Package org.springframework.security.oauth2.client.oidc.userinfo

Class OidcUserService

java.lang.Object
org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService
All Implemented Interfaces:
OAuth2UserService<OidcUserRequest,OidcUser>
public class OidcUserService extends Object implements OAuth2UserService<OidcUserRequest,OidcUser>
An implementation of an OAuth2UserService that supports OpenID Connect 1.0 Provider's.
Since:
5.0
See Also:

  • Constructor Details

    • OidcUserService

      public OidcUserService()

  • Method Details

    • createDefaultClaimTypeConverters

      public static Map<String,org.springframework.core.convert.converter.Converter<Object,?>> createDefaultClaimTypeConverters()
      Returns the default Converter's used for type conversion of claim values for an OidcUserInfo.
      Returns:
      a Map of Converter's keyed by claim name
      Since:
      5.2

    • loadUser

      public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException
      Description copied from interface: OAuth2UserService
      Returns an OAuth2User after obtaining the user attributes of the End-User from the UserInfo Endpoint.
      Specified by:
      loadUser in interface OAuth2UserService<OidcUserRequest,OidcUser>
      Parameters:
      userRequest - the user request
      Returns:
      an OAuth2User
      Throws:
      OAuth2AuthenticationException - if an error occurs while attempting to obtain the user attributes from the UserInfo Endpoint

    • setOauth2UserService

      public final void setOauth2UserService(OAuth2UserService<OAuth2UserRequest,OAuth2User> oauth2UserService)
      Sets the OAuth2UserService used when requesting the user info resource.
      Parameters:
      oauth2UserService - the OAuth2UserService used when requesting the user info resource.
      Since:
      5.1

    • setClaimTypeConverterFactory

      public final void setClaimTypeConverterFactory(Function<ClientRegistration,org.springframework.core.convert.converter.Converter<Map<String,Object>,Map<String,Object>>> claimTypeConverterFactory)
      Sets the factory that provides a Converter used for type conversion of claim values for an OidcUserInfo. The default is ClaimTypeConverter for all clients.
      Parameters:
      claimTypeConverterFactory - the factory that provides a Converter used for type conversion of claim values for a specific client
      Since:
      5.2

    • setAccessibleScopes

      @Deprecated(since="6.3", forRemoval=true) public final void setAccessibleScopes(Set<String> accessibleScopes)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Use setRetrieveUserInfo(Predicate) instead
      Sets the scope(s) that allow access to the user info resource. The default is profile, email, address and phone. The scope(s) are checked against the "granted" scope(s) associated to the access token to determine if the user info resource is accessible or not. If there is at least one match, the user info resource will be requested, otherwise it will not.
      Parameters:
      accessibleScopes - the scope(s) that allow access to the user info resource
      Since:
      5.2

    • setRetrieveUserInfo

      public final void setRetrieveUserInfo(Predicate<OidcUserRequest> retrieveUserInfo)
      Sets the Predicate used to determine if the UserInfo Endpoint should be called to retrieve information about the End-User (Resource Owner).

      By default, the UserInfo Endpoint is called if all of the following are true:

      Parameters:
      retrieveUserInfo - the function used to determine if the UserInfo Endpoint should be called
      Since:
      6.3

    • setOidcUserMapper

      public final void setOidcUserMapper(BiFunction<OidcUserRequest,OidcUserInfo,OidcUser> oidcUserMapper)
      Sets the BiFunction used to map the user from the user request and user info.

      This is useful when you need to map the user or authorities from the access token itself. For example, when the authorization server provides authorization information in the access token payload you can do the following: 

              @Bean
        public OidcUserService oidcUserService() {
                var userService = new OidcUserService();
                userService.setOidcUserMapper(oidcUserMapper());
                return userService;
        }

        private static BiFunction<OidcUserRequest, OidcUserInfo, OidcUser> oidcUserMapper() {
                return (userRequest, userInfo) -> {
                        var accessToken = userRequest.getAccessToken();
                        var grantedAuthorities = new HashSet<GrantedAuthority>();
                        // TODO: Map authorities from the access token
                        var userNameAttributeName = "preferred_username";
                        return new DefaultOidcUser(
                                grantedAuthorities,
                                userRequest.getIdToken(),
                                userInfo,
                                userNameAttributeName
                        );
                };
        }

      Note that you can access the userNameAttributeName via the ClientRegistration as follows: 

              var userNameAttributeName = userRequest.getClientRegistration()
                .getProviderDetails()
                .getUserInfoEndpoint()
                .getUserNameAttributeName();

      By default, a DefaultOidcUser is created with authorities mapped as follows:

      Parameters:
      oidcUserMapper - the function used to map the OidcUser from the OidcUserRequest and OidcUserInfo
      Since:
      6.3