From 44433127395be606c8aa7feb034e2a5f5198c3d7 Mon Sep 17 00:00:00 2001 From: Steve Riesenberg Date: Wed, 18 May 2022 16:31:24 -0500 Subject: [PATCH] Add UserInfo Endpoint in ref doc Issue gh-672 --- .../src/docs/asciidoc/protocol-endpoints.adoc | 55 ++++++++++++++++++- 1 file changed, 54 insertions(+), 1 deletion(-) diff --git a/docs/src/docs/asciidoc/protocol-endpoints.adoc b/docs/src/docs/asciidoc/protocol-endpoints.adoc index fee27b30..f08963b8 100644 --- a/docs/src/docs/asciidoc/protocol-endpoints.adoc +++ b/docs/src/docs/asciidoc/protocol-endpoints.adoc 
@@ -208,7 +208,60 @@ The JWK Set endpoint is configured *only* if a `JWKSource` `@Be [[oidc-user-info-endpoint]] == OpenID Connect 1.0 UserInfo Endpoint -This section is under construction. +The following example shows how to enable the https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[OpenID Connect 1.0 UserInfo endpoint]: + +[source,java] +---- +@Bean +public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { + OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); + http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt); + return http.build(); +} + +@Bean +public JwtDecoder jwtDecoder(JWKSource jwkSource) { + return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource); +} +---- + +[NOTE] +A `JwtDecoder` is *REQUIRED* for the OpenID Connect 1.0 UserInfo endpoint. See xref:configuration-model.adoc#default-configuration[Default configuration] for more information. + +`OidcUserInfoEndpointConfigurer` provides the ability to customize the UserInfo endpoint. +It defines extension points that let you customize the https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse[UserInfo response]. + +`OidcUserInfoEndpointConfigurer` provides the following configuration option: + +[source,java] +---- +@Bean +public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception { + OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = + new OAuth2AuthorizationServerConfigurer<>(); + http.apply(authorizationServerConfigurer); + + authorizationServerConfigurer + .oidc(oidc -> oidc + .userInfoEndpoint(userInfoEndpoint -> + userInfoEndpoint.userInfoMapper(userInfoMapper) // <1> + ) + ); + + return http.build(); +} +---- +<1> `userInfoMapper()`: The `Function` used to extract claims from `OidcUserInfoAuthenticationContext` to an instance of `OidcUserInfo`. 
+ +`OidcUserInfoEndpointConfigurer` configures the `OidcUserInfoEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`. +`OidcUserInfoEndpointFilter` is the `Filter` that processes https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest[UserInfo requests] and returns the `OidcUserInfo`. + +`OidcUserInfoEndpointFilter` is configured with the following defaults: + +* `*userInfoMapper()*` -- An internal implementation that extracts https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[standard claims] from the https://openid.net/specs/openid-connect-core-1_0.html#IDToken[ID Token] based on the https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[scopes requested] during authorization. + +[TIP] +You can customize the ID Token by providing an xref:core-model-components.adoc#oauth2-token-customizer[`OAuth2TokenCustomizer`] declared with a generic type of `JwtEncodingContext`. [[oidc-client-registration-endpoint]] == OpenID Connect 1.0 Client Registration Endpoint
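Review bot: the second `SecurityFilterChain` example in this hunk (the `userInfoMapper` customization) omits the `http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)` line that the first example shows and that the NOTE in the same hunk marks as REQUIRED for the UserInfo endpoint, so a reader who copies only the customization snippet ends up with a UserInfo endpoint and no JWT bearer-token authentication in front of it. Suggest keeping both lines in the second snippet, e.g. `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);` followed by `http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);` before `http.build()`, or adding a sentence under the snippet stating that the default security and the resource-server JWT configuration from the first example still apply. Minor: `userInfoMapper` in `userInfoEndpoint.userInfoMapper(userInfoMapper)` is used without being declared anywhere in the snippet; either declare it as a local `Function<OidcUserInfoAuthenticationContext, OidcUserInfo>` or note in callout <1> that it is a placeholder.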