feat: scope-based authorization — read standard scope claim, remove custom roles extraction

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/main/java/net/siegeln/cameleer/saas/config/MeController.java

@@ -34,9 +34,6 @@ public class MeController {
 
         String orgId = jwt.getClaimAsString("organization_id");
 
-        List<String> globalRoles = jwt.getClaimAsStringList("roles");
-        boolean isPlatformAdmin = globalRoles != null && globalRoles.contains("platform-admin");
-
         if (orgId != null) {
             var tenant = tenantService.getByLogtoOrgId(orgId).orElse(null);
             List<Map<String, Object>> tenants = tenant != null
@@ -49,7 +46,6 @@ public class MeController {
 
             return ResponseEntity.ok(Map.of(
                     "userId", userId,
-                    "isPlatformAdmin", isPlatformAdmin,
                     "tenants", tenants));
         }
 
@@ -67,7 +63,6 @@ public class MeController {
 
         return ResponseEntity.ok(Map.of(
                 "userId", userId,
-                "isPlatformAdmin", isPlatformAdmin,
                 "tenants", tenants));
     }
 }

src/main/java/net/siegeln/cameleer/saas/config/SecurityConfig.java

@@ -62,17 +62,14 @@ public class SecurityConfig {
         var converter = new JwtAuthenticationConverter();
         converter.setJwtGrantedAuthoritiesConverter(jwt -> {
             List<GrantedAuthority> authorities = new ArrayList<>();
-
-            var roles = jwt.getClaimAsStringList("roles");
-            if (roles != null) {
-                roles.forEach(r -> authorities.add(new SimpleGrantedAuthority("ROLE_" + r)));
+            String scope = jwt.getClaimAsString("scope");
+            if (scope != null) {
+                for (String s : scope.split(" ")) {
+                    if (!s.isBlank()) {
+                        authorities.add(new SimpleGrantedAuthority("SCOPE_" + s));
+                    }
+                }
             }
-
-            var orgRoles = jwt.getClaimAsStringList("organization_roles");
-            if (orgRoles != null) {
-                orgRoles.forEach(r -> authorities.add(new SimpleGrantedAuthority("ROLE_org_" + r)));
-            }
-
             return authorities;
         });
         return converter;

src/main/java/net/siegeln/cameleer/saas/tenant/TenantController.java

@@ -28,7 +28,7 @@ public class TenantController {
     }
 
     @GetMapping
-    @PreAuthorize("hasRole('platform-admin')")
+    @PreAuthorize("hasAuthority('SCOPE_platform:admin')")
     public ResponseEntity<List<TenantResponse>> listAll() {
         List<TenantResponse> tenants = tenantService.findAll().stream()
                 .map(this::toResponse).toList();
@@ -36,7 +36,7 @@ public class TenantController {
     }
 
     @PostMapping
-    @PreAuthorize("hasRole('platform-admin')")
+    @PreAuthorize("hasAuthority('SCOPE_platform:admin')")
     public ResponseEntity<TenantResponse> create(@Valid @RequestBody CreateTenantRequest request,
                                                   Authentication authentication) {
         try {

src/test/java/net/siegeln/cameleer/saas/TestSecurityConfig.java

@@ -7,7 +7,6 @@ import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 
 import java.time.Instant;
-import java.util.List;
 
 @TestConfiguration
 public class TestSecurityConfig {
@@ -20,8 +19,7 @@ public class TestSecurityConfig {
                 .claim("sub", "test-user")
                 .claim("iss", "https://test-issuer.example.com/oidc")
                 .claim("organization_id", "test-org-id")
-                .claim("roles", List.of("platform-admin"))
-                .claim("organization_roles", List.of("admin"))
+                .claim("scope", "platform:admin tenant:manage apps:manage apps:deploy observe:read observe:debug secrets:manage billing:manage team:manage settings:manage")
                 .issuedAt(Instant.now())
                 .expiresAt(Instant.now().plusSeconds(3600))
                 .build();

src/test/java/net/siegeln/cameleer/saas/license/LicenseControllerTest.java

@@ -40,8 +40,8 @@ class LicenseControllerTest {
         var result = mockMvc.perform(post("/api/tenants")
                         .with(jwt().jwt(j -> j
                                 .claim("sub", "test-user")
-                                .claim("roles", java.util.List.of("platform-admin")))
-                                .authorities(new SimpleGrantedAuthority("ROLE_platform-admin")))
+                                .claim("scope", "platform:admin"))
+                                .authorities(new SimpleGrantedAuthority("SCOPE_platform:admin")))
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(objectMapper.writeValueAsString(request)))
                 .andExpect(status().isCreated())

src/test/java/net/siegeln/cameleer/saas/tenant/TenantControllerTest.java

@@ -41,8 +41,8 @@ class TenantControllerTest {
                         .with(jwt().jwt(j -> j
                                 .claim("sub", "test-user")
                                 .claim("organization_id", "test-org")
-                                .claim("roles", java.util.List.of("platform-admin")))
-                                .authorities(new SimpleGrantedAuthority("ROLE_platform-admin")))
+                                .claim("scope", "platform:admin"))
+                                .authorities(new SimpleGrantedAuthority("SCOPE_platform:admin")))
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(objectMapper.writeValueAsString(request)))
                 .andExpect(status().isCreated())
@@ -59,8 +59,8 @@ class TenantControllerTest {
         mockMvc.perform(post("/api/tenants")
                         .with(jwt().jwt(j -> j
                                 .claim("sub", "test-user")
-                                .claim("roles", java.util.List.of("platform-admin")))
-                                .authorities(new SimpleGrantedAuthority("ROLE_platform-admin")))
+                                .claim("scope", "platform:admin"))
+                                .authorities(new SimpleGrantedAuthority("SCOPE_platform:admin")))
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(objectMapper.writeValueAsString(request)))
                 .andExpect(status().isCreated());
@@ -68,8 +68,8 @@ class TenantControllerTest {
         mockMvc.perform(post("/api/tenants")
                         .with(jwt().jwt(j -> j
                                 .claim("sub", "test-user")
-                                .claim("roles", java.util.List.of("platform-admin")))
-                                .authorities(new SimpleGrantedAuthority("ROLE_platform-admin")))
+                                .claim("scope", "platform:admin"))
+                                .authorities(new SimpleGrantedAuthority("SCOPE_platform:admin")))
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(objectMapper.writeValueAsString(request)))
                 .andExpect(status().isConflict());
@@ -93,8 +93,8 @@ class TenantControllerTest {
         var createResult = mockMvc.perform(post("/api/tenants")
                         .with(jwt().jwt(j -> j
                                 .claim("sub", "test-user")
-                                .claim("roles", java.util.List.of("platform-admin")))
-                                .authorities(new SimpleGrantedAuthority("ROLE_platform-admin")))
+                                .claim("scope", "platform:admin"))
+                                .authorities(new SimpleGrantedAuthority("SCOPE_platform:admin")))
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(objectMapper.writeValueAsString(request)))
                 .andExpect(status().isCreated())