Also check the UserInfo for a role in the OidcSecurityContext
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/b3677b6a Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/b3677b6a Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/b3677b6a Branch: refs/heads/master-jaxrs-2.1 Commit: b3677b6a9201bd894879d9d06a4c75ac7e310660 Parents: 9e42b9b Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Thu Jul 21 10:14:52 2016 +0100 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Thu Jul 21 10:14:52 2016 +0100 ---------------------------------------------------------------------- .../cxf/rs/security/oidc/rp/OidcSecurityContext.java | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/b3677b6a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java
index 552a6a1..c5e456c 100644
--- a/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java
+++ b/rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcSecurityContext.java
@@ -86,9 +86,15 @@ public class OidcSecurityContext extends SimpleSecurityContext implements Securi
     @Override
     public boolean isUserInRole(String role) {
-        return roleClaim != null && role != null && oidcContext.getIdToken() != null
-            && oidcContext.getIdToken().containsProperty(roleClaim)
-            && role.equals(oidcContext.getIdToken().getProperty(roleClaim));
+
+        return roleClaim != null && role != null
+            && (containsClaim(oidcContext.getIdToken(), roleClaim, role)
+                || containsClaim(oidcContext.getUserInfo(), roleClaim, role));
+    }
+
+    private boolean containsClaim(AbstractUserInfo userInfo, String claim, String claimValue) {
+        return userInfo != null && userInfo.containsProperty(claim)
+            && claimValue.equals(userInfo.getProperty(claim));
     }
 
     /**
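Review bot: The new `containsClaim(oidcContext.getUserInfo(), roleClaim, role)` branch grants a role on the strength of a claim in the UserInfo response, which unlike the ID token is not necessarily a signed document and is only as trustworthy as the access token used to fetch it, and nothing in this hunk ties that document to the same subject as the ID token. Whether the code that populates `oidcContext` verifies the UserInfo `sub` against the ID token `sub` (as OIDC Core 5.3.2 requires of the client) is not visible here; if it does not, a role claim from a UserInfo document belonging to another subject would be honored, so that check is worth confirming and a comment above the helper stating the assumption, e.g. `// UserInfo is trusted here on the assumption that its "sub" was verified against the ID token when the context was built`, would make it explicit. A second, pre-existing limitation the change carries over rather than fixes: `claimValue.equals(userInfo.getProperty(claim))` only matches a scalar string claim, so a multi-valued role claim (a JSON array of roles) never matches in either the ID token or UserInfo; if that is intended, a Javadoc line on `isUserInRole` saying the configured role claim must be a single string value would save the next reader a trip. The empty line added as the first line of the `isUserInRole` body looks unintended and could be dropped.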