Add OAuth2AuthorizedScopesMapper for Client Credentials Grant

Add OAuth2AuthorizedScopesMapper functional interface and
OAuth2AuthorizedScopesContext to allow filtering/transforming
authorized scopes before the OAuth2Authorization is persisted.

Integrate the mapper into OAuth2ClientCredentialsAuthenticationProvider
with a setter following the existing setAuthenticationValidator pattern.

Fixes gh-1504

Signed-off-by: Nikita Nagar <permanayan84@gmail.com>

Author: nikitanagar08

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizedScopesContext.java

@@ -0,0 +1,145 @@
+/*
+ * Copyright 2020-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.springframework.lang.Nullable;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link OAuth2AuthenticationContext} that holds information about the authorized
+ * scopes and is used when mapping the OAuth 2.0 authorized scopes.
+ *
+ * @author Nikita Nagar
+ * @since 1.5
+ * @see OAuth2AuthenticationContext
+ * @see OAuth2AuthorizedScopesMapper
+ */
+public final class OAuth2AuthorizedScopesContext implements OAuth2AuthenticationContext {
+
+	private static final String AUTHORIZED_SCOPES_KEY = OAuth2AuthorizedScopesContext.class.getName()
+			.concat(".AUTHORIZED_SCOPES");
+
+	private final Map<Object, Object> context;
+
+	private OAuth2AuthorizedScopesContext(Map<Object, Object> context) {
+		this.context = Collections.unmodifiableMap(new HashMap<>(context));
+	}
+
+	@SuppressWarnings("unchecked")
+	@Nullable
+	@Override
+	public <V> V get(Object key) {
+		return hasKey(key) ? (V) this.context.get(key) : null;
+	}
+
+	@Override
+	public boolean hasKey(Object key) {
+		Assert.notNull(key, "key cannot be null");
+		return this.context.containsKey(key);
+	}
+
+	/**
+	 * Returns the {@link RegisteredClient registered client}.
+	 * @return the {@link RegisteredClient}
+	 */
+	public RegisteredClient getRegisteredClient() {
+		return get(RegisteredClient.class);
+	}
+
+	/**
+	 * Returns the {@link AuthorizationGrantType authorization grant type}.
+	 * @return the {@link AuthorizationGrantType}
+	 */
+	public AuthorizationGrantType getAuthorizationGrantType() {
+		return get(AuthorizationGrantType.class);
+	}
+
+	/**
+	 * Returns the authorized scopes.
+	 * @return the authorized scopes
+	 */
+	public Set<String> getAuthorizedScopes() {
+		return get(AUTHORIZED_SCOPES_KEY);
+	}
+
+	/**
+	 * Constructs a new {@link Builder} with the provided {@link Authentication}.
+	 * @param authentication the {@link Authentication}
+	 * @return the {@link Builder}
+	 */
+	public static Builder with(Authentication authentication) {
+		return new Builder(authentication);
+	}
+
+	/**
+	 * A builder for {@link OAuth2AuthorizedScopesContext}.
+	 */
+	public static final class Builder extends AbstractBuilder<OAuth2AuthorizedScopesContext, Builder> {
+
+		private Builder(Authentication authentication) {
+			super(authentication);
+		}
+
+		/**
+		 * Sets the {@link RegisteredClient registered client}.
+		 * @param registeredClient the {@link RegisteredClient}
+		 * @return the {@link Builder} for further configuration
+		 */
+		public Builder registeredClient(RegisteredClient registeredClient) {
+			return put(RegisteredClient.class, registeredClient);
+		}
+
+		/**
+		 * Sets the {@link AuthorizationGrantType authorization grant type}.
+		 * @param authorizationGrantType the {@link AuthorizationGrantType}
+		 * @return the {@link Builder} for further configuration
+		 */
+		public Builder authorizationGrantType(AuthorizationGrantType authorizationGrantType) {
+			return put(AuthorizationGrantType.class, authorizationGrantType);
+		}
+
+		/**
+		 * Sets the authorized scopes.
+		 * @param authorizedScopes the authorized scopes
+		 * @return the {@link Builder} for further configuration
+		 */
+		public Builder authorizedScopes(Set<String> authorizedScopes) {
+			return put(AUTHORIZED_SCOPES_KEY, authorizedScopes);
+		}
+
+		/**
+		 * Builds a new {@link OAuth2AuthorizedScopesContext}.
+		 * @return the {@link OAuth2AuthorizedScopesContext}
+		 */
+		@Override
+		public OAuth2AuthorizedScopesContext build() {
+			Assert.notNull(get(RegisteredClient.class), "registeredClient cannot be null");
+			Assert.notNull(get(AuthorizationGrantType.class), "authorizationGrantType cannot be null");
+			Assert.notNull(get(AUTHORIZED_SCOPES_KEY), "authorizedScopes cannot be null");
+			return new OAuth2AuthorizedScopesContext(getContext());
+		}
+
+	}
+
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizedScopesMapper.java

