spring-security oauth-2.0 spring-cloud spring-security-oauth2 spring-oauth2

Spring Cloud OAuth2: Adding user authorities


We managed to set up a web application with Spring Cloud OAuth2, which implements single sign-on from different identity providers like Facebook and Google, by following this sample source code.

Planning to have our own authentication/authorization server, we provided our own UserDetails and GrantedAuthority, with which we associated the user's Facebook and Google accounts. We also have our own set of user authorities other than ROLE_USER.

We have our business methods secured based on the user's role (we used @RolesAllowed). When a user signs in using their Facebook and Google accounts, only ROLE_USER is added as their authority. I would like to know how to add our own user authorities from the associated user's GrantedAuthority upon signing in to external identity providers. I found that this can possibly be done using AuthoritiesExtractor, but I can't find a concrete example of this.


Solution

  • I was able to modify/set authorities using AuthoritiesExtractor, which is set to UserInfoTokenServices.
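
One way to wire what the answer describes, as an added example that is not the answerer's or the sample project's code. `LinkedAccountAuthorities`, `LinkedAccountAuthoritiesExtractor`, `TokenServicesFactory`, and the `idKey` parameter are hypothetical names; the lookup is keyed on the provider's user id and falls back to ROLE_USER only when no local account is linked.

```java
import java.util.List;
import java.util.Map;

import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;

/** Hypothetical lookup of the local account linked to an external identity. */
interface LinkedAccountAuthorities {
    /** Returns the stored authorities, or an empty list when nothing is linked. */
    List<GrantedAuthority> findByExternalId(String provider, String externalId);
}

/** Maps a provider's user-info response to the authorities stored locally. */
class LinkedAccountAuthoritiesExtractor implements AuthoritiesExtractor {
    private final String provider;   // e.g. "facebook" or "google"
    private final String idKey;      // assumption: user-info key holding the stable user id
    private final LinkedAccountAuthorities accounts;

    LinkedAccountAuthoritiesExtractor(String provider, String idKey,
                                      LinkedAccountAuthorities accounts) {
        this.provider = provider;
        this.idKey = idKey;
        this.accounts = accounts;
    }

    @Override
    public List<GrantedAuthority> extractAuthorities(Map<String, Object> userInfo) {
        // Least privilege: an unknown or unlinked identity gets ROLE_USER only.
        List<GrantedAuthority> baseline = AuthorityUtils.createAuthorityList("ROLE_USER");
        Object id = userInfo.get(idKey);
        if (id == null) {
            return baseline;
        }
        List<GrantedAuthority> stored = accounts.findByExternalId(provider, String.valueOf(id));
        return (stored == null || stored.isEmpty()) ? baseline : stored;
    }
}

/** Builds the token services for one provider with the extractor attached. */
class TokenServicesFactory {
    static UserInfoTokenServices build(String userInfoUri, String clientId,
            OAuth2RestTemplate template, AuthoritiesExtractor extractor) {
        UserInfoTokenServices services = new UserInfoTokenServices(userInfoUri, clientId);
        services.setRestTemplate(template);
        services.setAuthoritiesExtractor(extractor);  // replaces the default ROLE_USER-only mapping
        return services;
    }
}
```

The returned `UserInfoTokenServices` is what the provider's client authentication filter would be given as its token services, one instance per identity provider.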