Skip to content

Introduce support for multi-valued role mapping for oauth#9872

Merged
evandongen merged 6 commits intomasterfrom
issue/9837-introduce-better-role-mapping-for-oauth
Nov 11, 2025
Merged

Introduce support for multi-valued role mapping for oauth#9872
evandongen merged 6 commits intomasterfrom
issue/9837-introduce-better-role-mapping-for-oauth

Conversation

@evandongen
Copy link
Contributor

@evandongen evandongen commented Nov 10, 2025

Changes

Added support for a list of roles to be mapped using oauth-role-mapping.properties.

Pull Request Checklist

Title

  • Title expresses the business value (who benefits + what outcome)

Issues

  • Relevant issues linked

Documentation

  • FF! Doc updated (user-facing behavior/config)
  • FF! Manual updated (if applicable)
  • Javadoc updated/generated (developer-facing APIs)

Tests

  • Unit tests added/updated
  • E2E/Integration tests added/updated (if applicable)

@evandongen evandongen linked an issue Nov 10, 2025 that may be closed by this pull request
OAuth2 authenticator needs to map multivalued roles #9837
Closed
@evandongen evandongen removed a link to an issue Nov 10, 2025
OAuth2 authenticator needs to map multivalued roles #9837
Closed
@evandongen evandongen linked an issue Nov 10, 2025 that may be closed by this pull request
OAuth2 authenticator needs to map multivalued roles #9837
Closed
evandongen
evandongen commented Nov 11, 2025
View reviewed changes
security/src/test/java/org/frankframework/lifecycle/servlets/AuthorityMapperTest.java Outdated
public static List<Arguments> data() {
return Arrays.asList(new Arguments[]{
Arguments.of("roles", Map.of("roles", List.of("IbisAdmin"))),
Arguments.of("realm_access.roles", Map.of("realm_access", Map.of("roles", List.of("IbisAdmin"))))
Copy link
Contributor Author

@evandongen evandongen Nov 11, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ik bedenk me net dat hier eigenlijk nog een List.of meerdere rollen in moet ipv alleen een single valued list.

tnleeuw
tnleeuw approved these changes Nov 11, 2025
View reviewed changes
security/src/main/java/org/frankframework/lifecycle/servlets/AuthorityMapper.java
return getRolesFromUserInfo(oidcUserAuthority.getUserInfo()).stream().toList();
} else if (authority instanceof OAuth2UserAuthority oAuth2UserAuthority) {
return getKeyValues(oAuth2UserAuthority.getAttributes());
}
Copy link
Contributor

@tnleeuw tnleeuw Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moet er misschien nog een else throw new IllegalArgumentException() voor wanneer de authority geen instance is van beide classes? Of is dat een geldige situatie?

Copy link
Contributor Author

@evandongen evandongen Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dat is in principe hierboven al gefilterd. Als je Oauth2 gebruikt is er altijd een Oauth2UserAuthority volgens spring, al dan niet van het child-type OidcUserAuthority.

security/src/main/java/org/frankframework/lifecycle/servlets/AuthorityMapper.java
Map<String, Collection<String>> realmAccess = (Map<String, Collection<String>>) userAttributes.get(keyParts[0]);

// get second part of the key
return (List<String>) realmAccess.get(keyParts[1]);
Copy link
Contributor

@tnleeuw tnleeuw Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible for the key to contain multiple . separators?

What happens the key ends with a .?

What if the claim does not exist, or is not in form of a List<String>?

Copy link
Contributor Author

@evandongen evandongen Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dit is afgedekt door de configure() methode in Oauth2Authenticator, die doet hetzelfde als de bearer only authenticator en support alleen maar 1 punt in deze string. Ik zal dat nog even toevoegen als comment, want Vivy vroeg zich dit ook al af :-)

@sonarqubecloud
Copy link

sonarqubecloud bot commented Nov 11, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
87.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@evandongen evandongen merged commit 2649dd6 into master Nov 11, 2025
33 checks passed
@evandongen evandongen deleted the issue/9837-introduce-better-role-mapping-for-oauth branch November 11, 2025 12:01
@evandongen evandongen mentioned this pull request Jan 15, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tnleeuw tnleeuw tnleeuw approved these changes

@Matthbo Matthbo Matthbo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

OAuth2 authenticator needs to map multivalued roles

3 participants

@evandongen @tnleeuw @Matthbo