JWT with roles for Spring Security

UPDATE

Hi everyone,

I’m sharing what worked for one of our customers and I think it might be useful.

Issue: I’m using the Authorization extension and I created a rule to put the groups and roles of a user into a custom claim in the access token for my API, under “[namespace]/groups” and “[namespace]/roles” respectively. That works just fine.

How to integrate the above with Spring security:
The customer created a rule to put the groups and roles into the scope field so that Spring can interpret it. However, instead of pushing the roles and groups into the scope claim, what you will want to do is to extract the Spring authorities from the JWT manually. This is covered in the Spring Security documentation here.

There are a few ways to do this, but one of our engineers put together this gist demonstrating how a custom extractor can be created and used. This may help you avoid needing to put non-scopes into the scopes claim.

Also, our engineering team is working on improving/updating our documentation on this.

Please let us know if you have any questions!

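An added example of the manual extraction described above (it is not the engineer's gist or Auth0 code). It assumes Spring Security 6, a rule namespace of `https://example.com/` (replace with your own) and that the resource server has already verified the token's signature, issuer and audience before the converter runs.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {
    // Assumed namespace used by the Authorization extension rule; replace with your own.
    private static final String NAMESPACE = "https://example.com/";

    /** Maps the custom claims to authorities; the scope claim is still mapped by the default converter. */
    static class NamespacedClaimsConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
        private final JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();

        @Override
        public Collection<GrantedAuthority> convert(Jwt jwt) {
            List<GrantedAuthority> authorities = new ArrayList<>(scopes.convert(jwt)); // SCOPE_* from "scope"
            addAll(authorities, jwt.getClaimAsStringList(NAMESPACE + "roles"), "ROLE_");
            addAll(authorities, jwt.getClaimAsStringList(NAMESPACE + "groups"), "GROUP_");
            return authorities;
        }

        private static void addAll(List<GrantedAuthority> out, List<String> values, String prefix) {
            if (values == null) return; // claim absent: token issued without the rule, or for another API
            for (String v : values) out.add(new SimpleGrantedAuthority(prefix + v));
        }
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new NamespacedClaimsConverter());
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN") // checked against ROLE_ADMIN from the roles claim
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```

With this in place a token whose `https://example.com/roles` claim is `["ADMIN"]` reaches `/admin/**`, while one that only carries scopes does not, and the scope claim stays limited to real OAuth scopes.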