Generate introspected token with scopes from client

when using client_credentials
2025-08-04 17:24:58 +02:00 · 2025-08-04 17:24:58 +02:00 · 3dadfdfe9f
parent 4301251cbc
commit 3dadfdfe9f
3 changed files with 21 additions and 5 deletions
--- a/.github/workflows/authorization-server-make.yaml
+++ b/.github/workflows/authorization-server-make.yaml
@ -14,7 +14,7 @@ on:
  
 env:
  REGISTRY_IMAGE: pivotalrabbitmq/spring-authorization-server
-  IMAGE_TAG: 0.0.9
+  IMAGE_TAG: 0.0.10
 jobs:
  docker:
    runs-on: ubuntu-latest
--- a/selenium/authorization-server/pom.xml
+++ b/selenium/authorization-server/pom.xml
@ -10,7 +10,7 @@
 	</parent>
 	<groupId>com.rabbitmq</groupId>
 	<artifactId>authorization-server</artifactId>
-	<version>0.0.9</version>
+	<version>0.0.10</version>
 	<name>authorization-server</name>
 	<description>Authorization Server for Selenium</description>
 	<url/>
--- a/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/SecurityConfig.java
+++ b/selenium/authorization-server/src/main/java/com/rabbitmq/authorization_server/SecurityConfig.java
@ -5,6 +5,9 @@ import java.security.KeyPairGenerator;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
 import java.util.UUID;
+import java.util.Collection;
+import java.util.List;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

@ -30,6 +33,8 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
 import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimsContext;

+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+
 import com.nimbusds.jose.jwk.JWKSet;
 import com.nimbusds.jose.jwk.RSAKey;
 import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
@ -130,9 +135,20 @@ public class SecurityConfig {
 			logger.info("authorities : {}", principal.getAuthorities());
 			logger.info("authorized scopes : {}", context.getAuthorizedScopes());
 				
-			context.getClaims()
-					.audience(AudienceAuthority.getAll(principal))
-					.claim("extra_scope", ScopeAuthority.getAuthorites(principal));
+			if (AuthorizationGrantType.CLIENT_CREDENTIALS.equals(context.getAuthorizationGrantType())) {
+				Collection<String> extra_scope = context.getRegisteredClient().getScopes();
+				logger.info("granting extra_scope: {}", extra_scope);
+				context.getClaims()
+					.claim("extra_scope", extra_scope);
+			} else {
+				Collection<String> extra_scope = ScopeAuthority.getAuthorites(principal);
+				List<String> audience = AudienceAuthority.getAll(principal);
+				logger.info("granting extra_scope: {}", extra_scope);
+				logger.info("granting audience: {}", audience);
+				context.getClaims()
+					.audience(audience)
+					.claim("extra_scope", extra_scope);
+			}
 		};
 	}
 	@Bean