Add authorizationCustomizer pattern for OAuth2Authorization customization #2294

Open

nikitanagar08 wants to merge 1 commit into spring-projects:main from nikitanagar08:gh-1504-authorized-scopes-mapper

Conversation


@nikitanagar08 nikitanagar08 commented Mar 2, 2026

Summary

Based on maintainer feedback from @jgrandja, this PR replaces the narrow OAuth2AuthorizedScopesMapper with a more general authorizationCustomizer pattern.

The new design uses Consumer<OAuth2XXX_AuthenticationContext> to customize the OAuth2Authorization.Builder before building, providing:

  • Broader applicability: Not limited to scope filtering - can customize attributes, metadata, tokens, etc.
  • Consistent pattern: Same pattern used across multiple authentication providers
  • General abstraction: Aligns with the maintainer's vision for a general "Policy Decision" capability

Changes

Authentication Providers Updated

  1. OAuth2AuthorizationCodeRequestAuthenticationProvider

    • Added setAuthorizationCustomizer(Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>)
    • Customizer called before both authorization consent and authorization code persistence
  2. OAuth2AuthorizationConsentAuthenticationProvider

    • Added setAuthorizationCustomizer(Consumer<OAuth2AuthorizationConsentAuthenticationContext>)
    • Customizer called before authorization update with consent
  3. OAuth2ClientCredentialsAuthenticationProvider

    • Replaced setAuthorizedScopesMapper() with setAuthorizationCustomizer()
    • Customizer called before token generation and authorization persistence

Context Enhancements

Added getAuthorizationBuilder() and authorizationBuilder() methods to:

  • OAuth2AuthorizationCodeRequestAuthenticationContext
  • OAuth2AuthorizationConsentAuthenticationContext
  • OAuth2ClientCredentialsAuthenticationContext

Files Changed

Deleted:

  • OAuth2AuthorizedScopesMapper.java (narrow scope)
  • OAuth2AuthorizedScopesContext.java (narrow scope)

Modified:

  • 3 Authentication Providers
  • 3 Authentication Contexts
  • 3 Test Classes

Usage Example

@Bean
Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authorizationCustomizer() {
    return context -> {
        OAuth2Authorization.Builder builder = context.getAuthorizationBuilder();
        
        // Filter scopes based on user roles
        Set<String> filteredScopes = filterScopesByRole(
            builder.<Set<String>>get("authorizedScopes"),
            context.getPrincipal()
        );
        builder.authorizedScopes(filteredScopes);
        
        // Add custom metadata
        builder.attribute("tenantId", getTenantId(context.getPrincipal()));
    };
}

Motivation

This addresses issue #1504 by providing a general-purpose extension point for customizing OAuth2Authorization before persistence, enabling use cases such as:

  • Role/tenant-based scope filtering
  • Adding metadata from upstream authz servers
  • Policy-based authorization decisions
  • Any other authorization customization needs

Test plan

  • setAuthorizationCustomizerWhenNullThenThrowIllegalArgumentException - verifies null check
  • authenticateWhenCustomAuthorizationCustomizerThenUsed - verifies customizer is invoked
  • All existing tests pass
  • Checkstyle passes
  • Code compiles successfully

Fixes gh-1504

Signed-off-by: Nikita Nagar <permanayan84@gmail.com>
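One policy a customizer of this shape can enforce for the client credentials provider, written here as an added illustration and not code from this PR: it only ever narrows the scopes already placed on the builder, using a per-client allow-list, so a policy mistake can drop access but never grant more than the provider validated. The policy map is constructed inline; getAuthorizationBuilder() and the "authorizedScopes" key follow the usage snippet above, and getRegisteredClient() is assumed to be the existing accessor on the context.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;

import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

/**
 * Narrows the scopes granted on a client_credentials request to a per-client
 * allow-list. Illustrative example: the policy source is a constructed map, and
 * the builder accessors follow the PR description's usage snippet.
 *
 * Register with:
 *   clientCredentialsProvider.setAuthorizationCustomizer(new ClientScopePolicyCustomizer(policy));
 */
public final class ClientScopePolicyCustomizer
        implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {

    // Constructed sample policy: client id -> scopes that client may actually hold.
    private final Map<String, Set<String>> allowedScopesByClient;

    public ClientScopePolicyCustomizer(Map<String, Set<String>> allowedScopesByClient) {
        this.allowedScopesByClient = Map.copyOf(allowedScopesByClient);
    }

    @Override
    public void accept(OAuth2ClientCredentialsAuthenticationContext context) {
        OAuth2Authorization.Builder builder = context.getAuthorizationBuilder();
        RegisteredClient client = context.getRegisteredClient();   // assumed existing accessor
        Set<String> validated = builder.<Set<String>>get("authorizedScopes");
        builder.authorizedScopes(narrow(client.getClientId(), validated));
        // Record which policy shaped the grant so it can be audited from the stored authorization.
        builder.attribute("scopePolicy", "client-allowlist");
    }

    /**
     * Intersection of the validated scopes and the client's allow-list. A client with no
     * policy entry, or a null scope set, ends up with no scopes: the operation can only remove.
     */
    Set<String> narrow(String clientId, Set<String> validated) {
        Set<String> allowed = allowedScopesByClient.getOrDefault(clientId, Set.of());
        Set<String> result = new HashSet<>(validated == null ? Set.of() : validated);
        result.retainAll(allowed);   // never adds a scope the provider did not already accept
        return Set.copyOf(result);
    }
}
```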

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage label Mar 2, 2026
@nikitanagar08 nikitanagar08 marked this pull request as ready for review March 2, 2026 20:47
@nikitanagar08 nikitanagar08 marked this pull request as draft March 2, 2026 20:47
@nikitanagar08 nikitanagar08 marked this pull request as ready for review March 2, 2026 20:48
@nikitanagar08 nikitanagar08 force-pushed the gh-1504-authorized-scopes-mapper branch from 2f9b48a to 6d2ecda March 2, 2026 20:50
@nikitanagar08 nikitanagar08 changed the title from "Add OAuth2AuthorizedScopesMapper for Client Credentials Grant" to "Add authorizationCustomizer pattern for OAuth2Authorization customization" Mar 4, 2026
Replaced the narrow OAuth2AuthorizedScopesMapper with a more general
authorizationCustomizer pattern as requested by @jgrandja.

Changes:
- Deleted OAuth2AuthorizedScopesMapper and OAuth2AuthorizedScopesContext
- Added authorizationCustomizer field and setter to:
  * OAuth2AuthorizationCodeRequestAuthenticationProvider
  * OAuth2AuthorizationConsentAuthenticationProvider
  * OAuth2ClientCredentialsAuthenticationProvider
- Added getAuthorizationBuilder() method to authentication contexts
- Customizer receives context with OAuth2Authorization.Builder for
  flexible customization of scopes, attributes, metadata, etc.
- Updated tests for all three providers

This allows broader use cases beyond scope filtering:
- Role-based scope transformation
- Adding custom metadata to authorization
- Integrating with external authz servers
- Any other authorization customization needs

Fixes gh-1504

Signed-off-by: Nikita Nagar <permanayan84@gmail.com>
@nikitanagar08 nikitanagar08 force-pushed the gh-1504-authorized-scopes-mapper branch from 2bbde2d to 517ed1e March 4, 2026 10:33

Development

Successfully merging this pull request may close these issues.

Support transforming authorized scopes when the OAuth2Authorization object is created
