OAuth role mapping: allow use of Spring authorities

[jquirymateco]

Issue submitter TODO list

• I've searched for an already existing issues here
• I'm running a supported version of the application which is listed here and the feature is not present there

Is your proposal related to a problem?

For the role matching, it is only possible to provide a roles-field which matches the principal's attributes (ID token claims), it is not possible to use Spring's default authorities.

Describe the feature you're interested in

It should also be possible to match against the user's authorities mapped through the access token by Spring (DefaultReactiveOAuth2UserService) because authorities are used to assign roles.

Describe alternatives you've considered

I couls add a claim to the ID token to make it work without change but that's a hack.

Version you're running

8e8ff06

Additional context

No response

[github-actions]

Hi jquirymateco! 👋

Welcome, and thank you for opening your first issue in the repo!

Please wait for triaging by our maintainers.

As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues.
Sponsorship link

If you plan to raise a PR for this issue, please take a look at our contributing guide.

[Haarolean]

Can you elaborate on how you want to populate default spring's authorities? IIRC it gets populated only with scope-based authorities

[kapybro]

Further user feedback is requested. Please reply within 7 days or we might close the issue.

[jquirymateco]

@Haarolean Hi, yes, I'd like the scopes to be available for role mapping and I'd like to create a PR for it.
But I realise scopes are not roles, we're misusing the scope grant on the access token to supply roles in our RBAC system.

Although, mapping an rbac role from a scope does make sense, for example:

rbac:
  roles:
    - name: "Viewer"
      clusters:
        - non-prod
      subjects:
        - provider: oauth
          type: scope
          value: application:read

[kapybro]

Thanks for the additional feedback! We'll get back to your issue soon.