@@ -0,0 +1,42 @@
+/*
+ * Copyright 2020-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import java.util.Set;
+
+/**
+ * A mapper that transforms the authorized scopes before the
+ * {@link org.springframework.security.oauth2.server.authorization.OAuth2Authorization} is
+ * persisted.
+ *
+ * @author Nikita Nagar
+ * @since 1.5
+ * @see OAuth2AuthorizedScopesContext
+ * @see OAuth2ClientCredentialsAuthenticationProvider#setAuthorizedScopesMapper(OAuth2AuthorizedScopesMapper)
+ */
+@FunctionalInterface
+public interface OAuth2AuthorizedScopesMapper {
+
+	/**
+	 * Maps the authorized scopes from the provided
+	 * {@link OAuth2AuthorizedScopesContext}.
+	 * @param context the {@link OAuth2AuthorizedScopesContext} containing the authorized
+	 * scopes and additional information
+	 * @return the mapped authorized scopes
+	 */
+	Set<String> map(OAuth2AuthorizedScopesContext context);
+
+}

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java

@@ -73,6 +73,8 @@ public final class OAuth2ClientCredentialsAuthenticationProvider implements Auth
 
 	private Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator = new OAuth2ClientCredentialsAuthenticationValidator();
 
+	private OAuth2AuthorizedScopesMapper authorizedScopesMapper = (ctx) -> ctx.getAuthorizedScopes();
+
 	/**
 	 * Constructs an {@code OAuth2ClientCredentialsAuthenticationProvider} using the
 	 * provided parameters.
@@ -117,6 +119,16 @@ public Authentication authenticate(Authentication authentication) throws Authent
 
 		Set<String> authorizedScopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
 
+		// @formatter:off
+		OAuth2AuthorizedScopesContext authorizedScopesContext = OAuth2AuthorizedScopesContext
+				.with(clientCredentialsAuthentication)
+				.registeredClient(registeredClient)
+				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
+				.authorizedScopes(authorizedScopes)
+				.build();
+		// @formatter:on
+		authorizedScopes = this.authorizedScopesMapper.map(authorizedScopesContext);
+
 		// Verify the DPoP Proof (if available)
 		Jwt dPoPProof = DPoPProofVerifier.verifyIfAvailable(clientCredentialsAuthentication);
 
@@ -199,4 +211,17 @@ public void setAuthenticationValidator(
 		this.authenticationValidator = authenticationValidator;
 	}
 
+	/**
+	 * Sets the {@link OAuth2AuthorizedScopesMapper} used to map the authorized scopes
+	 * before the {@link OAuth2Authorization} is persisted. The default authorized scopes
+	 * mapper is the identity function.
+	 * @param authorizedScopesMapper the {@link OAuth2AuthorizedScopesMapper} used to map
+	 * the authorized scopes
+	 * @since 1.5
+	 */
+	public void setAuthorizedScopesMapper(OAuth2AuthorizedScopesMapper authorizedScopesMapper) {
+		Assert.notNull(authorizedScopesMapper, "authorizedScopesMapper cannot be null");
+		this.authorizedScopesMapper = authorizedScopesMapper;
+	}
+
 }

oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProviderTests.java

@@ -165,6 +165,35 @@ public void setAuthenticationValidatorWhenNullThenThrowIllegalArgumentException(
 			.hasMessage("authenticationValidator cannot be null");
 	}
 
+	@Test
+	public void setAuthorizedScopesMapperWhenNullThenThrowIllegalArgumentException() {
+		assertThatThrownBy(() -> this.authenticationProvider.setAuthorizedScopesMapper(null))
+			.isInstanceOf(IllegalArgumentException.class)
+			.hasMessage("authorizedScopesMapper cannot be null");
+	}
+
+	@Test
+	public void authenticateWhenCustomAuthorizedScopesMapperThenUsed() {
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();
+		OAuth2ClientAuthenticationToken clientPrincipal = new OAuth2ClientAuthenticationToken(registeredClient,
+				ClientAuthenticationMethod.CLIENT_SECRET_BASIC, registeredClient.getClientSecret());
+		Set<String> requestedScopes = registeredClient.getScopes();
+		OAuth2ClientCredentialsAuthenticationToken authentication = new OAuth2ClientCredentialsAuthenticationToken(
+				clientPrincipal, requestedScopes, null);
+
+		Set<String> mappedScopes = Collections.singleton("scope1");
+		this.authenticationProvider.setAuthorizedScopesMapper((context) -> mappedScopes);
+
+		given(this.jwtEncoder.encode(any())).willReturn(createJwt(mappedScopes));
+
+		this.authenticationProvider.authenticate(authentication);
+
+		ArgumentCaptor<OAuth2Authorization> authorizationCaptor = ArgumentCaptor.forClass(OAuth2Authorization.class);
+		verify(this.authorizationService).save(authorizationCaptor.capture());
+		OAuth2Authorization authorization = authorizationCaptor.getValue();
+		assertThat(authorization.getAuthorizedScopes()).isEqualTo(mappedScopes);
+	}
+
 	@Test
 	public void authenticateWhenClientPrincipalNotOAuth2ClientAuthenticationTokenThenThrowOAuth2AuthenticationException() {
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient2().build();