Add OAuth2AuthorizedScopesMapper for Client Credentials Grant #2294

Open
nikitanagar08 wants to merge 1 commit into spring-projects:main from nikitanagar08:gh-1504-authorized-scopes-mapper

nikitanagar08 commented Mar 2, 2026

Summary

  • Add OAuth2AuthorizedScopesMapper functional interface and OAuth2AuthorizedScopesContext to allow filtering/transforming authorized scopes before the OAuth2Authorization is persisted
  • Integrate the mapper into OAuth2ClientCredentialsAuthenticationProvider with a setAuthorizedScopesMapper() setter following the existing setAuthenticationValidator() pattern
  • This initial draft covers one provider (Client Credentials) per CONTRIBUTING.adoc guidance to keep the PR small; remaining providers can be expanded based on maintainer feedback

Motivation

Closes gh-1504 — there is currently no way to filter/transform OAuth2 authorized scopes before the OAuth2Authorization is persisted. Users must wrap entire authentication providers to modify scopes (e.g., restricting payslip.edit scope based on user roles).

Test plan

  • setAuthorizedScopesMapperWhenNullThenThrowIllegalArgumentException — verifies null check on setter
  • authenticateWhenCustomAuthorizedScopesMapperThenUsed — verifies mapper is called and saved authorization uses mapped scopes
  • All existing OAuth2ClientCredentialsAuthenticationProviderTests pass (no regressions)
  • Checkstyle passes

Fixes gh-1504

Signed-off-by: Nikita Nagar <permanayan84@gmail.com>

@spring-projects-issues added the "status: waiting-for-triage" (An issue we've not yet triaged) label Mar 2, 2026
@nikitanagar08 nikitanagar08 marked this pull request as ready for review March 2, 2026 20:47
@nikitanagar08 nikitanagar08 marked this pull request as draft March 2, 2026 20:47
@nikitanagar08 nikitanagar08 marked this pull request as ready for review March 2, 2026 20:48
Add OAuth2AuthorizedScopesMapper functional interface and
OAuth2AuthorizedScopesContext to allow filtering/transforming
authorized scopes before the OAuth2Authorization is persisted.

Integrate the mapper into OAuth2ClientCredentialsAuthenticationProvider
with a setter following the existing setAuthenticationValidator pattern.

Fixes spring-projectsgh-1504

Signed-off-by: Nikita Nagar <permanayan84@gmail.com>
@nikitanagar08 nikitanagar08 force-pushed the gh-1504-authorized-scopes-mapper branch from 2f9b48a to 6d2ecda Compare March 2, 2026 20:50
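
A sketch of the scope-filtering idea described in the PR summary, added here as an illustration and not taken from the PR or from Spring Authorization Server. `ScopesContext`, `ScopesMapper`, the role name and the principal names are hypothetical stand-ins, since the page does not show the real signatures. It also goes one step beyond the description by wrapping the mapper in a guard so that it can only narrow the authorized scopes, never widen them.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ScopesMapperSketch {

    // Hypothetical stand-in for the PR's context object: who is asking and what would be authorized.
    record ScopesContext(String principal, Set<String> roles, Set<String> authorizedScopes) {}

    // Hypothetical stand-in for the PR's functional interface; the real signature is not on the page.
    @FunctionalInterface
    interface ScopesMapper {
        Set<String> map(ScopesContext context);
    }

    // The PR's motivating policy: payslip.edit survives only for a privileged role (role name is constructed).
    static final ScopesMapper PAYSLIP_POLICY = ctx -> {
        Set<String> scopes = new LinkedHashSet<>(ctx.authorizedScopes());
        if (!ctx.roles().contains("PAYROLL_ADMIN")) {
            scopes.remove("payslip.edit");
        }
        return scopes;
    };

    // Guard: the mapper's result is intersected with the original set, so it can narrow but never widen.
    static ScopesMapper narrowingOnly(ScopesMapper delegate) {
        return ctx -> {
            Set<String> mapped = delegate.map(ctx);
            if (mapped == null) {
                throw new IllegalStateException("scopes mapper returned null");
            }
            Set<String> result = new LinkedHashSet<>(mapped);
            result.retainAll(ctx.authorizedScopes());
            return Collections.unmodifiableSet(result);
        };
    }

    public static void main(String[] args) {
        // Constructed sample input.
        Set<String> granted = new LinkedHashSet<>(List.of("payslip.read", "payslip.edit"));
        ScopesContext clerk = new ScopesContext("svc-clerk", Set.of("CLERK"), granted);
        ScopesContext admin = new ScopesContext("svc-payroll", Set.of("PAYROLL_ADMIN"), granted);
        // A faulty mapper that tries to add a scope that was never authorized.
        ScopesMapper widening = ctx -> Set.of("payslip.read", "payslip.admin");

        System.out.println("clerk:    " + narrowingOnly(PAYSLIP_POLICY).map(clerk));
        System.out.println("admin:    " + narrowingOnly(PAYSLIP_POLICY).map(admin));
        System.out.println("widening: " + narrowingOnly(widening).map(clerk));
    }
}
```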
Development

Successfully merging this pull request may close these issues.

Support transforming authorized scopes when the OAuth2Authorization object is created