Assign roles manually after Azure AD authentication Spring boot app

Question

I have an app registered at Azure AD, with oauth2AllowImplicitFlow set as True.

Because of restriction at Azure AD , I am no able to add user roles and groups to the registered application. These will be synchronized from other sources in future. Meanwhile, I need a way to authorize users from database or a property file after they are authenticated.

Here is my basic the setup that passes the authentication but spits out server error because of access denied.

Authentication is working with dependencies azure-active-directory-spring-boot-starter and spring-boot-starter-oauth2-client.

spring.security.oauth2.client.registration.azure.client-id=xxxx
spring.security.oauth2.client.registration.azure.client-secret=yyyy
azure.activedirectory.tenant-id=zzzz
azure.activedirectory.user-group.allowed-groups=group1, group2, group3
spring.security.oauth2.client.registration.azure.provider=azure

group1, group2, group3 exists but are empty and have no roles attached.

@EnableWebSecurity
@EnableGlobalMethodSecurity(
        prePostEnabled = true,
        securedEnabled = true,
        jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

    @Autowired
    private UserDetailsServiceImpl userDetailsServiceImpl;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .antMatcher("/**")
                .authorizeRequests()
                .anyRequest().authenticated()
                .and()
                .oauth2Login()
                .userInfoEndpoint()
                .oidcUserService(oidcUserService);
    }

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsServiceImpl);
    }
}

I need a way to intercept the security configuration after authentication, and add roles manually. I have tried extending OidcUserService and plugging that into AuthenticationManagerBuilder

@Component
public class UserDetailsServiceImpl extends OidcUserService {
    @Override
    public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
        OidcUser oidcUser;
        Set<GrantedAuthority> grantedAuthorities = null; //TODO: GRANT ROLES
        oidcUser = new DefaultOidcUser(grantedAuthorities, userRequest.getIdToken());
        return oidcUser;
    }
}

There are other examples where an implementation of UserDetailsService is used. I tried that too, but none seems to be working.

What is the way to intercept the spring security after the user is authenticated via Azure AD, and inject some custom roles to the authenticated user. I understand, this way to do this is authorize users using Graph API, but at this moment, due to company restrictions at Azure AD, setting up roles there is not happening.

Answer 1

You can use something like this:

.oauth2Login()
    .userInfoEndpoint()
        .userAuthoritiesMapper(this.userAuthoritiesMapper())
         ...

private GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return (authorities) -> {
            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
            //fill in your authorities
            return mappedAuthorities;
        };
}

Answer 2

In your SecurityConfig:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
    .antMatcher("/**")
    .authorizeRequests()
    .anyRequest().authenticated()
    .and()
    .oauth2Login()
    .userInfoEndpoint()
    .oidcUserService(oidcUserService)
    .and()
    .addFilterAfter(customAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
}

Then you can create the CustomAuthenticationFilter by :

public class CustomAuthenticationFilter extends AbstractAuthenticationProcessingFilter {