I have:
- Spring Boot client application with some public endpoints and private endpoints which require @PreAuthorize("#oauth2.hasScope('resource.read')"), for example
- I have an external authorization server: Cloudfoundry UAA
- I have an external OIDC provider linked to UAA. I can use that to authenticate a person; I receive a Person_ID from the ID_Token from that external OIDC provider
- Now I need to change UAA core code to implement my logic of using that Person_ID and searching for the equivalent user from LDAP which shares the same Person_ID, and then I will need to add its user groups to the token for the client. (I have done it currently in the /userinfo endpoint)
So I have done this logic in the /userinfo endpoint, when the client receives an access token (from the client, redirected to UAA, from UAA to the OIDC provider for auth, then back again for the token, and then this token is sent to the client; now the client can take the token and ask for /userinfo, which will then have its user roles)
Is this bad logic? Should I add the LDAP implementation (step 4) inside the access token already somehow?
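To make the two designs the question compares concrete, here is an added, self-contained Python sketch (not code from the original post, and not UAA or Spring Security code) that models both: variant A keeps the Person_ID-to-LDAP-group mapping in /userinfo, which the resource server must call per request; variant B bakes the groups into the access token at issue time so the resource server can authorize from the token alone. The directory contents, Person_IDs, group names, signing key and function names are all constructed for the example; the "LDAP" is a plain dict standing in for the real lookup, and the token is a minimal HS256 JWT built with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the LDAP directory, keyed by the Person_ID attribute
# that the external OIDC provider's ID token carries. (Hypothetical data.)
LDAP_DIRECTORY = {
    "P-1001": {"uid": "alice", "groups": ["resource-readers", "finance"]},
    "P-1002": {"uid": "bob", "groups": ["resource-readers"]},
}

# Hypothetical HMAC key shared by the token issuer and the resource server.
SIGNING_KEY = b"uaa-demo-signing-key"
TOKEN_TTL_SECONDS = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def lookup_groups(person_id: str) -> list:
    """Step 4 of the flow: map the Person_ID from the ID token to the LDAP entry's groups."""
    entry = LDAP_DIRECTORY.get(person_id)
    if entry is None:
        raise LookupError("no LDAP entry with Person_ID %r" % person_id)
    return list(entry["groups"])


def issue_access_token(person_id: str, scopes: list, embed_groups: bool,
                       now: Optional[int] = None) -> str:
    """Issuer side. embed_groups=False: token carries scopes only (variant A, groups via /userinfo).
    embed_groups=True: the LDAP groups are resolved once and written into the token (variant B)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": person_id, "scope": scopes, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    if embed_groups:
        claims["groups"] = lookup_groups(person_id)
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, now: Optional[int] = None) -> dict:
    """Resource-server side: signature and expiry are checked locally, no round trip to UAA."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(SIGNING_KEY, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def userinfo(token: str, now: Optional[int] = None) -> dict:
    """Variant A: /userinfo repeats the LDAP lookup on every call, so its answer
    reflects the directory at call time rather than at token issue time."""
    claims = verify_access_token(token, now)
    return {"sub": claims["sub"], "groups": lookup_groups(claims["sub"])}


def authorize(claims: dict, required_scope: str, required_group: str,
              groups_source: Optional[dict] = None) -> bool:
    """Stand-in for the @PreAuthorize check: the scope must be in the token; the group is read
    from the token (variant B) or from a /userinfo response the caller fetched (variant A)."""
    if required_scope not in claims.get("scope", []):
        return False
    groups = claims.get("groups") if groups_source is None else groups_source.get("groups")
    return required_group in (groups or [])


if __name__ == "__main__":
    tok_a = issue_access_token("P-1001", ["resource.read"], embed_groups=False)
    claims_a = verify_access_token(tok_a)
    print("A:", authorize(claims_a, "resource.read", "finance", groups_source=userinfo(tok_a)))
    tok_b = issue_access_token("P-1001", ["resource.read"], embed_groups=True)
    claims_b = verify_access_token(tok_b)
    print("B:", authorize(claims_b, "resource.read", "finance"))
    # Remove alice from "finance" in the directory: A sees it on the next /userinfo call,
    # B keeps granting until the token expires, because the groups were frozen at issue time.
    LDAP_DIRECTORY["P-1001"]["groups"].remove("finance")
    print("A after change:", authorize(claims_a, "resource.read", "finance", groups_source=userinfo(tok_a)))
    print("B after change:", authorize(claims_b, "resource.read", "finance"))
```

Running the script shows the trade-off in one screen: variant B lets the resource server make the group decision from the signed token alone, but a membership change in LDAP is not reflected until that token expires; variant A reflects the directory on every /userinfo call at the cost of a network round trip per request. Whichever is chosen, the resource server should still verify the token's signature and expiry before trusting any claim in it, which is what verify_access_token does here.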