Add ClaimsOAuth2TokenCustomizer

src/main/java/com/monkeyk/sos/config/MVCConfiguration.java

@@ -62,18 +62,4 @@ public class MVCConfiguration implements WebMvcConfigurer {
     }
 
 
-//    /**
-//     * sitemesh filter
-//     */
-//    @Bean
-//    public FilterRegistrationBean<Filter> sitemesh() {
-//        FilterRegistrationBean<Filter> registrationBean = new FilterRegistrationBean<>();
-//        registrationBean.setFilter(new SOSSiteMeshFilter());
-//        registrationBean.addUrlPatterns("/*");
-//        //注意: 在 spring security filter之后
-//        registrationBean.setOrder(8899);
-//        return registrationBean;
-//    }
-
-
 }

src/main/java/com/monkeyk/sos/config/OAuth2ServerConfiguration.java

@@ -1,6 +1,7 @@
 package com.monkeyk.sos.config;
 
 
+import com.monkeyk.sos.domain.oauth.ClaimsOAuth2TokenCustomizer;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
 import com.nimbusds.jose.proc.SecurityContext;
@@ -18,7 +19,6 @@ import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
 import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
-import org.springframework.security.oauth2.jwt.JwtClaimsSet;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
 import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
@@ -35,7 +35,6 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
 import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
 
 import java.io.IOException;
-import java.util.UUID;
 import java.util.function.Consumer;
 
 import static com.monkeyk.sos.domain.shared.SOSConstants.CUSTOM_CONSENT_PAGE_URI;
@@ -210,11 +209,7 @@ public class OAuth2ServerConfiguration {
      */
     @Bean
     public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
-        return context -> {
+        return new ClaimsOAuth2TokenCustomizer();
-            JwtClaimsSet.Builder claims = context.getClaims();
-            //jti
-            claims.id(UUID.randomUUID().toString());
-        };
     }
 
 

src/main/java/com/monkeyk/sos/domain/oauth/ClaimsOAuth2TokenCustomizer.java

@@ -0,0 +1,73 @@
+package com.monkeyk.sos.domain.oauth;
+
+import com.monkeyk.sos.domain.shared.GuidGenerator;
+import com.monkeyk.sos.domain.user.UserRepository;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.oauth2.core.oidc.OidcScopes;
+import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
+import org.springframework.security.oauth2.jwt.JwtClaimsSet;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
+
+import java.util.Set;
+
+/**
+ * 2023/10/17
+ * <p>
+ * 扩展 jwt  id_token  claims 属性生成
+ *
+ * @author Shengzhao Li
+ * @since 3.0.0
+ */
+public class ClaimsOAuth2TokenCustomizer implements OAuth2TokenCustomizer<JwtEncodingContext> {
+
+    private static final Logger LOG = LoggerFactory.getLogger(ClaimsOAuth2TokenCustomizer.class);
+
+    @Autowired
+    private UserRepository userRepository;
+
+    public ClaimsOAuth2TokenCustomizer() {
+    }
+
+    @Override
+    public void customize(JwtEncodingContext context) {
+
+        JwtClaimsSet.Builder claims = context.getClaims();
+        //jti
+        claims.id(GuidGenerator.generateNumber());
+
+        //根据不同的 scope 与 tokenType添加扩展属性
+        OAuth2TokenType tokenType = context.getTokenType();
+        if (!OidcParameterNames.ID_TOKEN.equals(tokenType.getValue())) {
+            //非 id_token 排除
+            return;
+        }
+        OAuth2Authorization authorization = context.getAuthorization();
+        if (authorization == null) {
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Null OAuth2Authorization, ignore customize");
+            }
+            return;
+        }
+//        String username = authorization.getPrincipalName();
+        Set<String> scopes = context.getAuthorizedScopes();
+        if (scopes.contains(OidcScopes.ADDRESS)) {
+            Object attrVal = authorization.getAttribute(OidcScopes.ADDRESS);
+            claims.claim(OidcScopes.ADDRESS, attrVal == null ? "" : attrVal);
+        } else if (scopes.contains(OidcScopes.EMAIL)) {
+            Object attrVal = authorization.getAttribute(OidcScopes.EMAIL);
+            claims.claim(OidcScopes.EMAIL, attrVal == null ? "" : attrVal);
+        } else if (scopes.contains(OidcScopes.PHONE)) {
+            Object attrVal = authorization.getAttribute(OidcScopes.PHONE);
+            claims.claim(OidcScopes.PHONE, attrVal == null ? "" : attrVal);
+        } else if (scopes.contains(OidcScopes.PROFILE)) {
+            Object attrVal = authorization.getAttribute("nickname");
+            claims.claim("nickname", attrVal == null ? "" : attrVal);
+            claims.claim("updated_at", "");
+        }
+    }
+}