https://github.com/SAP/cloud-security-xsuaa-integration/blob/main/samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/SecurityConfiguration.java https://github.com/daniel-mader/blog-post-spring-multi-jwt/blob/master/src/main/java/com/example/demo/security/OAuthJwtAuthenticationConverter.java https://www.novatec-gmbh.de/en/blog/how-to-support-different-jwts-in-your-spring-boot-application/
https://www.tutorialspoint.com/spring_boot/spring_boot_oauth2_with_jwt.htm
https://www.javadevjournal.com/spring-security/spring-security-custom-authentication-provider
https://bytemeta.vip/repo/SAP/cloud-security-xsuaa-integration/issues/649
https://danielblancocuadrado.medium.com/authentication-with-spring-boot-and-jwt-2cb43ed0b6ef
https://www.baeldung.com/spring-security-multiple-auth-providers
https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.java https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationProvider.html
The default conversion of a JWT into authorities has two steps:
- extracting claim values from the JWT payload, usually the scope or scp claim
- mapping those claims into a set of GrantedAuthority objects
Spring uses a straightforward strategy to convert claims into GrantedAuthority instances:
- it reads the scope claim (or, if that is absent, the scp claim); a space-delimited string is split on spaces, and a JSON array is used as-is
- for each resulting string, it creates a new SimpleGrantedAuthority using the prefix SCOPE_ followed by the scope value
To change Spring Security's default claim mapping behavior, two classes are involved:
- JwtAuthenticationConverter: Converts a raw JWT into an AbstractAuthenticationToken
- JwtGrantedAuthoritiesConverter: Extracts a collection of GrantedAuthority instances from the raw JWT.
Sometimes we might need to map the scope names received in the JWT to an internal name. For example, this can be the case where the same application needs to work with tokens generated by different authorization servers, depending on the environment where it was deployed. We might be tempted to extend JwtGrantedAuthoritiesConverter, but since this is a final class, we can't use this approach. Instead, we must write our own Converter class and inject it into JwtAuthenticationConverter (via setJwtGrantedAuthoritiesConverter). This enhanced mapper, MappingJwtGrantedAuthoritiesConverter, implements Converter<Jwt, Collection<GrantedAuthority>> and looks much like the original one. Note that the mapper only renames scopes of a token that the JwtDecoder has already verified (signature, expiry, issuer); it is not a substitute for issuer and audience validation, and a scope name should only be mapped for the issuer it is expected from.
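As an added example (not code from the page, from Baeldung's article, or from any of the linked projects), here is one way to write such a mapping converter in Java. It reproduces the default scope/scp extraction described above and goes a step beyond the text: the dictionary of scope names is keyed by the token's iss claim, so one deployment can accept tokens from several authorization servers without a scope name from one of them being mistaken for another's, and scopes without a mapping are dropped rather than passed through. The package name, class name, issuer URLs and scope names are assumptions; the tokens in main() are constructed with Jwt.withTokenValue only to show the mapping offline and are not validated.

```java
// Added example (not from the page or from Spring Security): a replacement for the
// final JwtGrantedAuthoritiesConverter that renames scopes per issuer before they
// become authorities. Package, class name, issuers and scope names are assumptions.
package sample.security;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.util.StringUtils;

public class MappingJwtGrantedAuthoritiesConverter
        implements Converter<Jwt, Collection<GrantedAuthority>> {

    private static final String AUTHORITY_PREFIX = "SCOPE_";
    // Same lookup order as Spring's default converter: "scope" first, then "scp".
    private static final List<String> WELL_KNOWN_AUTHORITIES_CLAIM_NAMES = List.of("scope", "scp");

    // iss claim -> (scope name issued by that authorization server -> internal scope name)
    private final Map<String, Map<String, String>> scopesByIssuer;

    public MappingJwtGrantedAuthoritiesConverter(Map<String, Map<String, String>> scopesByIssuer) {
        this.scopesByIssuer = Map.copyOf(scopesByIssuer);
    }

    @Override
    public Collection<GrantedAuthority> convert(Jwt jwt) {
        // The JwtDecoder should already have rejected tokens from untrusted issuers;
        // failing closed here (no dictionary -> no authorities) costs nothing.
        String issuer = jwt.getClaimAsString(JwtClaimNames.ISS);
        Map<String, String> dictionary = issuer == null
                ? Collections.emptyMap()
                : scopesByIssuer.getOrDefault(issuer, Collections.emptyMap());
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String externalScope : getScopes(jwt)) {
            String internalScope = dictionary.get(externalScope);
            if (internalScope == null) {
                continue; // strict: an unmapped scope grants nothing (unlike getOrDefault(scope, scope))
            }
            authorities.add(new SimpleGrantedAuthority(AUTHORITY_PREFIX + internalScope));
        }
        return authorities;
    }

    // Mirrors the default converter's claim handling: a space-delimited string is
    // split on spaces, a JSON array is used as-is, anything else yields no scopes.
    private static Collection<String> getScopes(Jwt jwt) {
        for (String claimName : WELL_KNOWN_AUTHORITIES_CLAIM_NAMES) {
            if (!jwt.hasClaim(claimName)) {
                continue;
            }
            Object claim = jwt.getClaim(claimName);
            if (claim instanceof String) {
                String s = (String) claim;
                return StringUtils.hasText(s) ? Arrays.asList(s.split(" ")) : Collections.emptyList();
            }
            if (claim instanceof Collection) {
                List<String> out = new ArrayList<>();
                for (Object o : (Collection<?>) claim) {
                    out.add(String.valueOf(o));
                }
                return out;
            }
            return Collections.emptyList();
        }
        return Collections.emptyList();
    }

    // Plug the mapper into JwtAuthenticationConverter, which is what the resource
    // server DSL's jwtAuthenticationConverter(...) expects.
    public static JwtAuthenticationConverter jwtAuthenticationConverter(
            Map<String, Map<String, String>> scopesByIssuer) {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new MappingJwtGrantedAuthoritiesConverter(scopesByIssuer));
        return converter;
    }

    // Offline demonstration with constructed, unsigned tokens. In a running server only
    // the JwtDecoder produces Jwt instances, after verifying the signature and validators.
    public static void main(String[] args) {
        Map<String, Map<String, String>> mapping = Map.of(
                "https://idp-dev.example/oauth2", Map.of("orders.read", "read", "orders.write", "write"),
                "https://idp-prod.example/oauth2", Map.of("read_orders", "read", "write_orders", "write"));
        MappingJwtGrantedAuthoritiesConverter mapper = new MappingJwtGrantedAuthoritiesConverter(mapping);

        Jwt dev = Jwt.withTokenValue("constructed").header("alg", "none")
                .issuer("https://idp-dev.example/oauth2").claim("scope", "orders.read orders.write").build();
        Jwt prod = Jwt.withTokenValue("constructed").header("alg", "none")
                .issuer("https://idp-prod.example/oauth2").claim("scp", List.of("read_orders", "admin")).build();
        Jwt other = Jwt.withTokenValue("constructed").header("alg", "none")
                .issuer("https://idp-other.example").claim("scope", "orders.read").build();

        System.out.println(mapper.convert(dev));
        System.out.println(mapper.convert(prod));
        System.out.println(mapper.convert(other));
    }
}
```

Wire it in with the resource-server DSL, for example `http.oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(MappingJwtGrantedAuthoritiesConverter.jwtAuthenticationConverter(mapping))))`. In the demonstration, the dev token's two scopes are both renamed, the prod token's `admin` scope is dropped because the prod dictionary has no entry for it, and the third token yields no authorities because its issuer is not in the mapping at all. The converter only ever sees tokens the configured JwtDecoder has already verified; with several issuers, the decoder side (a JwtIssuerAuthenticationManagerResolver, or one NimbusJwtDecoder per issuer with JwtValidators.createDefaultWithIssuer plus an audience validator) decides which issuers are trusted, and the mapper's per-issuer dictionary only decides what a trusted issuer's scope names mean.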
https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-decoder-builder https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-validation-custom