> claimedRoles = tokenClaims.stream()
126-
.filter(roleConfiguration.getRolesByClaim()::containsKey) // Ensure the key exists in the mapping
127-
.flatMap(key -> roleConfiguration.getRolesByClaim().get(key).stream()) // Get the list of values associated with the key
128-
.distinct() // Remove duplicates
129-
.toList();
130-
131-
return Collections.unmodifiableCollection(claimedRoles.stream().map(s -> new GrantedAuthority() {
132-
@Override
133-
public String getAuthority() {
134-
return ROLE_PREFIX + s;
135-
}
136-
137-
@Override
138-
public String toString() {
139-
return getAuthority();
140-
}
141-
}).toList());
127+
allTokenClaims.addAll(tokenClaims);
128+
}
129+
130+
// 🔹 2. Retrieve roles from inseegroupedefaut
131+
Object inseeGroups = source.getClaims().get("inseegroupedefaut");
132+
if (inseeGroups instanceof List<?> groups) {
133+
groups.stream()
134+
.filter(String.class::isInstance)
135+
.map(String.class::cast)
136+
.forEach(allTokenClaims::add);
142137
}
138+
139+
// 🔹 3. Mapping with Spring roles
140+
List<String> claimedRoles = allTokenClaims.stream()
141+
.filter(roleConfiguration.getRolesByClaim()::containsKey)
142+
.flatMap(key -> roleConfiguration.getRolesByClaim().get(key).stream())
143+
.distinct()
144+
.toList();
145+
146+
// 🔹 4. Transforms in GrantedAuthority
147+
return Collections.unmodifiableCollection(
148+
claimedRoles.stream()
149+
.map(s -> (GrantedAuthority) () -> ROLE_PREFIX + s)
150+
.toList()
151+
);
152+
143153
} catch (ClassCastException e) {
144154
// role path not correctly found, assume that no role for this user
145155
return List.of();
146156
}
147-
return List.of();
148157
}
149158
};
150159
}

0 commit comments

Comments
 (0)