Add scopes and aud claim to token

MarcialRosales · MarcialRosales · commit b728b82b97c5 · 2025-06-13T07:47:42.000+02:00
diff --git a/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/AudienceAuthority.java b/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/AudienceAuthority.java
@@ -0,0 +1,23 @@
+package com.rabbitmq.authorization_server;
+
+import org.springframework.security.core.GrantedAuthority;
+
+public class AudienceAuthority implements GrantedAuthority {
+
+    private String authority;
+    
+     
+    public AudienceAuthority(String value) {
+        this.authority = value;
+    }
+
+    public static AudienceAuthority aud(String value) {
+        return new AudienceAuthority(value);
+    }
+    
+    @Override
+    public String getAuthority() {
+        return authority;
+    }
+    
+}
diff --git a/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/ScopeAuthority.java b/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/ScopeAuthority.java
@@ -0,0 +1,22 @@
+package com.rabbitmq.authorization_server;
+
+import org.springframework.security.core.GrantedAuthority;
+
+public class ScopeAuthority implements GrantedAuthority {
+
+    private String authority;
+    
+    public ScopeAuthority(String value) {
+        this.authority = value;
+    }
+
+    public static ScopeAuthority scope(String value) {
+        return new ScopeAuthority(value);
+    }
+    
+    @Override
+    public String getAuthority() {
+        return authority;
+    }
+    
+}
diff --git a/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/SecurityConfig.java b/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/SecurityConfig.java
@@ -4,6 +4,7 @@
 import java.security.KeyPairGenerator;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
+import java.util.List;
 import java.util.UUID;
 
 import org.springframework.context.annotation.Bean;
@@ -20,13 +21,16 @@
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
 import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
+import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
@@ -38,6 +42,9 @@
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.proc.SecurityContext;
 
+import static com.rabbitmq.authorization_server.ScopeAuthority.scope;
+import static com.rabbitmq.authorization_server.AudienceAuthority.aud;
+
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig {
@@ -91,7 +98,11 @@ public UserDetailsService userDetailsService() {
 		UserDetails userDetails = User.withDefaultPasswordEncoder()
 				.username("rabbit_admin")
 				.password("rabbit_admin")
-				.roles("openid profile rabbitmq.tag:administrator")
+				.authorities(List.of(
+					scope("openid"),
+					scope("profile"),
+					scope("rabbitmq.tag:administrator"),
+					aud("rabbitmq")))
 				.build();
 
 		return new InMemoryUserDetailsManager(userDetails);
@@ -141,6 +152,20 @@ private static KeyPair generateRsaKey() {
 		return keyPair;
 	}
 
+	@Bean
+	public OAuth2TokenCustomizer<JwtEncodingContext> jwtTokenCustomizer() {
+		return (context) -> {
+			if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
+				System.out.println("Principal: " + context.getPrincipal());
+				System.out.println("Authorized scopes: " + context.getAuthorizedScopes());
+				context.getClaims().claims((claims) -> {
+					claims.put("aud", "rabbitmq");					
+				});
+			}
+		};
+	}
+
+
 	@Bean 
 	public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
 		return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
